1. Use Multiple Techniques
SQLmap supports multiple techniques to detect and exploit SQL injection vulnerabilities. By default, SQLmap uses all available techniques to test the target. However, you can specify which techniques to use with the --technique option.
sqlmap -u <URL> -p <Parameter> --technique=BEUSTQ
This command will use the Boolean-based blind (B), Error-based (E), Union query-based (U), Stacked queries (S), Time-based blind (T), and Inline queries (Q) techniques. BEUSTQ is the full default set, so a shorter string such as --technique=BT restricts testing to the techniques named.
2. Use Tamper Scripts
Tamper scripts are custom scripts that modify the SQL injection payloads sent to the target server. Tamper scripts can be used to bypass web application firewalls or other security measures that may be in place. SQLmap includes several built-in tamper scripts, and you can also create your own custom scripts.
sqlmap -u <URL> -p <Parameter> --tamper=space2comment.py
This command will use the space2comment.py tamper script to replace spaces with comments in the SQL injection payloads.
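As an added example (not part of the original tutorial), the following Python script shows the defender's side of sections 1 and 2: it decodes web-server access-log entries, undoes the space-to-comment substitution that space2comment produces, and tags each request with the technique letters (B, E, U, S, T, Q) whose payload patterns it matches. The log lines, user-agent strings and signature patterns are constructed samples for illustration.

```python
import re
from urllib.parse import unquote_plus

# Simplified signatures per sqlmap technique letter, applied to the
# URL-decoded and whitespace-normalised query string (constructed examples).
TECHNIQUE_SIGNATURES = {
    "B": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),                # boolean-based blind
    "E": re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I),             # error-based
    "U": re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I),              # union query
    "S": re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I),   # stacked queries
    "T": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I),  # time-based blind
    "Q": re.compile(r"\(\s*SELECT\b", re.I),                               # inline query
}
COMMENT_AS_SPACE = re.compile(r"/\*.*?\*/")        # the token space2comment substitutes for a space
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

# Constructed Apache combined-format log lines, not real traffic.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /item.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (https://sqlmap.org)"
203.0.113.5 - - [10/May/2024:12:00:03 +0000] "GET /item.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (https://sqlmap.org)"
198.51.100.7 - - [10/May/2024:12:00:04 +0000] "GET /item.php?id=1/**/UNION/**/ALL/**/SELECT/**/NULL,NULL HTTP/1.1" 200 733 "-" "Mozilla/5.0"
'''

def analyse_request(line):
    """Return a verdict dict for one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, method, target, user_agent = m.groups()
    path, _, raw_query = target.partition("?")
    query = unquote_plus(raw_query)
    tampered = bool(COMMENT_AS_SPACE.search(query))
    normalised = COMMENT_AS_SPACE.sub(" ", query)   # undo space2comment before matching
    techniques = "".join(t for t, rx in TECHNIQUE_SIGNATURES.items() if rx.search(normalised))
    return {"client": client, "path": path, "techniques": techniques,
            "tampered": tampered, "sqlmap_ua": "sqlmap" in user_agent.lower()}

def triage(log_text):
    """Keep only requests that match a technique signature or carry the default sqlmap user agent."""
    verdicts = (analyse_request(l) for l in log_text.strip().splitlines())
    return [v for v in verdicts if v and (v["techniques"] or v["sqlmap_ua"])]

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(v)
```

Note that the fourth sample line carries a browser user agent and comment-separated tokens, so a rule keyed only on the user-agent string or on literal spaces would miss it; normalising first is what makes the union signature fire.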
3. Use Level and Risk Parameters
The --level and --risk parameters allow you to control the aggressiveness of SQLmap's testing. The --level parameter ranges from 1 to 5, with 5 being the most aggressive level of testing. The --risk parameter ranges from 0 to 3, with 3 being the highest level of risk for exploitation.
sqlmap -u <URL> -p <Parameter> --level=5 --risk=3
This command will run SQLmap with the most aggressive level of testing and the highest level of risk for exploitation.
4. Use Proxy and Tor
SQLmap allows you to use a proxy or Tor to anonymize your traffic and bypass IP-based restrictions. You can use the --proxy option to specify a proxy server and the --tor option to use Tor.
sqlmap -u <URL> -p <Parameter> --proxy=http://localhost:8080
This command will use a proxy server running on localhost on port 8080.
5. Use Session and Cookie Options
SQLmap can send a session cookie so that its requests are authenticated to the target web application. You can use the --cookie option to specify the cookie value, or the -s option to load a session file saved by a previous run.
sqlmap -u <URL> -p <Parameter> --cookie="PHPSESSID=abc123"
This command will use the specified cookie value to authenticate to the target web application.
6. Use Direct Connection to the Database
SQLmap can connect directly to the target database server and run its enumeration there, without going through the web application. This method is useful when the target application is protected by a web application firewall or other security measures, but it requires valid database credentials and network access to the database port, since no injection takes place.
sqlmap --direct="mysql://<user>:<password>@<host>:3306/database" -D database --tables
This command will connect directly to the MySQL server with the supplied credentials and enumerate the tables in the specified database. The --direct option takes the connection string as its argument, so the -u and -p options are not used.