# Increase depth (more payloads)
sqlmap -u "http://t/?id=1" --level=5 --risk=3 --batch
# Restrict techniques (default: BEUSTQ)
sqlmap -u "http://t/?id=1" --technique=BEU --batch
# Time-based only (blind)
sqlmap -u "http://t/?id=1" --technique=T --time-sec=5 --batch
Techniques
In some special cases, we have to narrow down the used payloads only to a certain type. For example, if the time-based blind payloads are causing trouble in the form of response timeouts, or if we want to force the usage of a specific SQLi payload type, the option --technique can specify the SQLi technique to be used.
For example, if we want to skip the time-based blind and stacking SQLi payloads and only test for the boolean-based blind, error-based, and UNION-query payloads, we can specify these techniques with --technique=BEU.
UNION SQLi Tuning
In some cases, UNION SQLi payloads require extra user-provided information to work. If we can manually find the exact number of columns of the vulnerable SQL query, we can provide this number to SQLMap with the option --union-cols (e.g. --union-cols=17). In case the default "dummy" filling values used by SQLMap (NULL and a random integer) are not compatible with the values returned by the vulnerable SQL query, we can specify an alternative value instead (e.g. --union-char='a').
Furthermore, in case there is a requirement to use an appendix at the end of a UNION query in the form of the FROM <table> (e.g., in case of Oracle), we can set it with the option --union-from (e.g. --union-from=users).
If SQLMap fails to add the proper FROM appendix automatically, it is usually because it could not detect the DBMS name before the appendix was needed.
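As an added illustration (not part of the original notes), the following Python script looks at the problem from the defender's side: it parses combined-format web-server log lines and tags each request with the sqlmap technique letters (the BEUSTQ set described above) whose payload shape appears in a query-string value. The signatures and the sample log lines are my own constructions for the example; sqlmap's real payload files are far broader.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# One rough signature per sqlmap technique letter (the BEUSTQ set from --technique).
# These regexes are my own approximations for illustration, not sqlmap's payload files.
TECHNIQUE_PATTERNS = {
    "B": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),               # boolean-based blind
    "E": re.compile(r"\b(?:EXTRACTVALUE|UPDATEXML|CONVERT)\s*\(", re.I),  # error-based
    "U": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b.*\bNULL\b", re.I),    # UNION with NULL fillers
    "S": re.compile(r";\s*(?:SELECT|WAITFOR|INSERT|UPDATE)\b", re.I),     # stacked queries
    "T": re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP|WAITFOR\s+DELAY)\b", re.I),  # time-based blind
    "Q": re.compile(r"^\s*\(\s*SELECT\b", re.I),                          # inline query
}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify_value(value: str) -> set:
    """Return the set of technique letters whose signature matches one parameter value."""
    return {letter for letter, rx in TECHNIQUE_PATTERNS.items() if rx.search(value)}

def classify_target(target: str) -> set:
    """Decode every query-string value of a request target and union the technique hits."""
    found = set()
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        found |= classify_value(value)
    return found

def scan_log(lines):
    """Return (ip, technique letters, user-agent) for requests carrying SQLi-shaped payloads."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        letters = classify_target(m["target"])
        if letters:
            hits.append((m["ip"], "".join(sorted(letters)), m["ua"]))
    return hits

# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=-1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%20FROM%20users--%20- HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Calling scan_log(SAMPLE_LOG) returns three hits tagged B, T and U; the third shows that a payload can be UNION-shaped even when the User-Agent has been changed from the default sqlmap string.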
Display Errors
The first step is usually to switch on --parse-errors, which parses the DBMS errors (if any) and displays them as part of the program run.
Verbose Output
Another useful flag is the -v option, which raises the verbosity level of the console output:
Gotchas
- Dynamic CSRF/nonce sometimes needs macros in Burp; if sqlmap can't keep up, replay through Burp and use -r with stable tokens.
- For JSON, set Content-Type: application/json and keep quotes; sqlmap can inject inside strings or numbers.
- If nothing triggers, try --level 5 --risk 3 and --technique=T (time-based) with a larger --time-sec.
- Always remember: if there IS an injection but NO output, it is very possible a WAF is interfering.