From 8102d66dbb70fb70cc4054fa44ea6939a0bfe76a Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 29 Jul 2025 18:42:06 +0000 Subject: [PATCH] Add content from: SQLMap: Testing SQL Database Vulnerabilities --- src/pentesting-web/sql-injection/sqlmap.md | 23 ++++++++++++++++++ .../sql-injection/sqlmap/README.md | 24 +++++++++++++++++++ 2 files changed, 47 insertions(+) diff --git a/src/pentesting-web/sql-injection/sqlmap.md b/src/pentesting-web/sql-injection/sqlmap.md index 14ba1626565..dea2e769478 100644 --- a/src/pentesting-web/sql-injection/sqlmap.md +++ b/src/pentesting-web/sql-injection/sqlmap.md @@ -23,6 +23,26 @@ --proxy=PROXY ``` +### Technique flags (`--technique`) + +The `--technique` argument defines which SQL injection methods sqlmap will attempt. +Each character in the string represents a technique: + +| Letter | Technique | Description | +| ------ | --------- | ----------- | +| B | Boolean-based blind | Uses true/false conditions to infer data | +| E | Error-based | Leverages verbose DBMS error messages to exfiltrate results | +| U | UNION query | Injects `UNION SELECT` statements to fetch data via the same channel | +| S | Stacked queries | Adds additional statements separated by `;` | +| T | Time-based blind | Relies on delays (`SLEEP`, `WAITFOR`) to detect injection | +| Q | Inline / out-of-band | Uses functions such as `LOAD_FILE()` or OOB channels like DNS | + +Default order is `BEUSTQ`. You can rearrange or limit them, e.g. only Boolean and Time-based in that order: + +```bash +sqlmap -u "http://target/?id=1" --technique="BT" --batch +``` + ### Retrieve Information #### Internal 
@@ -192,6 +212,9 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch | versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment | | xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' | +## References +- [SQLMap: Testing SQL Database Vulnerabilities](https://blog.bughunt.com.br/sqlmap-vulnerabilidades-banco-de-dados/) + {{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/sql-injection/sqlmap/README.md b/src/pentesting-web/sql-injection/sqlmap/README.md index 3ad315c2086..033d897d683 100644 --- a/src/pentesting-web/sql-injection/sqlmap/README.md +++ b/src/pentesting-web/sql-injection/sqlmap/README.md @@ -25,6 +25,27 @@ --union-char "GsFRts2" #Help sqlmap identify union SQLi techniques with a weird union char ``` +### Technique flags (`--technique`) + +The `--technique` option lets you restrict or reorder the SQL injection techniques sqlmap will test. +Each letter corresponds to a different class of payloads: + +| Letter | Technique | Description | +| ------ | --------- | ----------- | +| B | Boolean-based blind | Uses true/false conditions in the page response to infer results | +| E | Error-based | Leverages verbose DBMS error messages to extract data | +| U | UNION query | Injects `UNION SELECT` statements to fetch data via the same channel | +| S | Stacked queries | Appends extra statements separated by a SQL delimiter (`;`) | +| T | Time-based blind | Relies on `SLEEP/WAITFOR` delays to detect injectable conditions | +| Q | Inline / out-of-band | Utilises functions such as `LOAD_FILE()` or DNS exfiltration to extract data | + +The default order that sqlmap will follow is `BEUSTQ` (all techniques). +You can change both the order and the subset. For instance, the following command will **only** attempt UNION query and Time-based blind techniques, trying UNION first: + +```bash +sqlmap -u "http://target.tld/page.php?id=1" --technique="UT" --batch +``` + ### Retrieve Information #### Internal 
@@ -228,6 +249,9 @@ Remember that **you can create your own tamper in python** and it's very simple. | xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' | +## References +- [SQLMap: Testing SQL Database Vulnerabilities](https://blog.bughunt.com.br/sqlmap-vulnerabilidades-banco-de-dados/) + {{#include ../../../banners/hacktricks-training.md}}
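Review bot: the `Q` row of the technique table in `src/pentesting-web/sql-injection/sqlmap.md` (hunk `@@ -23,6 +23,26 @@`) misdescribes the technique. In sqlmap `Q` is "Inline queries": a subquery such as `(SELECT ...)` is embedded inside the original statement and its result is read from the same response, so it is in-band, not out-of-band. DNS exfiltration is driven by the separate `--dns-domain` option and `LOAD_FILE()` belongs to `--file-read`; neither is selected through `--technique`. Suggested row: `| Q | Inline queries | Injects a subquery inside the original statement and reads the result from the same response |`. Second, "You can rearrange or limit them, e.g. only Boolean and Time-based in that order" overstates the option: the argument is a set of letters (the sqlmap manual words it as "any combination of B, E, U, S, T and Q"), and sqlmap derives the test sequence from its own payload priorities rather than from the letter order, so the example should say "limit the run to Boolean-based and time-based blind" and "rearrange" / "in that order" should be dropped.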
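Review bot: the only source cited for the new `--technique` section (hunk `@@ -192,6 +212,9 @@` of `sqlmap.md`) is a third-party blog post, while the meaning of the six letters and the default value `BEUSTQ` are defined in sqlmap's own usage documentation (`--technique` in the project's Usage wiki); add that as the primary reference so readers can check the table against the tool rather than against a secondary write-up.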
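Review bot: hunk `@@ -25,6 +25,27 @@` of `src/pentesting-web/sql-injection/sqlmap/README.md` repeats the `Q` mistake from `sqlmap.md` (`Q` is sqlmap's inline-queries technique, in-band; `LOAD_FILE()` and DNS exfiltration are `--file-read` and `--dns-domain`, not technique letters), and the sentence "will **only** attempt UNION query and Time-based blind techniques, trying UNION first" claims an ordering the option does not provide: the letters select a subset and sqlmap orders the tests itself, so remove "trying UNION first" and "You can change both the order and the subset" and keep only the subset statement. Also, the two copies of this section now differ in wording ("Default order is `BEUSTQ`" vs "The default order that sqlmap will follow is `BEUSTQ` (all techniques)"; "Relies on delays (`SLEEP`, `WAITFOR`)" vs "Relies on `SLEEP/WAITFOR` delays"; "Uses" vs "Utilises"); since `sqlmap.md` and `sqlmap/README.md` carry the same surrounding sections, make the added text identical in both files or add it to one of them only.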