Questions tagged [sqlmap]

sqlmap is an "Automatic SQL injection and database takeover tool". It can be used to detect flaws in any software with an underlying SQL database.

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

128 questions
0
votes
1 answer

Why does SQLMap not find the database name?

I am currently working on a CTF. I managed to log into the app using manual SQLi in the password field. I then asked SQLMap to find more info, to no avail. Here is the command I use: sqlmap -u http://10.150.150.146/reviewer/login/ --method=POST…
Crouzilles
0
votes
1 answer

sqlmap: how to test multiple targets with post data

I use the -m switch in sqlmap to read targets from a file and test all of them for SQL injection: sqlmap -m requests-file.txt --batch There isn't a problem with 'GET' requests and query string parameters. But in this way, I can't test requests with 'POST'…
0
votes
0 answers

UnicodeDecodeError: 'utf-8' codec can't decode byte 0x9c in position 2: invalid start byte in PKG-INFO file

I am trying to use SQLmap for a hackerone CTF. I am using this command - sqlmap -u https://eaecb1441dab1a33c33587f1e39cd745.ctf.hacker101.com/fetch?id=1 -dbs But, SQLmap is giving me an error - UnicodeDecodeError: 'utf-8' codec can't decode byte…
0
votes
0 answers

SQLMAP - How to get full path disclosure?

My target has a time-based SQLi and is dba and has full root privileges. I tried to do --os-cmd / --os-shell but it cannot find the root dir to write the file stager. I wonder if an attacker can exploit this knowing the web root directory. Sqlmap…
Rick
0
votes
1 answer

Add known tables names to SQLmap Time-Based session

I am analyzing a database that has 90 tables using the "Time-Based Comparison" technique. When I was listing the names of the tables, I was already at number 40 and my PC turned off without saving the progress in the session, when I started the…
Joseph
0
votes
0 answers

SQLMAP [DEBUG]SSL connection error occurred for PROTOCOL_TLSv1(SSLError:[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:997))

Please, I need help to fix this problem/issue in SQLMAP. This is the script I use: python3 sqlmap.py -r hat.txt -p redirect_to -v 2 --batch -o --keep-alive --null-connection --level 5 --threads 10 --risk 3 --sql-shell --random-agent --drop-set-cookie…
pikas24
0
votes
0 answers

config payload usage in SQLmap

I have a target. After manual testing, I found that the target responds to sleep time, but the response comes after 3 times the number I put. For example, when I put the payload: 'select (sleep (1))' the read response will be 3 when I put the…
0
votes
1 answer

Hex Entity Encoding in SQLmap

I am using SQLmap and want to hex-entity-encode the input before SQLmap sends it to the server. For example, hex-entity-encoding of "abc" should return abc. I know that I should use a Python tamper script which should hex-entity-encode…
0
votes
0 answers

Grab some data from request response and put it in next request in SQLmap

I want to grab some data from the response of a request and put it in the next request's POST data. How do I do that? I know that there are postprocess | preprocess features, but how do they work and how do I edit the response with these features? I tried to work with postprocess…
0
votes
0 answers

Using Sqlmap How to Login to a Web Server and Use the Session Cookies Obtained in Response for Further Operations in Servers

Similar to the Postman tool, how can I use sqlmap to do the following operations: log in to a web server, save the cookies of the login session, and use the saved session cookies for further POST operations in servers, like creating an object, deleting an object so…
0
votes
1 answer

Unable to connect to URL with SQLMAP in Mutillidae

I am trying to use SQLMap to study an insertion vulnerability in the Mutillidae 2.8.82 application. The app is installed locally in my Kali Linux 5.17.0-kali3-amd64 running in a virtual machine. However, when I try running SQLMap I only get a few…
0
votes
1 answer

[WARNING HTTP error codes detected during run: 404 (Not Found) - 1 times

sqlmap -u "http://10.129.15.49/dashboard.php\?search\=b" -- cookie="PHPSESSID=ld80r2ahkq6l2usoc3tecu2cd6" [INFO] testing connection to the target URL [21:10:33] [CRITICAL] page not found (404) it is not recommended to continue in this kind of…
Japneet
0
votes
2 answers

Specified file 'sql.txt' does not contain a usable HTTP request (with parameters)

Whenever I am Using - sqlmap -r sql.txt --dbms=MYSQL --dbs --batch following result get displayed. └─# sqlmap -r sql.txt --dbms=MYSQL --dbs --batch …
tonny
0
votes
1 answer

Element type "foreach" must be declared - mybatis

Is using foreach attribute in mybatis/ibatis for oracle sql updates a best practice? Below is my query in the sql map.
HookUp
0
votes
1 answer

(sql injection)sqli-lab 15:ununderstandable behavior in where clause

I am learning SQL injection, and I set up the sqli-lab environment (windows+php+mysql 5.5.53) on my computer. I encountered two problems when I was solving sqli-lab 15. The source code in this question is below: @$sql="SELECT username, password…
tec_bai