Building Attacks

Curl Commands

eldeim@htb[/htb]$ sqlmap 'http://www.example.com/?id=1' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0' -H 'Accept: image/webp,*/*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Connection: keep-alive' -H 'DNT: 1'

GET/POST Requests

Custom SQLMap Requests

For example, if there is a requirement to set the (session) cookie value to PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c, the option --cookie would be used as follows:

The same effect can be achieved with the option -H/--header:

Also, if we want to specify an alternative HTTP method other than GET and POST (e.g., PUT), we can use the option --method, as follows:
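The curl-to-sqlmap step above and the --cookie/-H/--method options all come down to one question: which parts of the browser-copied request does sqlmap have to replay? The following parser is an added example, not code from the original page or from sqlmap itself. It breaks a "Copy as cURL" command into URL, method, body, cookie and remaining headers, and lists the sqlmap options that carry each part. The two sample commands are constructed (the first mirrors the page's command, the second is a hypothetical JSON PUT with the page's session cookie); flags it does not recognise are assumed to take no value.

```python
"""Parse a browser 'Copy as cURL' command into the pieces sqlmap needs.

Added example, not code from the original page or from sqlmap. It shows which
parts of a copied curl command become the request sqlmap replays: URL, method,
body, cookie and the remaining headers.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed samples: the first mirrors the browser-copied command on the page,
# the second is a hypothetical JSON PUT request carrying a session cookie.
SAMPLE_CURL = (
    "curl 'http://www.example.com/?id=1' "
    "-H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0' "
    "-H 'Accept: image/webp,*/*' -H 'Accept-Language: en-US,en;q=0.5' "
    "--compressed -H 'Connection: keep-alive' -H 'DNT: 1'"
)
SAMPLE_CURL_PUT = (
    "curl 'http://www.example.com/api/item' -X PUT "
    "-H 'Content-Type: application/json' "
    "-H 'Cookie: PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c' "
    "--data-raw '{\"id\": 1}'"
)


@dataclass
class ParsedCurl:
    url: str = ""
    method: str = "GET"
    data: str = ""
    cookie: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# curl shorthands that take a value and map onto a request header
HEADER_FLAGS = {"-A": "User-Agent", "--user-agent": "User-Agent",
                "-e": "Referer", "--referer": "Referer"}
DATA_FLAGS = {"-d", "--data", "--data-raw", "--data-binary"}


def parse_curl(cmd: str) -> ParsedCurl:
    """Walk the curl argument list and collect what the request consists of."""
    tokens = shlex.split(cmd)
    if not tokens or tokens[0] != "curl":
        raise ValueError("expected a command starting with 'curl'")
    req = ParsedCurl()
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-H", "--header"):
            name, _, value = nxt.partition(":")
            name, value = name.strip(), value.strip()
            if name.lower() == "cookie":
                req.cookie = value  # sqlmap takes the session cookie via --cookie
            else:
                req.headers[name] = value
            i += 2
        elif tok in ("-b", "--cookie"):
            req.cookie = nxt
            i += 2
        elif tok in ("-X", "--request"):
            req.method = nxt.upper()
            i += 2
        elif tok in DATA_FLAGS:
            req.data = nxt
            if req.method == "GET":
                req.method = "POST"  # curl switches to POST once a body is given
            i += 2
        elif tok in HEADER_FLAGS:
            req.headers[HEADER_FLAGS[tok]] = nxt
            i += 2
        elif tok.startswith("-"):
            # Assumption: any other flag (--compressed, -k, -L, ...) is a curl
            # transport setting without a value and carries no request content.
            i += 1
        else:
            req.url = tok
            i += 1
    if not req.url:
        raise ValueError("no URL found in curl command")
    return req


def sqlmap_args(req: ParsedCurl) -> List[str]:
    """Map the parsed request onto sqlmap's -u/--method/--data/--cookie/-H options."""
    args = ["-u", req.url]
    if req.method not in ("GET", "POST"):
        args.append(f"--method={req.method}")  # only needed for PUT, PATCH, ...
    if req.data:
        args.append(f"--data={req.data}")  # a body alone already implies POST
    if req.cookie:
        args.append(f"--cookie={req.cookie}")
    for name, value in req.headers.items():
        args += ["-H", f"{name}: {value}"]
    return args


if __name__ == "__main__":
    for sample in (SAMPLE_CURL, SAMPLE_CURL_PUT):
        print("sqlmap", shlex.join(sqlmap_args(parse_curl(sample))))
```

The Cookie header is pulled out of the header list on purpose: keeping the session in --cookie makes it visible at a glance which session the run is replaying, and the remaining -H values reproduce the browser fingerprint the page's command passes through.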

PoCs - Questions

First flag: it is attached to the parameter "id" via POST, so we can copy the website's curl command.


Second flag: we need to see all cookies, and we create one with name id and value 1, ez.


Lastly, we have a JSON SQLi, yeah... Something unusual.


Attack Tuning

Every payload sent to the target consists of:

  • vector (e.g., UNION ALL SELECT 1,2,VERSION()): central part of the payload, carrying the useful SQL code to be executed at the target.

  • boundaries (e.g. '<vector>-- -): prefix and suffix formations, used for proper injection of the vector into the vulnerable SQL statement.

Prefix/Suffix

For such runs, options --prefix and --suffix can be used as follows:

This will result in an enclosure of all vector values between the static prefix %')) and the suffix -- -.

Level/Risk

For such demands, the options --level and --risk should be used:

  • The option --level (1-5, default 1) extends both vectors and boundaries being used, based on their expectancy of success (i.e., the lower the expectancy, the higher the level).

  • The option --risk (1-3, default 1) extends the used vector set based on their risk of causing problems at the target side (i.e., risk of database entry loss or denial-of-service).

As for the number of payloads, by default (i.e. --level=1 --risk=1), the number of payloads used for testing a single parameter goes up to 72, while in the most detailed case (--level=5 --risk=3) the number of payloads increases to 7,865.

Techniques

For example, if we want to skip the time-based blind and stacking SQLi payloads and only test for the boolean-based blind, error-based, and UNION-query payloads, we can specify these techniques with --technique=BEU.
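The vector/boundary split from the Attack Tuning section and the technique letters used by --technique (B, E, U, S, T, Q) are just as useful when reading traffic as when generating it. The detector below is an added example, not code from the original page or from sqlmap: it scans constructed access-log lines, decodes each query parameter, separates the boundary (a prefix such as %')) and a comment suffix such as -- -) from the vector, and labels the vector with the technique letter its signature matches. The log lines, the regular expressions and the priority order of the technique patterns are my own assumptions, not sqlmap's internal payload set.

```python
"""Label SQL injection payloads found in web-server access logs by boundary and technique.

Added example, not from the original page or from sqlmap. All log lines are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access log lines (not real traffic). Values are URL-encoded
# exactly as a server would log them; line 0 is a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1%25%27%29%29%20AND%201%3D1--%20- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=1%25%27%29%29%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1%25%27%29%29%20UNION%20ALL%20SELECT%201%2C2%2CVERSION%28%29--%20- HTTP/1.1" 200 780
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?id=1%27%20AND%20EXTRACTVALUE%281%2CVERSION%28%29%29--%20- HTTP/1.1" 500 300
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?id=1%27%3B%20SELECT%20SLEEP%285%29--%20- HTTP/1.1" 500 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# boundary = prefix (quote/paren/percent run right after the original value) and
# suffix (comment that neutralises the rest of the statement); vector = SQL in between.
PAYLOAD_RE = re.compile(
    r"(?P<base>\w*)(?P<prefix>[\"')%]*)\s*(?P<vector>.*?)\s*(?P<suffix>--\s*-|--|#|/\*)?",
    re.S,
)

# Signature per technique letter, most specific first (assumed ordering, not sqlmap's).
TECHNIQUE_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("S", re.compile(r";\s*(select|insert|update|delete|exec)\b", re.I)),   # stacked queries
    ("T", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),  # time-based
    ("U", re.compile(r"\bunion\b.*\bselect\b", re.I)),                        # UNION query
    ("E", re.compile(r"\b(extractvalue|updatexml)\s*\(|floor\s*\(\s*rand", re.I)),  # error-based
    ("Q", re.compile(r"\(\s*select\b", re.I)),                                # inline query
    ("B", re.compile(r"\b(and|or)\b\s*\S+\s*(=|<|>|like\b)", re.I)),          # boolean-based
]


def split_payload(value: str) -> Tuple[str, str, str]:
    """Return (prefix, vector, suffix) for one parameter value; all empty when benign."""
    m = PAYLOAD_RE.fullmatch(value)
    return m["prefix"], m["vector"], m["suffix"] or ""


def classify_vector(vector: str) -> Optional[str]:
    """Return the --technique letter whose signature the vector matches, or None."""
    for code, pattern in TECHNIQUE_PATTERNS:
        if pattern.search(vector):
            return code
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Decode every query parameter in each request line and report injection attempts."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for param, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl URL-decodes
            prefix, vector, suffix = split_payload(value)
            technique = classify_vector(vector)
            if technique is None:
                continue
            findings.append({"method": m["method"], "param": param, "prefix": prefix,
                             "vector": vector, "suffix": suffix, "technique": technique})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['technique']}  {f['param']}  prefix={f['prefix']!r}  "
              f"suffix={f['suffix']!r}  vector={f['vector']!r}")
```

Reading the output against the page's numbers makes the level/risk trade-off concrete: a UNION or error-based vector is visible in a single log line, whereas a time-based blind run leaves dozens of near-identical lines whose only distinguishing feature is the SLEEP() call and the response time, which is why the T technique is both slow to exploit and easy to spot from the server side.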

PoCs - Questions

In this case, the flag is sent in the id of a GET request, and it is vulnerable.


NAH.. the next flag is the same, a GET request, but the vulnerable vector is "col". OMFG, I waited 40 minutes to get the flag because it is a time-based blind.


The last flag, 7, is a GET id UNION, another basic one. We can see 5 columns too.
