Pentest & Bug Bounty Resources and Techniques

SQL Injection

SQLmap

Automated sqlmap scan

sqlmap -u http://site.com --forms --batch --crawl=2 --cookie="<COOKIE>" --level=5 --risk=3

All-in-one line

This command sets up sqlmap to perform a thorough and aggressive scan: it reads the request from a file, routes traffic through a proxy, forces SSL/TLS, adds a random delay before every request, and uses a random User-Agent to make the traffic less recognisable.

For logging details, refer to Logging Scans below.

For throttle time, refer to Throttle Time below.

sqlmap -r <REQUEST FILE> --proxy http://127.0.0.1:8080 --level=5 --risk=3 -v 3 --force-ssl -f --random-agent -a --output-dir=/path/to/output_directory -t sqlmap.traffic --eval="import time; import random; time.sleep(random.randint(1,10))"
  • sqlmap: The main command to run the sqlmap tool.

  • -r <REQUEST FILE>: Reads the HTTP request from a specified file. This is useful when working with complex or authenticated requests.

  • --proxy http://127.0.0.1:8080: Routes sqlmap traffic through a proxy on localhost at port 8080. This is commonly used to pass traffic through tools like Burp Suite.

  • --level=5: Sets the test level to 5, which is the highest. This makes sqlmap perform more thorough and detailed tests.

  • --risk=3: Sets the risk level to 3, which is the highest. This allows sqlmap to use more aggressive payloads that could potentially modify the database.

  • -v 3: Sets the verbosity level to 3, providing more detailed information about the scanning process.

  • --force-ssl: Forces sqlmap to use SSL/TLS for all connections.

  • -f: Performs an extensive DBMS version fingerprint.

  • --random-agent: Uses a random HTTP User-Agent for each request, which helps avoid detection.

  • -a: Retrieves everything (all DBMS data sqlmap can enumerate).

  • --output-dir=/path/to/output_directory: Specifies the directory where the scan results will be saved.

  • -t sqlmap.traffic: Saves all HTTP requests and responses to the sqlmap.traffic file.

  • --eval="import time; import random; time.sleep(random.randint(1,10))": Runs this Python snippet before each request, implementing a random throttle delay of 1 to 10 seconds.

Throttle Time

To set a throttle time in sqlmap, you can use the --delay option. This option allows you to specify a delay in seconds between each HTTP request.

sqlmap -u "http://site.com" --delay=2

The --delay option in sqlmap does not accept a random value; it sets a fixed delay in seconds between each HTTP request.

However, there are some alternatives to achieve a random delay:

  1. Using the --eval parameter: This parameter allows you to execute Python code before each request. You can use it to implement a random delay:

sqlmap -u "http://site.com" --eval="import time; import random; time.sleep(random.randint(1,10))"

  2. Creating a custom script: You can develop a script that runs sqlmap with different --delay values chosen at random.

  3. Using the --randomize option: Although not directly related to delay, this option randomly changes the value of the specified parameters on each request, which makes the traffic less predictable.

It's important to remember that using random delays can make the scan slower, but it can also help avoid detection by security systems.
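The --random-agent and random --eval delay options above are described as helping to avoid detection. The following added example (not part of the original page) shows the defender's side of that claim: it parses a few constructed combined-format access-log lines and flags requests in three ways, by the default sqlmap User-Agent (which --random-agent removes), by SQL fragments in the decoded query string (which survive --random-agent), and by the spread of inter-request gaps (a fixed --delay gives a constant gap, --eval jitter does not). The log lines, IP addresses, and the sqlmap version string in the User-Agent are constructed for the example.

```python
"""Detection-side view of sqlmap's evasion options.

Added example; the log lines below are constructed, not captured traffic.
The User-Agent "sqlmap/1.7.8#stable (https://sqlmap.org)" mimics sqlmap's
default UA format; the version number is an assumption.
"""
import re
from datetime import datetime
from statistics import pstdev
from urllib.parse import unquote_plus

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generic signatures for the kind of probe sqlmap sends at level/risk tests.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),          # AND 1=1 / OR 1=2
    re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I),
    re.compile(r"'\s*(and|or)\s+'", re.I),                       # ' AND 'a'='a
]

SAMPLE_LOG = [  # constructed
    # 10.0.0.5: default sqlmap UA, fixed --delay=2 (constant 2 s gaps)
    '10.0.0.5 - - [10/Mar/2024:12:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.8#stable (https://sqlmap.org)"',
    '10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /item.php?id=1%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.8#stable (https://sqlmap.org)"',
    '10.0.0.5 - - [10/Mar/2024:12:00:04 +0000] "GET /item.php?id=1%27%20AND%201%3D2 HTTP/1.1" 200 498 "-" "sqlmap/1.7.8#stable (https://sqlmap.org)"',
    # 10.0.0.9: --random-agent browser UA, --eval jitter (irregular gaps)
    '10.0.0.9 - - [10/Mar/2024:12:01:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.9 - - [10/Mar/2024:12:01:03 +0000] "GET /item.php?id=1%20UNION%20SELECT%20NULL%2CNULL HTTP/1.1" 500 301 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.9 - - [10/Mar/2024:12:01:11 +0000] "GET /item.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.9 - - [10/Mar/2024:12:01:12 +0000] "GET /about.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Match signatures against the URL-decoded path so %27/%20 encoding does not hide them.
    entry["decoded_path"] = unquote_plus(entry["path"])
    return entry


def classify(entry):
    """Return the list of reasons a request looks like sqlmap ("ua", "payload"), empty if clean."""
    reasons = []
    if "sqlmap" in entry["ua"].lower():
        reasons.append("ua")
    if any(p.search(entry["decoded_path"]) for p in SQLI_PATTERNS):
        reasons.append("payload")
    return reasons


def gap_stddev(entries):
    """Population std-dev of the gaps (seconds) between consecutive requests of one client."""
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(entries, entries[1:])]
    return pstdev(gaps) if len(gaps) > 1 else 0.0


def analyse(lines):
    """Return ({ip: [(decoded_path, reasons), ...]}, {ip: gap_stddev}) over the log lines."""
    entries = [e for e in map(parse_line, lines) if e]
    by_ip = {}
    for e in entries:
        by_ip.setdefault(e["ip"], []).append(e)
    flagged = {}
    for ip, es in by_ip.items():
        hits = [(e["decoded_path"], classify(e)) for e in es]
        flagged[ip] = [(path, reasons) for path, reasons in hits if reasons]
    timing = {ip: gap_stddev(es) for ip, es in by_ip.items()}
    return flagged, timing


if __name__ == "__main__":
    flagged, timing = analyse(SAMPLE_LOG)
    for ip in flagged:
        print(ip, "gap std-dev=%.2fs" % timing[ip])
        for path, reasons in flagged[ip]:
            print("   ", ",".join(reasons), path)
```

The User-Agent rule catches every request from the client that kept the default UA, including the harmless first probe, but nothing from the client using --random-agent; the payload rule catches the injection probes from both, which is why signature matching on decoded parameters matters more than UA matching. The timing column shows why a fixed --delay stands out (a std-dev of 0 across gaps) and why a jittered delay does not.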

Logging Scans

When using sqlmap, you can save logs and output to files for later review. Here's how you can do it:

1. Basic Output to a Log File

By default, sqlmap stores its logs in the current directory under the .sqlmap directory. If you want to specify a particular output directory or log file, you can use the -o or --output-dir options:

sqlmap -u "http://example.com/vulnerable_page.php?id=1" --output-dir=/path/to/output_directory

This will store all the results in the specified directory.

2. Saving Command Output to a File

You can redirect the terminal output to a file using standard shell redirection:

sqlmap -u "http://example.com/vulnerable_page.php?id=1" | tee output.log

This command will display the output in the terminal and save it to output.log at the same time.

3. Verbose Output

To increase the verbosity of the logs, use the -v option. You can specify levels from 0 to 6:

sqlmap -u "http://example.com/vulnerable_page.php?id=1" -v 3 | tee output.log

4. Saving Data to a Custom File

To save the results to a specific file (for example, output.txt), you can use:

sqlmap -u "http://example.com/vulnerable_page.php?id=1" --batch --output-dir=/path/to/output_directory > output.txt

This command will save the results in the output.txt file.

5. Automatically Store HTTP Traffic

If you want to store all HTTP traffic during the scan, use the -t option:

sqlmap -u "http://example.com/vulnerable_page.php?id=1" -t traffic.txt

This will save all the HTTP requests and responses to traffic.txt.

6. Storing Session

You can store a session for future use with the -s or --session option:

sqlmap -u "http://example.com/vulnerable_page.php?id=1" --session=session_file

This will store the session in session_file, which can be reused in future commands.

By using these methods, you can ensure that all your sqlmap activities are properly logged and saved for later analysis.


Last updated 4 months ago