SQLMAP | Notion

SQLMap
- SQLMap uses techniques like
  - B- Boolean based blind
  - E - Error Based
  - U - Union Query based
  - S - stacked queries
  - T - Time based blind
  - Q - Inline queries
- Crawl
  - when a website is given to sqlmap it crawls the whole website and tells which all parameters are vulnerable for SQL Injection
- SQLMap commands
  - sqlmap -u <website-link> - -crawl 2 - -batch ————- this will crawl the website with 2 of the pages found in that existing link. in this command the batch command will answer the default answers.
  - using Technique when we want to crawl the websites with the help of techniques we use the same command.
    - sqlmap -u <website-link> - -crawl 3 - -technique=”B/E/U/S/T/Q” - -batch
  - SQLInjection using Thread
    - In sqlmap, the --threads option is used to increase the number of concurrent HTTP requests sent to the target web server. The default value for --threads is 1. By increasing this value, sqlmap can perform tasks like testing for vulnerabilities or extracting data much faster.
    - thread can be from 1-10
    - command will be the same ———— sqlmap -u <website-link> - -crawl 2 - -batch - -thread 5
  - RISK
    - The higher the risk level, the more aggressive and potentially disruptive the tests become.
    - -risk=1 (Default): This is the safest and least intrusive setting. It uses payloads that are generally harmless and unlikely to alter or damage the target database. This level is suitable for initial reconnaissance and testing on production systems.
    - -risk=2: This level adds more complex and potentially heavy query time-based blind injection tests. These tests can put a significant load on the database server and may be more likely to trigger a Web Application Firewall (WAF).
    - -risk=3: This is the highest and most intrusive risk level. It includes all the payloads from risk level 1 and 2, and also adds **OR**based SQL injection tests and other payloads that could potentially modify or delete data in the database. This level should be used with extreme caution and only on systems where you have explicit permission for destructive testing.
    - command ————— sqlmap -u <website-link> - -crawl 2 - -batch - -risk 3
  - LEVEL
    - Key Difference Between -risk and -level
    It's important to distinguish risk from level.
    - -level: Controls the scope of the scan, determining which parts of an HTTP request (like GET/POST parameters, cookies, or headers) are tested for vulnerabilities. A higher level means sqlmap tests more injection points.
    - -risk: Controls the intrusiveness of the payloads themselves. A higher risk means sqlmap uses more dangerous queries that could potentially affect the integrity of the database.
    - sqlmap -u <website-link> - -crawl 2 - -batch - -level 1
  - Verbosity
    - In sqlmap, verbosity refers to the level of detail in the output displayed on the console. It's controlled by the -v or --verbose option, which can be set to an integer value from 0 to 6. A higher verbosity level provides more information about what sqlmap is doing behind the scenes.
    Verbosity Levels
    - 0: Shows only Python tracebacks, error, and critical messages. This is the quietest setting, ideal for automated scripts or when you only want to see problems.
    - 1 (Default): Shows information, warning, and error messages. This is the standard level, providing a good balance of feedback without being overwhelming.
    - 2: Adds debug messages. This level is useful for troubleshooting when you need to see more internal details of the scanning process.
    - 3: Shows the payloads that sqlmap is injecting into the target. This is very useful for understanding how the tool is attacking the web application and for debugging your own custom payloads.
    - 4: Shows the full HTTP requests that sqlmap is sending. This is a very detailed level, allowing you to see the exact requests, including headers and parameters, before they are sent to the server.
    - 5: Shows the HTTP requests and the HTTP response headers. This gives you a view of the server's response headers, which can be useful for debugging or identifying the web server and its technologies.
    - 6: Shows the full HTTP requests and responses, including the entire page content. This is the most verbose level and is great for in-depth analysis and debugging, as you can see exactly what the server returned for each request.
    - cmd ——- sqlmap -u <website-link> - -crawl 2 - -batch - - v 4
    - here in verbosity we will give value according to what results we want
  - USER enumeration
    - In sqlmap, user enumeration refers to the process of discovering the names of the database users with a specific privilege, or all of the users that exist within the database management system. This is done after sqlmap has successfully identified a SQL injection vulnerability.
    - vulnerable urls will be urls that have valid sql injection possible
    - commands ———— sqlmap -u <vulnerable-url> - -current-user - -current-db - -hostname - -batch
      - this command will give me the name of the current user, current database name and the hostname of the database.
    - command ———- sqlmap -u <vulnerable-url> - -dbs - -batch
      - this command gives me information about all the databases are there
    - command ———- sqlmap -u <vulnerable-url> - -batch -D <database name> - -tables
      - this commands gives us the tables in the database
    - command —————- sqlmap -u <vulnerable-url> -D <database-name> -T <table-name> - -dump
      - this commands gives us the details inside the table that we specified
    - command ———- sqlmap -u <vulnerable-url> -D <database-name> -T <table-name> - -columns
      - this command gives us the datatype of the columns in that table
    - command ————- sqlmap -u <vulnerable-url> -D <database-name> -T <table-name> - -dump
    - command ——- sqlmap -u <vulnerable-url> -D <database-name> - -dump-all
      - this command dumps all the data from the database
  - Output dir

Verbosity Levels