
Commit b720c6c

Merge pull request #1931 from HackTricks-wiki/research_update_src_pentesting-web_sql-injection_sqlmap_20260221_130048
Research Update Enhanced src/pentesting-web/sql-injection/sq...
2 parents 1da9db2 + 8dbfbf7 commit b720c6c

1 file changed

Lines changed: 16 additions & 7 deletions


src/pentesting-web/sql-injection/sqlmap.md

@@ -169,7 +169,7 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
169169
| apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart |
170170
| appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
171171
| base64encode.py | Base64 all characters in a given payload |
172-
| between.py | Replaces greater than operator \('>'\) with 'NOT BETWEEN 0 AND \#' |
172+
| between.py | Replaces greater than operator \('>'\) with 'NOT BETWEEN 0 AND \#' |
173173
| bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
174174
| chardoubleencode.py | Double url-encodes all characters in a given payload \(not processing already encoded\) |
175175
| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
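Review bot: the removed and added `between.py` rows render byte-identical, so this hunk is a whitespace-only change (trailing space or line ending) with no visible effect on the table; if that was not intended, drop it so the diff stays limited to the actual tamper-table fixes, and if it was, say so in the commit message. Since this row is being touched anyway, the neighbouring `bluecoat.py` context row is missing a space in "blank character.Afterwards replace", which is worth fixing in the same pass.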
@@ -180,7 +180,7 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
180180
| charunicodeescape.py | Unicode-url-encodes non-encoded characters in a given payload \(not processing already encoded\). "\u0022" |
181181
| equaltolike.py | Replaces all occurances of operator equal \('='\) with operator 'LIKE' |
182182
| escapequotes.py | Slash escape quotes \(' and "\) |
183-
| greatest.py | Replaces greater than operator \('>'\) with 'GREATEST' counterpart |
183+
| greatest.py | Replaces greater than operator \('>'\) with 'GREATEST' counterpart |
184184
| halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
185185
| ifnull2ifisnull.py | Replaces instances like 'IFNULL\(A, B\)' with 'IF\(ISNULL\(A\), B, A\)' |
186186
| modsecurityversioned.py | Embraces complete query with versioned comment |
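Review bot: same as the first hunk, the old and new `greatest.py` rows are identical as rendered, so this is a whitespace-only edit that adds diff noise without changing the page; either justify it or revert it. The adjacent `equaltolike.py` context row still spells "occurances" (should be "occurrences") and would be a better use of a touch to this block.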
@@ -203,19 +203,28 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
203203
| space2mysqldash.py | Replaces space character \(' '\) with a dash comment \('--'\) followed by a new line \('\n'\) |
204204
| space2plus.py | Replaces space character \(' '\) with plus \('+'\) |
205205
| space2randomblank.py | Replaces space character \(' '\) with a random blank character from a valid set of alternate characters |
206-
| symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts \(&& and |
206+
| symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts \(&& and \|\|\) |
207207
| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
208-
| unmagicquotes.py | Replaces quote character \('\) with a multi-byte combo %bf%27 together with generic comment at the end \(to make it work\) |
208+
| unmagicquotes.py | Replaces quote character \(') with a multi-byte combo %bf%27 together with generic comment at the end \(to make it work\) |
209209
| uppercase.py | Replaces each keyword character with upper case value 'INSERT' |
210210
| varnish.py | Append a HTTP header 'X-originating-IP' |
211211
| versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
212212
| versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
213213
| xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' |
214+
| luanginxmore.py | POST-only tamper that prepends millions of dummy parameters to exhaust Lua‑Nginx WAF parsers (e.g., Cloudflare). |
214215

215-
## References
216-
- [SQLMap: Testing SQL Database Vulnerabilities](https://blog.bughunt.com.br/sqlmap-vulnerabilidades-banco-de-dados/)
216+
`luanginxmore` generates ~4.2M random POST parameters before your payload; use it only with `--method=POST` and expect large request sizes to crash poorly configured Lua-Nginx WAFs.
217217

218-
{{#include ../../banners/hacktricks-training.md}}
218+
## Recent switches worth enabling (>=1.9.x)
219219

220+
* **HTTP/2 transport**: `--http2` forces sqlmap to speak HTTP/2 (helpful against front-ends that rate-limit HTTP/1.1 but relax h2). Combine with `--force-ssl` to pin HTTPS.
221+
* **Proxy rotation**: `--proxy-file proxies.txt --proxy-freq 3` will rotate through a list, changing proxy every 3 requests to avoid IP-based throttling.
222+
* **Offline / purge modes**: `--offline` reuses cached session data without touching the target (zero network traffic), while `--purge` securely wipes the session/output directory when you’re done.
223+
* **Mobile UA emulation**: `--mobile` prompts you to spoof a popular smartphone User-Agent, useful on APIs that expose additional fields to mobile clients.
220224

225+
## References
226+
- [SQLMap Usage Wiki](https://github.com/sqlmapproject/sqlmap/wiki/usage)
227+
- [SQLMap Command Builder (flags summary incl. HTTP/2)](https://vizzdoom.github.io/sqlmap-command-builder/)
228+
- [luanginxmore tamper (sqlmap GitHub)](https://raw.githubusercontent.com/sqlmapproject/sqlmap/master/tamper/luanginxmore.py)
221229

230+
{{#include ../../banners/hacktricks-training.md}}
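Review bot: the `unmagicquotes.py` row regresses the escaping: `\('\)` became `\(')`, dropping the backslash on the closing parenthesis, while every other row in the table escapes both `\(` and `\)`; keep `\('\)` for consistency (the `symboliclogical.py` fix is correct, since the bare `||` in the old row was being read as a cell separator). In the new `luanginxmore.py` row, "Lua‑Nginx" uses a non-breaking hyphen (U+2011) whereas the paragraph below writes "Lua-Nginx" with an ASCII hyphen; use the ASCII form so search and copy-paste work. That paragraph's "~4.2M random POST parameters" figure and the `--method=POST` restriction should point at where they come from, e.g. the tamper's own docstring in the `luanginxmore.py` file that is linked under References, so a reader can verify them. The heading "Recent switches worth enabling (>=1.9.x)" applies one version floor to all four bullets (`--http2`, `--proxy-file`/`--proxy-freq`, `--offline`/`--purge`, `--mobile`) without saying which of them actually need 1.9.x; either give the introducing version per flag from the linked usage wiki or reword the heading to "Useful switches" so it does not imply all of them are new. Finally, the old reference to the bughunt.com.br SQLMap article is removed without explanation; if the text it supported is still on the page, keep the citation, otherwise note in the commit message why it was dropped.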
