Web Hacking Tips
  • Web App Hacking Tips & Tricks
  • Weekly Tips
    • Week 1 - XSS Filter Evasion
    • Week 2 - CSRF Token Bypass
    • Week 3 - CORS Exploitation
    • Week 4 - Finding XSS
    • Week 5 - CSRF Explanation
    • Week 6 - XSS Types
    • Week 7 - Advanced SQLMap
    • Week 8 - Stealing HttpOnly Cookies from PHPINFO
    • Week 9 - SQLMap Tamper Scripts
    • Week 10 - XSS Obfuscated Payloads
    • Week 11 - XS-Search: Cross-Origin Enumeration
    • Week 12 - Subdomain Takeovers
    • Week 13 - XSS Keylogger
    • Week 14 - Algolia API Keys
    • Week 15 - GraphQL Introspection
    • Week 16 - Naming BurpSuite Repeater Tabs
    • Week 17 - GoBuster Tips
    • Week 18 - Burp Request to Python Script
    • Week 19 - Customizing Nikto Scans
    • Week 20 - Google Phishing Page
    • Week 21 - Google BITB
    • Week 22 - XSS Through SVG File
    • Week 23 - FoxyProxy Extension
    • Week 24 - CSP Bypasses
    • Week 25 - Pilfering LocalStorage with XSS
    • Week 26 - Cloud SSRF
    • Week 27 - Blind XSS
    • Week 28 - Firebase Misconfigurations
    • Week 29 - XSS to CSRF
  • Week 30 - SQLMap Debugging
  • Week 31 - WayBack Machine
  • Week 32 - O365 BITB
  • Week 33 - Burp Intruder Attacks
  • Week 34 - GraphQL Bruteforcing
  • Week 35 - User Accounts
  • Week 36 - CVE Submission
  • Week 37 - Second Order SQLi
  • Week 38 - Out of Band SQLi
  • Week 39 - Broken Link Hijacking
  • Week 40 - JWT Testing
  • Week 41 - BURP ATOR
  • Week 42 - ProxyChains
  • Week 43 - CSS Keylogging
  • Week 44 - SVG SSRF
  • Week 45 - Request Smuggling
  • Week 46 - XSS Payloads
  • Week 47 - DNS Re-binding
  • Week 48 - SSRF Bypass
  • Week 49 - File Upload Bypass
  • Week 50 - CRLF Injection
  • Week 51 - HTML to PDF
  • Week 52 - Parameter Pollution
  • Week 53 - Pre-Account Takeover
  • Week 54 - Race Conditions
  • Week 55 - SQLi to RCE
  • Week 56 - Cloud SSRF PrivEsc
  • Week 57 - Response Queue Poisoning
  • Week 58 - Directory Traversal
  • Week 59 - File Upload -> CSRF
  • Week 60 - Modern CSRF Attacks
Powered by GitBook
  1. Weekly Tips

Week 7 - Advanced SQLMap

PreviousWeek 6 - XSS TypesNextWeek 8 - Stealing HttpOnly Cookies from PHPINFO

Last updated 2 years ago

Custom SQLMap Payloads

It’s Week 7 of our Web App Hacking Tips & Tricks Series! Today we’ll be covering one of my favorite topics, Advanced SQL Injection. Have you ever been testing an application that appears vulnerable to SQL Injection, but you were unable to automate using SQLMap? This has happened to me in the past and is a major pain-in-the-butt. I used to add a “tamper=space2comment” and hope for the best! Nowadays I have a much better approach. To start off, I always recommend manually finding a working Proof-of-Concept (POC) with Burp Suite (if you want a future post on manual SQL Injection tips, let me know in the comments). From here, you can add your own custom payload into SQLMap. The folder containing all the payload files can be found here: /usr/share/sqlmap/data/xml/payloads/ First, add the payload in the attached photo below to your ‘boolean_blind.xml’ payload file. Since SQLMap can be finnicky, I’ve found that simplifying the custom payload to only its inference is the most reliable method. Then, use the flags ‘prefix’ and ‘suffix’ to construct the rest of the Proof-of-Concept query you’ve found earlier. For example, if your working POC looks like: test.php?id=1']+OR+[1=1]);/* Then to exploit with your custom payload, your SQLMap command would be: sqlmap -u "<target-url>" --dbs --prefix="']+OR+[" --suffix="]);/*" If all goes well, you should have successfully automated SQL Injection using your custom payload!

If you find you’re still having trouble or are dealing with connection errors, just proxy through Burp Suite using the ‘proxy’ flag. I’ve found this alone solves a good deal of connection errors. Try the ‘force-ssl’ flag too.

Page cover image