KCN

Kaldei's Cybersecurity Notes

SQLMAP

An automatic SQL injection and database takeover tool.

https://github.com/sqlmapproject/sqlmap

GET Parameter

sqlmap -u "http://[TARGET_IP]/books?author=Bob" -p author
Look for SQL injection in author parameter.

POST Parameter

sqlmap -u "http://[TARGET_IP]/search" --data="name=Bob"
Look for SQL injection in post parameter.

Burp Capture

sqlmap -r [fileFromBurpIntercept] --batch
Look for SQL injection from a BurpSuite capture.

Flags

-p
Provide parameter which seems to be injectable.
-u
Provide URL for the attack.
--dbms
Tell SQLMap the type of database that is running.

--dump
Dump the data within the database that the application uses. --dump-all
Dump the ENTIRE database.

--batch
SQLMap will run automatically and won't ask for user input.