Add content from: SQLMap: Testing SQL Database Vulnerabilities

2025-10-10 18:36:50 +00:00 · 2025-07-29 18:42:06 +00:00 · 2025-07-29 18:42:06 +00:00 · b4496aea9a
commit b4496aea9a
parent 18b2e7f2c0
2 changed files with 47 additions and 0 deletions
--- a/src/pentesting-web/sql-injection/sqlmap.md
+++ b/src/pentesting-web/sql-injection/sqlmap.md
@ -23,6 +23,26 @@
 --proxy=PROXY
 ```
 ### Technique flags (`--technique`)
 The `--technique` argument defines which SQL injection methods sqlmap will attempt.  
 Each character in the string represents a technique:
 | Letter | Technique | Description |
 | ------ | --------- | ----------- |
 | B | Boolean-based blind | Uses true/false conditions to infer data |
 | E | Error-based | Leverages verbose DBMS error messages to exfiltrate results |
 | U | UNION query | Injects `UNION SELECT` statements to fetch data via the same channel |
 | S | Stacked queries | Adds additional statements separated by `;` |
 | T | Time-based blind | Relies on delays (`SLEEP`, `WAITFOR`) to detect injection |
 | Q | Inline / out-of-band | Uses functions such as `LOAD_FILE()` or OOB channels like DNS |
 Default order is `BEUSTQ`. You can rearrange or limit them, e.g. only Boolean and Time-based in that order:
 ```bash
 sqlmap -u "http://target/?id=1" --technique="BT" --batch
 ```
 ### Retrieve Information
 #### Internal
@ -192,6 +212,9 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
 | versionedmorekeywords.py     | Encloses each keyword with versioned MySQL comment                                                                                 |
 | xforwardedfor.py             | Append a fake HTTP header 'X-Forwarded-For'                                                                                        |
 ## References
 - [SQLMap: Testing SQL Database Vulnerabilities](https://blog.bughunt.com.br/sqlmap-vulnerabilidades-banco-de-dados/)
 {{#include ../../banners/hacktricks-training.md}}
--- a/src/pentesting-web/sql-injection/sqlmap/README.md
+++ b/src/pentesting-web/sql-injection/sqlmap/README.md
@ -25,6 +25,27 @@
 --union-char "GsFRts2" #Help sqlmap identify union SQLi techniques with a weird union char
 ```
 ### Technique flags (`--technique`)
 The `--technique` option lets you restrict or reorder the SQL injection techniques sqlmap will test.  
 Each letter corresponds to a different class of payloads:
 | Letter | Technique | Description |
 | ------ | --------- | ----------- |
 | B | Boolean-based blind | Uses true/false conditions in the page response to infer results |
 | E | Error-based | Leverages verbose DBMS error messages to extract data |
 | U | UNION query | Injects `UNION SELECT` statements to fetch data via the same channel |
 | S | Stacked queries | Appends extra statements separated by a SQL delimiter (`;`) |
 | T | Time-based blind | Relies on `SLEEP/WAITFOR` delays to detect injectable conditions |
 | Q | Inline / out-of-band | Utilises functions such as `LOAD_FILE()` or DNS exfiltration to extract data |
 The default order that sqlmap will follow is `BEUSTQ` (all techniques).  
 You can change both the order and the subset. For instance, the following command will **only** attempt UNION query and Time-based blind techniques, trying UNION first:
 ```bash
 sqlmap -u "http://target.tld/page.php?id=1" --technique="UT" --batch
 ```
 ### Retrieve Information
 #### Internal
@ -228,6 +249,9 @@ Remember that **you can create your own tamper in python** and it's very simple.
 | xforwardedfor.py             | Append a fake HTTP header 'X-Forwarded-For'                                                                                        |
 ## References
 - [SQLMap: Testing SQL Database Vulnerabilities](https://blog.bughunt.com.br/sqlmap-vulnerabilidades-banco-de-dados/)
 {{#include ../../../banners/hacktricks-training.md}}