Hi there!
This is the third topic in this series. Have a look at the other topics as well to get a better idea of the series and its pattern.
Third Topic - SQL Injection
I had already completed the PortSwigger labs and looked into many of the Audi Labs challenges.
So this time, I decided to dig a little deeper into how the Sqlmap tool works.
Before this, I only knew some of the basic usage of Sqlmap.
Labs
- https://portswigger.net/web-security/sql-injection (PortSwigger Labs)
- https://github.com/Audi-1/sqli-labs (Audi Sqli Labs)
- https://github.com/skyblueee/sqli-labs-php7 (Audi Sqli Labs with PHP version >=7 compatibility)
Advanced Sqlmap Usage
- https://github.com/sqlmapproject/sqlmap/wiki/Usage (Options available in Sqlmap)
- https://thegreycorner.com/2017/01/05/exploiting-difficult-sql-injection.html (Nicely explained advanced usage of Sqli)
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/sqlmap-tricks-for-advanced-sql-injection/ (How to create your own payload)
- https://cobalt.io/blog/a-pentesters-guide-to-sql-injection-sqli (Cheat sheet on different types of techniques)
- http://www.securityidiots.com/Web-Pentest/SQL-Injection/XPATH-Error-Based-Injection-Extractvalue.html (Explanation of the extractvalue function, mostly used in error-based payloads)
- https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/ (Reference on detecting second-order injection)
Parameters that I commonly use
-u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-r REQUESTFILE      Load HTTP request from a file
-p TESTPARAMETER    Testable parameter(s)
-v VERBOSE          Verbosity level: 0-6 (default 1)
--proxy=PROXY       Use a proxy to connect to the target URL
--headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
--technique=TECH..  SQL injection techniques to use (default "BEUSTQ")
--flush-session     Flush session files for current target
--skip-waf          Skip heuristic detection of WAF/IPS protection
--skip-heuristics   Skip heuristic detection of SQLi/XSS vulnerabilities
--level=LEVEL       Level of tests to perform (1-5, default 1)
--risk=RISK         Risk of tests to perform (1-3, default 1)
--dbms=DBMS         Force back-end DBMS to provided value
--tamper=TAMPER     Use given script(s) for tampering injection data
--prefix=PREFIX     Injection payload prefix string
--suffix=SUFFIX     Injection payload suffix string
--second-url=SEC..  Resulting page URL searched for second-order response
Feel free to drop any suggestions via my social handles.
Thanks for reading!