# SQL Injection

## SQLmap

### Automated sqlmap scan

{% code overflow="wrap" lineNumbers="true" fullWidth="false" %}

```bash
sqlmap -u http://site.com --forms --batch --crawl=2 --cookie="<COOKIE>" --level=5 --risk=3
```

{% endcode %}

### All-in-one line

This command runs a thorough and aggressive sqlmap scan: traffic goes through a proxy, SSL connections are forced, a random delay is inserted between requests, and techniques to evade detection are employed.

{% hint style="info" %}
For logging details refer to [#logging-scans](#logging-scans "mention")

For throttle time refer to [#throttle-time](#throttle-time "mention")
{% endhint %}

{% code overflow="wrap" lineNumbers="true" %}

```bash
sqlmap -r <REQUEST FILE> --proxy http://127.0.0.1:8080 --level=5 --risk=3 -v 3 --force-ssl -f --random-agent -a --output=. -t sqlmap.traffic --eval="import time; import random; time.sleep(random.randint(1,10))"
```

{% endcode %}

{% hint style="warning" %}
In **Docker for Mac**, using a local LAN IP (like `191.168.68.82`) from inside a container to talk to the host can sometimes be flaky due to how the Docker Desktop networking bridge is configured.

The Fix: Use the special DNS name Docker provides to reach the host and remove `--force-ssl` if your request file (`req1`) already specifies the port (443) or if the `Host` header is sufficient.

**Summary:** Change your proxy flag to `--proxy http://host.docker.internal:8081` and remove `--force-ssl`.
{% endhint %}

{% hint style="info" %}

* `sqlmap`: The main command to run the sqlmap tool.
* `-r <REQUEST FILE>`: Reads the HTTP request from the specified file. This is useful when working with complex or authenticated requests.
* `--proxy http://127.0.0.1:8080`: Routes sqlmap traffic through a proxy on localhost port 8080. This is commonly used to pass traffic through tools like Burp Suite.
* `--level=5`: Sets the test level to 5, the highest. This makes sqlmap perform more thorough and detailed tests.
* `--risk=3`: Sets the risk level to 3, the highest. This allows sqlmap to use more aggressive payloads that could potentially modify the database.
* `-v 3`: Sets the verbosity level to 3, providing more detailed information about the scanning process.
* `--force-ssl`: Forces sqlmap to use SSL/TLS for all connections.
* `-f`: Performs an extensive DBMS version fingerprint.
* `--random-agent`: Uses a random HTTP User-Agent for each request, which helps avoid detection.
* `-a`: Retrieves everything.
* `--output=.`: Specifies the directory where the scan results will be saved (here, the current directory).
* `-t sqlmap.traffic`: Saves all HTTP requests and responses to the `sqlmap.traffic` file.
* `--eval="import time; import random; time.sleep(random.randint(1,10))"`: Implements a random throttle delay before each request.
{% endhint %}

### Throttle Time

To set a throttle time in sqlmap, you can use the `--delay` option. This option allows you to specify a delay in seconds between each HTTP request.

```bash
sqlmap -u "http://site.com" --delay=2
```

The `--delay` option in sqlmap does not accept a random value: it sets a fixed delay in seconds between each HTTP request.

However, there are some alternatives to achieve a random delay:

1. Using the `--eval` parameter: This parameter allows you to execute Python code before each request. You can use it to implement a random delay:

{% code overflow="wrap" lineNumbers="true" %}

```bash
sqlmap -u "http://site.com" --eval="import time; import random; time.sleep(random.randint(1,10))"
```

{% endcode %}

2. Creating a custom script: You can develop a script that runs sqlmap with different `--delay` values chosen at random.
3. Using the `--randomize` option: Although not directly related to delay, this option randomly changes the value of the specified parameters on each request, which can help make the attack less predictable.

It's important to remember that using random delays can make the scan slower, but it can also help avoid detection by security systems.

### Logging Scans

When using `sqlmap`, you can save logs and output to files for later review. Here's how you can do it:

#### 1. **Basic Output to a Log File**

By default, `sqlmap` stores its logs in the current directory under the `.sqlmap` directory. If you want to specify a particular output directory, use the `--output-dir` option:

{% code overflow="wrap" lineNumbers="true" %}

```bash
sqlmap -u "http://example.com/vulnerable_page.php?id=1" --output-dir=/path/to/output_directory
```

{% endcode %}

This will store all the results in the specified directory.

#### 2. **Saving Command Output to a File**

You can redirect the terminal output to a file using standard shell redirection:

{% code overflow="wrap" lineNumbers="true" %}

```bash
sqlmap -u "http://example.com/vulnerable_page.php?id=1" | tee output.log
```

{% endcode %}

This command will display the output in the terminal and save it to `output.log` at the same time.

#### 3. **Verbose Output**

To increase the verbosity of the logs, use the `-v` option. You can specify levels from 0 to 6:

{% code overflow="wrap" lineNumbers="true" %}

```bash
sqlmap -u "http://example.com/vulnerable_page.php?id=1" -v 3 | tee output.log
```

{% endcode %}

#### 4. **Saving Data to a Custom File**

To save the results to a specific file (for example, `output.txt`), you can use:

{% code overflow="wrap" lineNumbers="true" %}

```bash
sqlmap -u "http://example.com/vulnerable_page.php?id=1" --batch --output-dir=/path/to/output_directory > output.txt
```

{% endcode %}

This command redirects the console output to `output.txt`; the structured results (sessions, dumps, logs) are still written under the `--output-dir` directory.

#### 5. **Automatically Store HTTP Traffic**

If you want to store all HTTP traffic during the scan, use the `-t` option:

{% code overflow="wrap" lineNumbers="true" %}

```bash
sqlmap -u "http://example.com/vulnerable_page.php?id=1" -t traffic.txt
```

{% endcode %}

This will save all the HTTP requests and responses to `traffic.txt`.

#### 6. **Storing Session**

You can store a session for future use with the `-s` option, which takes the path of a `.sqlite` session file:

{% code overflow="wrap" lineNumbers="true" %}

```bash
sqlmap -u "http://example.com/vulnerable_page.php?id=1" -s session_file
```

{% endcode %}

This will store the session in `session_file`, which can be reused in future commands.

By using these methods, you can ensure that all your `sqlmap` activities are properly logged and saved for later analysis.
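Putting the six options above together, here is an added example (not code from the original page or from the sqlmap project) of a POSIX sh wrapper that gives every run its own directory and combines `--output-dir`, `-t`, `-s` and `tee`, so that the exact command line, the HTTP traffic, the session, the console output and the start/end times of a scan are kept together for later review or for the engagement report. The function names, the `SQLMAP_LOG_ROOT` variable and the file names inside the scan directory are this example's own assumptions; the sqlmap options are the ones documented above.

```shell
#!/bin/sh
# Added example, not code from the original page or from the sqlmap project:
# a wrapper that records every sqlmap run in its own directory. Function names,
# SQLMAP_LOG_ROOT and the file layout below are this example's assumptions.

SQLMAP_LOG_ROOT="${SQLMAP_LOG_ROOT:-./sqlmap-logs}"

# Reduce a target label (a host name, or the URL itself) to a safe directory name:
# every character outside [A-Za-z0-9._-] becomes '_', so the label can never
# carry a path separator into the log root.
sanitize_label() {
  printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'
}

# Build the per-scan directory path <root>/<label>_<UTC timestamp>. The timestamp
# can be passed explicitly (handy for tests); otherwise the current time is used,
# so repeated scans of one target never overwrite each other's session or traffic.
scan_dir_for() {
  local stamp
  stamp="${2:-$(date -u +%Y%m%dT%H%M%SZ)}"
  printf '%s/%s_%s\n' "$SQLMAP_LOG_ROOT" "$(sanitize_label "$1")" "$stamp"
}

# Quote one argument so the audit log holds a command line that can be pasted
# back into a shell: wrap in single quotes, escaping embedded single quotes.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Append a "key: value" line to the audit log of a scan directory.
audit_record() {
  printf '%s: %s\n' "$2" "$3" >> "$1/audit.log"
}

# Run sqlmap with the caller's own options plus the logging options, recording
# the command line and timing in audit.log. Console output is shown and saved at
# the same time with tee (section 2); sqlmap's exit status is captured through a
# small status file because a POSIX pipeline only reports tee's status.
run_logged_scan() {
  local label dir cmd arg status
  label="$1"; shift
  dir=$(scan_dir_for "$label")
  mkdir -p "$dir/output"
  set -- "$@" "--output-dir=$dir/output" -t "$dir/traffic.txt" -s "$dir/session.sqlite"

  cmd='sqlmap'
  for arg in "$@"; do cmd="$cmd $(shell_quote "$arg")"; done
  audit_record "$dir" started "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  audit_record "$dir" command "$cmd"

  { sqlmap "$@" 2>&1; echo "$?" > "$dir/.status"; } | tee "$dir/console.log"
  status=$(cat "$dir/.status")
  audit_record "$dir" finished "$(date -u +%Y-%m-%dT%H:%M:%SZ) (exit $status)"
  return "$status"
}

# Usage (only runs when invoked with arguments, so the functions can also be
# sourced from another script):
#   sh sqlmap-logged.sh site.com -r req1 --batch --level=5 --risk=3 -v 3
if [ "$#" -gt 0 ]; then
  run_logged_scan "$@"
fi
```

After a run, `audit.log` holds the quoted command line and the start and finish times, `console.log` the terminal output, `traffic.txt` the raw requests and responses, `session.sqlite` the session to resume with `-s`, and `output/` the structured results that `--output-dir` produces. The per-scan timestamp suffix is what keeps a second scan of the same target from silently reusing the first one's session.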

