Questions tagged [sqlmap]

sqlmap is an "Automatic SQL injection and database takeover tool". It can be used to detect flaws in any software with an underlying SQL database.

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

115 questions
8 votes, 5 answers

Specify parameters with SQLMAP

I'm a student learning PHP & MySQL development. I have set up a private lab (VM) inside my computer to test & learn how SQL injection works. When things get harder I use sqlmap to exploit and later on study the requests it made to my test app using…
DriverBoy

6 votes, 2 answers

Sqlmap traffic capture

I am trying to understand how SQLmap works. For example, sqlmap finds injection on my site - Place: GET Parameter: selected Type: UNION query Title: MySQL UNION query (NULL) - 5 columns Payload: act=il&ed=1' LIMIT 1,1 UNION ALL SELECT…
Dmitrij Holkin

5 votes, 2 answers

SQLMAP - Post JSON data as body

Hi, I'm trying to do a SQL injection in a login form. With BurpSuite I intercept the request: POST /xxxx/web/Login HTTP/1.1 Host: 10.0.0.70:42020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0 Accept:…
ronIDX

5 votes, 1 answer

Setting particular type of attack with Sqlmap

Instead of testing all the possible attacks using sqlmap, is there any way to test a vulnerable server using a particular type of attack only? For example, I only want to attack a webserver with PostgreSQL stacked conditional-error blind queries. Is…
user4895437

5 votes, 3 answers

Sqlmap doesn't work over TOR Vidalia in WindowsXP

D:\Python27>python sqlmap\sqlmap.py -u www.mail.ru --tor sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is…
Dmitrij Holkin

4 votes, 1 answer

How do I add a user name and a password to sqlmap?

I was running a SQL injection with sqlmap. My page has an SQL error, but the error shows up once you have logged in to your account (Example: page.com/login.php and when you log in you go to page.com/index.php?id=1 and here the SQL error is evident). When I…
jdcaba

4 votes, 1 answer

What's the difference between data source type pooled and unpooled?

I am configuring MyBatis and I must choose a data source type, POOLED or UNPOOLED. In that case, what's the difference between data source type pooled and unpooled?

4 votes, 4 answers

sqlmap is too slow

Here's an example. Just trying to list the databases: python sqlmap.py -u "http://somesite.com/?id=1" --dbs [15:20:32] [INFO] fetching database names [15:20:32] [INFO] fetching number of databases [15:20:32] [WARNING] time-based comparison needs…
Farzher

3 votes, 2 answers

Sqlmap, using technique

In sqlmap I want to use the time-based blind SQLi technique. --technique= comes with a default of BEUSTQ. Which letter should I use for time-based blind only?
user8377060

3 votes, 0 answers

mybatis typeHandler does not work

I have a sql like this and resultMap like this
byron

3 votes, 1 answer

SQLMAP - how to insert into a database if stacked queries are not possible on a MYSQL server?

Pulling database tables and columns works fine using SQLMAP, but as I try to execute an INSERT statement I get the following error: query: sqlmap -u "http://www.example.com/details.php?item_id=327" -D main_db -T orders --columns --sql-query \…
Edmond Tamas

3 votes, 0 answers

SQLMap and SSL error

python sqlmap.py -u "https://bake-house.com/" --random-agent -v 3 [15:38:18] [DEBUG] cleaning up configuration parameters [15:38:18] [DEBUG] checking for WebSocket [15:38:18] [DEBUG] setting the HTTP timeout [15:38:18] [DEBUG] loading random…
modoyupiwa

3 votes, 4 answers

SQLMAP to test sql injection

I ran SQLMAP to test SQL injection for one of the sites, and got the below information. sqlmap identified the following injection points with a total of 78 HTTP(s) requests: --- Place: GET Parameter: id Type: boolean-based blind Title: AND…
Akon

2 votes, 1 answer

How do I dump columns without datatype in SQLmap?

I would like to know what the command is to dump only column names, not data types. Also, is it possible to search in the data? Like fetching the column data containing @gmail.com or the word 'admin'.
Touseef

2 votes, 2 answers

Use date in MapSqlParameterSource in java Spring

I want to fetch results between start_date and end_date so that I can find my product report. sql = new StringBuilder() .append(" select oi.last_modified,oi.product_key") .append(" from orders o join…
Rohit Jain