7

I would like to know the SQLMap command that lets me retrieve just the tables that begin with a specific letter. Example with letter "T":

sqlmap.py -u www.website -D database -T tables (...)
Gilles 'SO- stop being evil'
  • 1
    You can retrieve a list of all tables, and then manually request those tables starting with T, but as far as I'm aware, SQLMap doesn't have specific functions for retrieving a subset of tables. It would be a bit too specialist for a command line program which can utilise shell scripts or Perl. [The usage page](https://github.com/sqlmapproject/sqlmap/wiki/Usage) lists all options for SQLMap – Matthew Nov 04 '15 at 13:37

3 Answers

5

I believe you have 2 options in this case:

  1. You can use sqlmap inside of a shell script to list the tables, and save those results to iterate over with successive calls to sqlmap.

  2. You can use sqlmap to run a designated SQL query with the --sql-query option.

I don't think the tool is capable of running as you desire, like this:

sqlmap.py -u www.website -D database -T "t*"
galoget
J Kimball
  • To dump all tables of a certain letter, sqlmap has to return all results anyway then filter. So, I agree that it makes just as much sense to return all tables and let the user filter as a separate function. – schroeder Sep 23 '22 at 14:54
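The "list all tables, then filter locally" approach from the answer and comment above, as an added example that is not part of the original posts. The function names `filter_tables` and `sample_listing` are hypothetical, the table names are constructed, and the sample reproduces the boxed layout sqlmap prints for `--tables`; case-insensitive matching is a choice made here.

```shell
#!/bin/sh
# Added example: pick table names with a given prefix out of saved
# sqlmap "--tables" output. Nothing here contacts a target; it only
# post-processes text that was already captured to a file or pipe.

# filter_tables PREFIX [FILE...]   (reads stdin when no FILE is given)
filter_tables() {
    prefix=$1
    shift
    awk -v p="$prefix" '
        # Data rows look like "| name   |"; border rows start with "+"
        # and log lines start with "[", so only "|" rows are considered.
        /^\|/ {
            name = $0
            sub(/^\|[ \t]*/, "", name)        # strip left border + padding
            sub(/[ \t]*\|[ \t]*$/, "", name)  # strip right padding + border
            # Literal, case-insensitive prefix comparison: no regex or
            # LIKE semantics, so "_" and "%" in PREFIX match themselves.
            if (tolower(substr(name, 1, length(p))) == tolower(p))
                print name
        }
    ' "$@"
}

# Constructed sample of a table listing (not real scan output).
sample_listing() {
    cat <<'EOF'
[12:00:00] [INFO] fetching tables for database: 'database'
Database: database
[5 tables]
+--------------+
| orders       |
| Tokens       |
| t_audit_log  |
| transactions |
| users        |
+--------------+
EOF
}

# Stand-alone demo: tables starting with "t" in the constructed sample.
sample_listing | filter_tables t
```
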
3

SQLMap does not support this natively. But you can build your own query that retrieves exactly what you need. Take a look at the --sql-shell parameter. It will pop up a shell prompt. Every single query you type in that shell will be executed through the SQL injection attack!

You can use the following query. It retrieves table names that start with "w":

SELECT table_name FROM information_schema.tables WHERE table_schema=database() and table_name LIKE 'w%';

Actually, the above query is almost the same as native SQLMap payloads. For example, SQLMap uses the following payload for Blind SQL Injections.

' AND SUBSTRING('SELECT version()', 1,1)

In this payload, SQLMap tries to retrieve the results of the SELECT version(); query, which is predefined inside the SQLMap XML file. We are updating this query with the --sql-shell command. Every single "normal" database query you pass to the terminal is going to be replaced with SELECT version();.

' AND SUBSTRING('SELECT table_name FROM information_schema.tables WHERE table_schema=database() and table_name LIKE 'w%';', 1,1)

The rest of the SQL Injection mechanism will be okay as long as your custom query is correct.

galoget
Mehmet Ince
  • Did you mean --sql-query instead of --sql-shell? – J Kimball Nov 04 '15 at 13:45
  • @JKimball I think --sql-query is for one-time query execution. --sql-shell is a kind of terminal shell, but it does something with --sql-query behind the scenes. Official documentation says: --sql-query=QUERY SQL statement to be executed, --sql-shell Prompt for an interactive SQL shell – Mehmet Ince Nov 04 '15 at 13:47
2
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1"\
 --dump -T users
[...]
Database: Firebird_masterdb
Table: USERS
[4 entries]
+----+--------+------------+
| ID | NAME   | SURNAME    |
+----+--------+------------+
| 1  | luther | blisset    |
| 2  | fluffy | bunny      |
| 3  | wu     | ming       |
| 4  | NULL   | nameisnull |
+----+--------+------------+
  • 1
    This answer does not actually do what the initial question asks... They asked to get a list of all tables beginning with a specific character. The answer 2 below this one actually achieves that end. – Mike Bell Jan 09 '22 at 08:47
  • This dumps a particular table. It doesn't dump all tables, or even tables that begin with a certain letter. – schroeder Sep 23 '22 at 14:52