Article Directory
10.5. SQLMap usage
installationgit clone https://github.com/sqlmapproject/sqlmap.git sqlmap
10.5.1. Common parameters
-
-u --urlSpecify the target url -
-mAcquiring a plurality of scan target from the text
--rLoad HTTP request from a file -
--dataSubmit data by POST -
-random-agentRandom ua -
--user-agentDesignated ua -
--delaySet the delay between requests -
--timeoutSpecify timeout period
---dbmsspecify db, db supported by sqlmap include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, etc. -
--osSpecify the database server operating system
---tamperspecify tamper -
--levelSpecify detection level -
--riskAssign risk level -
--techniqueInjection technique- B: Boolean-based blind SQL injection
- E: Error-based SQL injection
- U: UNION query SQL injection
- S: Stacked queries SQL injection
- T: Time-based blind SQL injection
10.5.2. Tamper Quick Look
| Screenplay name | effect |
|---|---|
| apostrophemask.py | Use utf8 instead of quotation marks |
| equaltolike.py | like instead of equal sign |
| space2dash.py | Bypass the filter'=' replace the space character ("), (''-') followed by a dash comment, a random string and a new line ('n') |
| greatest.py | Bypass the filter'>' and replace the greater than sign with GREATEST. |
| space2hash.py | Replace spaces with # random strings and line breaks |
| apostrophenullencode.py | Bypass filtering double quotes, replace characters and double quotes. |
| halfversionedmorekeywords.py | When the database is mysql, bypass the firewall, add mysql version comments before each keyword |
| space2morehash.py | Replace spaces with # signs and more random string newlines |
| appendnullbyte.py | Load zero-byte character encoding at the end of the payload |
| ifnull2ifisnull.py | Bypass IFNULL filtering. Replace something like'IFNULL(A, B)' with'IF(ISNULL(A), B, A)' |
| space2mssqlblank.py | Replace spaces with other empty symbols |
| base64encode.py | Replace with base64 encoding |
| space2mssqlhash.py | Replace spaces |
| modsecurityversioned.py | Filter spaces and include complete query version comments |
| space2mysqlblank.py | Replace other blank symbols with spaces (mysql) |
| between.py | Replace the greater than sign (>) with between |
| space2mysqldash.py | Replace space characters (") ('-') followed by a dash to comment a new line ('n') |
| multiplespaces.py | Add multiple spaces around SQL keywords |
| space2plus.py | Replace spaces with + |
| bluecoat.py | Replace the SQL statement with a valid random blank character after the space character. Then replace = with like |
| nonrecursivereplacement.py | Replace the predefined SQL keyword with means suitable for replacement (for example, .replace("SELECT", "")) filters |
| space2randomblank.py | Replace the space character ("") with a valid set of optional characters from a random white space character |
| sp_password.py | Append sp_password' from the end of the payload of the automatic obfuscation of the DBMS log |
| chardoubleencode.py | Double URL encoding (do not handle encoding) |
| unionalltounion.py | Replace UNION ALL SELECT UNION SELECT |
| charencode.py | url encoding |
| randomcase.py | Random case |
| unmagicquotes.py | Wide character bypass GPC addslashes |
| randomcomments.py | With /**/split sql keyword |
| charunicodeencode.py | String unicode encoding |
| securesphere.py | Append a special string |
| versionedmorekeywords.py | Comment bypass |
| space2comment.py | Replaces space character' 'with comments /**/ |