Questions tagged [sqlmap]

sqlmap is an "Automatic SQL injection and database takeover tool". It can be used to detect flaws in any software with an underlying SQL database.

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches, from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

128 questions

11 votes, 3 answers

SQLMAP - Post JSON data as body

Hi I'm trying to do a SQL injection in a login form. With BurpSuite I intercept the request: POST /xxxx/web/Login HTTP/1.1 Host: 10.0.0.70:42020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0 Accept:…
ronIDX

9 votes, 5 answers

Specify parameters with SQLMAP

I'm a student learning PHP & MySQL development. I have set up a private lab (VM) inside my computer to test & learn how SQL injection works. When things get harder I use sqlmap to exploit and later on study the requests it made to my test app using…
DriverBoy

7 votes, 1 answer

Setting particular type of attack with Sqlmap

Instead of testing all the possible attacks using sqlmap, is there any way to test a vulnerable server using a particular type of attack only? For example, I only want to attack a webserver with PostgreSQL stacked conditional-error blind queries. Is…
user4895437

6 votes, 1 answer

How do I add a user name and a password to sqlmap?

I was running a SQL injection with sqlmap. My page has an SQL error, but the error shows up once you are logged in to your account (Example: page.com/login.php and when you log in you go to page.com/index.php?id=1 and here the SQL error is evident). When I…
jdcaba

6 votes, 1 answer

SQLMAP - how to insert into a database if stacked queries are not possible on a MYSQL server?

Pulling database tables and columns works fine using SQLMAP, but as I try to execute an INSERT statement I get the following error: query: sqlmap -u "http://www.example.com/details.php?item_id=327" -D main_db -T orders --columns --sql-query \…
Edmond Tamas

6 votes, 4 answers

How to inject a part of cookie using sqlmap

I need to do SQL injection on a part of a cookie using sqlmap. The target URL is static. A sample cookie: Cookie1=blah_var1/blah_val1/blah_var2/blah_val2/searchtext/userinput/blah_var3/blah_val3/.../ In this cookie I need to inject the "userinput"…
jerald

6 votes, 2 answers

Sqlmap traffic capture

I am trying to understand how SQLmap works. For example, sqlmap finds injection on my site - Place: GET Parameter: selected Type: UNION query Title: MySQL UNION query (NULL) - 5 columns Payload: act=il&ed=1' LIMIT 1,1 UNION ALL SELECT…
Dmitrij Holkin

5 votes, 2 answers

Sqlmap, using technique

In sqlmap I want to use the time-based blind SQLi technique. --technique= comes with a default of BEUSTQ. Which letter should I use for time-based blind only?
user8377060

5 votes, 1 answer

What's the difference between data source type pooled and unpooled?

I am configuring MyBatis and I must choose a data source type, POOLED or UNPOOLED. In that case, what's the difference between data source type pooled and unpooled?
Emre Sevinç

5 votes, 3 answers

Sqlmap doesn't work over TOR Vidalia in Windows XP

D:\Python27>python sqlmap\sqlmap.py -u www.mail.ru --tor sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is…
Dmitrij Holkin

5 votes, 4 answers

sqlmap is too slow

Here's an example. Just trying to list the databases: python sqlmap.py -u "http://somesite.com/?id=1" --dbs [15:20:32] [INFO] fetching database names [15:20:32] [INFO] fetching number of databases [15:20:32] [WARNING] time-based comparison needs…
Farzher

4 votes, 1 answer

Sqlmap post data

I was trying to run sqlmap with method POST but I got this error: [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1') Now, I know that for POST method I must run sqlmap with…
Jorj

3 votes, 2 answers

SQLMap: Can't establish SSL Connection: Need Solution

I am trying to use SQLMap with https but when I try "C:\Python27\sqlmap>sqlmap.py -u https://localhost:8774/App/console/index.jsp --force-ssl" it returns "Can't establish SSL Connection". So is there any way that I can pass SSL certificate to…

3 votes, 0 answers

mybatis typeHandler does not work

I have a sql like this and resultMap like this
byron

3 votes, 0 answers

SQLMap and SSL error

python sqlmap.py -u "https://bake-house.com/" --random-agent -v 3 [15:38:18] [DEBUG] cleaning up configuration parameters [15:38:18] [DEBUG] checking for WebSocket [15:38:18] [DEBUG] setting the HTTP timeout [15:38:18] [DEBUG] loading random…
modoyupiwa