11.5. SQLMap Usage

sqlmap works out of the box with Python version 2.6, 2.7 and 3.x on any platform.

Installation: git clone https://github.com/sqlmapproject/sqlmap.git sqlmap

11.5.1. Common parameters

  • -u URL, --url=URL Target URL (e.g. “http://www.site.com/vuln.php?id=1”)

  • -m Scan multiple targets given in a textual file

  • -r Load HTTP request from a file

  • --data Data string to be sent through POST (e.g. “id=1”)

  • --random-agent Use a randomly selected HTTP User-Agent header value

  • --user-agent Specify User-Agent

  • --delay Delay in seconds between each HTTP request

  • --timeout Seconds to wait before timeout connection (default 30)

  • --dbms Force the back-end DBMS to the given value (skips fingerprinting); supported values include MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, etc.

  • --os Force back-end DBMS operating system to provided value

  • --tamper Use given script(s) for tampering injection data

  • --level Level of tests to perform (1-5, default 1). Level 1 tests only GET/POST parameters; level 2 adds the Cookie header, level 3 adds User-Agent and Referer, and level 5 adds the Host header, each with more payloads than the previous level

  • --risk Risk of tests to perform (1-3, default 1). Risk 2 adds heavy time-based queries; risk 3 adds OR-based boolean tests, which can modify every row of a table if the injection point is inside an UPDATE statement

  • --technique SQL injection techniques to use (default “BEUSTQ”, i.e. all of them; pass a subset such as “BEU” to skip the slow or destructive ones)
    • B: Boolean-based blind SQL injection

    • E: Error-based SQL injection

    • U: UNION query SQL injection

    • S: Stacked queries SQL injection

    • T: Time-based blind SQL injection

    • Q: Inline queries SQL injection

11.5.2. Tamper Quick Check

Script name and effect. The names are files under sqlmap's tamper/ directory; pass one or more to --tamper by name, comma-separated (e.g. --tamper=space2comment,randomcase). Tamper scripts only rewrite payloads; they cannot create an injection where none exists. Run with -v 3 to see the payload actually sent after tampering.

  • apostrophemask.py: Replaces the apostrophe (') with its UTF-8 full-width counterpart (e.g. ' becomes %EF%BC%87)

  • equaltolike.py: Replaces every equals operator (=) with LIKE

  • space2dash.py: Replaces each space with a dash comment (--) followed by a random string and a newline (\n)

  • greatest.py: Replaces the greater-than operator (>) with GREATEST (bypasses filtering of >)

  • space2hash.py: Replaces each space with a pound sign (#) followed by a random string and a newline (MySQL)

  • apostrophenullencode.py: Replaces the apostrophe (') with its illegal double-unicode counterpart (%00%27)

  • halfversionedmorekeywords.py: Adds a MySQL versioned comment before each keyword (e.g. /*!0SELECT)

  • space2morehash.py: Replaces each space with a pound sign (#) followed by a random string and a newline (MySQL >= 5.1.13)

  • appendnullbyte.py: Appends a NULL byte (%00) at the end of the payload (Microsoft Access)

  • ifnull2ifisnull.py: Replaces IFNULL(A, B) with IF(ISNULL(A), B, A) (bypasses filtering of IFNULL)

  • space2mssqlblank.py: Replaces each space with a random blank character from the set Microsoft SQL Server accepts

  • base64encode.py: Base64-encodes all characters of the payload

  • space2mssqlhash.py: Replaces each space with a pound sign (#) followed by a newline (Microsoft SQL Server)

  • modsecurityversioned.py: Wraps the complete query in a MySQL versioned comment

  • space2mysqlblank.py: Replaces each space with a random blank character from the set MySQL accepts

  • between.py: Replaces the greater-than operator (>) with NOT BETWEEN 0 AND #, and the equals operator (=) with BETWEEN # AND #

  • space2mysqldash.py: Replaces each space with a dash comment (--) followed by a newline (MySQL)

  • multiplespaces.py: Adds multiple spaces around SQL keywords

  • space2plus.py: Replaces each space with a plus sign (+)

  • bluecoat.py: Replaces the space after a SQL statement with a valid random blank character, then replaces = with LIKE

  • nonrecursivereplacement.py: Rewrites predefined SQL keywords so they survive non-recursive removal filters such as replace("SELECT", "") (e.g. SELECT becomes SELSELECTECT)

  • space2randomblank.py: Replaces each space with a random blank character from a valid set of alternates

  • sp_password.py: Appends sp_password to the end of the payload so that Microsoft SQL Server automatically obfuscates it in its logs

  • chardoubleencode.py: Double URL-encodes all characters of the payload (already-encoded characters are not processed)

  • unionalltounion.py: Replaces UNION ALL SELECT with UNION SELECT

  • charencode.py: URL-encodes all characters of the payload (already-encoded characters are not processed)

  • randomcase.py: Replaces each character of a keyword with a random case

  • unmagicquotes.py: Replaces the quote character (') with the multi-byte combination %BF%27 and appends a generic comment, to bypass magic_quotes/addslashes (wide-character bypass)

  • randomcomments.py: Inserts random inline comments (/**/) inside SQL keywords

  • charunicodeencode.py: Unicode-URL-encodes all characters of the payload (e.g. SELECT becomes %u0053%u0045%u004C%u0045%u0043%u0054)

  • securesphere.py: Appends a specially crafted string to the payload

  • versionedmorekeywords.py: Encloses each keyword in a MySQL versioned comment

  • space2comment.py: Replaces each space with the comment /**/