I'm using sqlmap on a test site and I wanted to modify some of the data inside of a table. Using the switch --sql-query.
What is the correct syntax?
example: is it --sql-query="My_query_here"?
or maybe it's --sql-query='myqueryhere'?
How would I be able to modify multiple rows of data?
example: Say I wanted to replace all data with the words. Game Over
Is it possible to drop in a shell?
Most databases do not allow you to just insert data using SQL Injection (Unless of course you are already in an insert query and even then you usually can't control the table name). You can't simply stack queries, that is only allowed in Microsoft SQL Server, PostgreSQL and comic books (like xkcd). You can use a sub-select or union select to access data from another table, and SQLMap is doing this behind the scenes.
SQLMap's real strength is in data exfiltration, and it has some tricks to get RCE. But, If you want something more complex, like a multi-staged attack that gives you a shell, then you need to write a multi-staged SQLi exploit like this one, which I wrote. If you want a deeper understanding of security then you need to write exploits to have that experience, take off the training wheels and be man (or woman or whatever).
you can take a shell by --sql-shell option. For example in Kali:
sqlmap -u TARGET -D DBNAME --sql-shell
However,
some web application technologies do not support stacked queries on specic database management systems. For instance, PHP does not support stacked queries when the back-end DBMS is MySQL, but it does support when the back-end DBMS is PostgreSQL.
from sqlmap readme
