🕸️ SQLMap Cheat Sheet

System Requirements for SQLMap

SQLMap runs on Python versions 2.6, 2.7, and 3.x on Windows, macOS, and Linux.

Running SQLMap

You can run SQLMap using any of these commands:

python sqlmap.py

python3 sqlmap.py

py -2 sqlmap.py

py -3 sqlmap.py

sqlmap (on Kali Linux)

Password Cracking with SQLMap

Straightforward Method

Requirements: Read permissions on the target database.

You can enumerate password hashes for each user with the --passwords option. SQLMap will first enumerate the users, then attempt to crack the password hashes.

Indirect Method

If your target database is sufficiently vulnerable, you can look for a table containing user data (e.g., users) because passwords likely reside there.

Once SQLMap discovers a column of passwords, it will prompt you for:

Permission to crack the passwords

Whether to crack them via a dictionary-based attack

If the passwords are sufficiently insecure, answering "Y" to both prompts will yield meaningful output passwords.e the correct Python versions installed using:

Installation

Download Options

Tarball: Download here

Zipball: Download here

Git Clone (recommended):

This is also the preferred method to upgrade SQLMap on Kali Linux.

For advanced users, check the Git wiki.

Basic Usage

Command Structure

Overview of SQL Injection Attacks

Attack Categories

In-band

Out-of-band

Inferential (Blind)

Compound

In-Band (Classic) SQL Injection Attacks

In-band attacks allow the attacker to launch the attack and view results through the same channel, such as via a console shell or web application.

Four Main Techniques (use `--technique` option)

Error-based injections

Error messages leak information about database configurations, structure, and data

Union-based injections

Using UNION keywords to combine legitimate query results with attack results to extract data

Stacked queries (piggybacking)

Multiple SQL statements joined by semicolons sent in the same call to manipulate the server

Inline queries

Embedding partial SQL statements on server-side backend makes it vulnerable via client-side input

Out-of-Band SQL Injection Attacks

These attacks obtain data using a different channel than the one making the request. Examples include:

Receiving email with query results

Sending results to different web server via separate HTTP connection

Inferential (Blind) SQL Injection Attacks

These attacks change database behavior to reconstruct information.

Boolean Injections

Uses Boolean expressions like tautologies. Example:

Normal route: /product/279

Attack route: /product/279' OR 1=1

Since 1=1 always evaluates to TRUE, this reveals all products regardless of restrictions.

Time Delay Injections (Time-based attacks)

These attacks leave minimal traces and depend on the database pausing for a fixed time before responding. Time delay commands differ across SQL languages.

If the database isn't vulnerable, results load quickly despite specified time delays.

Compound SQL Injection Attacks

Combination of SQL injection with other cyberattacks such as:

Unauthorized access

Distributed Denial of Service (DDoS)

DNS hijacking

Cross-site scripting (XSS)

SQLMap Options

Mandatory Arguments

At least one of the following is required:

Option	Description
`-u URL, --url=URL`	Target URL
`-l LOGFILE`	Parse target(s) from Burp or WebScarab proxy log file
`-x SITEMAPURL`	Parse target(s) from remote sitemap(.xml) file
`-m BULKFILE`	Scan multiple targets given in textual file
`-r REQUESTFILE`	Load HTTP request from file
`-g GOOGLEDORK`	Process Google dork results as target URLs
`-c CONFIGFILE`	Load options from configuration INI file

General Options

Set general working parameters:

Option	Description
`-s SESSIONFILE`	Load session from stored (.sqlite) file
`-t TRAFFICFILE`	Log all HTTP traffic into textual file
`--batch`	Never ask for user input, use default behavior
`--binary-fields=..`	Result fields having binary values
`--check-internet`	Check Internet connection before assessing target
`--cleanup`	Clean up the DBMS from sqlmap specific UDF and tables
`--crawl=CRAWLDEPTH`	Crawl the website starting from target URL
`--crawl-exclude=..`	Regexp to exclude pages from crawling
`--csv-del=CSVDEL`	Delimiting character used in CSV output
`--charset=CHARSET`	Blind SQL injection charset
`--dump-format=..`	Format of dumped data
`--encoding=ENCODING`	Character encoding used for data retrieval
`--eta`	Display for each output the estimated time of arrival
`--flush-session`	Flush session files for current target
`--forms`	Parse and test forms on target URL
`--fresh-queries`	Ignore query results stored in session file
`--har=HARFILE`	Log all HTTP traffic into HAR file
`--hex`	Use hex conversion during data retrieval
`--output-dir=OUTPUT..`	Custom output directory path
`--parse-errors`	Parse and display DBMS error messages from responses
`--save=SAVECONFIG`	Save options to configuration INI file
`--scope=SCOPE`	Regexp to filter targets from provided proxy log
`--skip-urlencode`	Skip URL encoding of payload data
`--skip-heuristics`	Skip heuristic detection of vulnerabilities
`--skip-waf`	Skip heuristic detection of WAF/IPS protection
`--table-prefix=..`	Prefix used for temporary tables
`--test-filter=..`	Select tests by payloads and/or titles
`--test-skip=..`	Skip tests by payloads and/or titles
`--web-root=WEBROOT`	Web server document root directory

Request Options

Specify how to connect to the target URL:

Option	Description
`--data=DATA`	Data string to be sent through POST
`--param-del=PARAM..`	Character used for splitting parameter values
`--cookie=COOKIE`	HTTP Cookie header value
`--cookie-del=COOKIE..`	Character used for splitting cookie values
`--load-cookies=LOAD..`	File containing cookies in Netscape/wget format
`--drop-set-cookie`	Ignore Set-Cookie header from response
`--user-agent=AGENT`	HTTP User-Agent header value
`--random-agent`	Use randomly selected HTTP User-Agent header
`--host=HOST`	HTTP Host header value
`--referer=REFERER`	HTTP Referer header value
`-H HEADER, --header=..`	Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
`--headers=HEADERS`	Extra headers (e.g. "Accept-Language: fr\nETag: 123")
`--auth-type=AUTH..`	HTTP authentication type
`--auth-cred=AUTH..`	HTTP authentication credentials
`--auth-file=AUTH..`	HTTP authentication PEM cert/private key file
`--ignore-code=IGNORE..`	Ignore (problematic) HTTP error code
`--ignore-proxy`	Ignore system default proxy settings
`--ignore-redirects`	Ignore redirection attempts
`--ignore-timeouts`	Ignore connection timeouts
`--proxy=PROXY`	Use proxy to connect to target URL
`--proxy-cred=PROXY..`	Proxy authentication credentials
`--proxy-file=PROXY..`	Load proxy list from file
`--tor`	Use Tor anonymity network
`--tor-port=TORPORT`	Set Tor proxy port other than default
`--tor-type=TORTYPE`	Set Tor proxy type
`--check-tor`	Check to see if Tor is used properly
`--delay=DELAY`	Delay in seconds between each HTTP request
`--timeout=TIMEOUT`	Seconds to wait before timeout connection
`--retries=RETRIES`	Retries when connection times out
`--randomize=RPARAM`	Randomly change value for given parameter(s)
`--safe-url=SAFEURL`	URL address to visit frequently during testing
`--safe-post=SAFEPOST`	POST data to send to safe URL
`--safe-req=SAFEREQ`	Load safe HTTP request from file
`--safe-freq=SAFEFREQ`	Test requests between visits to safe URL
`--skip-urlencode`	Skip URL encoding of payload data
`--csrf-token=CSRF..`	Parameter used to hold anti-CSRF token
`--csrf-url=CSRFURL`	URL address to visit for extraction of anti-CSRF token
`--csrf-method=CSRF..`	HTTP method to use during anti-CSRF token page visit
`--force-ssl`	Force usage of SSL/HTTPS
`--chunked`	Use HTTP chunked transfer encoded (POST) requests
`--hpp`	Use HTTP parameter pollution method
`--eval=EVALCODE`	Evaluate provided Python code before request

Optimization Options

Optimize the performance of SQLMap:

Option	Description
`-o`	Turn on all optimization switches
`--predict-output`	Predict common queries output
`--keep-alive`	Use persistent HTTP(s) connections
`--null-connection`	Retrieve page length without actual HTTP response body
`--threads=THREADS`	Max number of concurrent HTTP(s) requests (default 1)

Injection Options

Specify the parameters to test against, custom injection payloads, and optional tampering scripts:

Option	Description
`-p TESTPARAMETER`	Testable parameter(s)
`--skip=SKIP`	Skip testing for given parameter(s)
`--skip-static`	Skip testing parameters that don't appear dynamic
`--param-exclude=..`	Regexp to exclude parameters from testing
`--param-filter=..`	Select testable parameter(s) by place
`--dbms=DBMS`	Force back-end DBMS to provided value
`--dbms-cred=DBMS..`	DBMS authentication credentials
`--os=OS`	Force back-end DBMS operating system
`--invalid-bignum`	Use big numbers for invalidating values
`--invalid-logical`	Use logical operations for invalidating values
`--invalid-string`	Use random strings for invalidating values
`--no-cast`	Turn off payload casting mechanism
`--no-escape`	Turn off string escaping mechanism
`--prefix=PREFIX`	Injection payload prefix string
`--suffix=SUFFIX`	Injection payload suffix string
`--tamper=TAMPER`	Use given script(s) for tampering injection data

Detection Options

Customize the detection phase of the SQL attack scan:

Option	Description
`--level=LEVEL`	Level of tests to perform (1-5, default 1)
`--risk=RISK`	Risk of tests to perform (1-3, default 1)
`--string=STRING`	String to match when query is evaluated to True
`--not-string=NOT..`	String to match when query is evaluated to False
`--regexp=REGEXP`	Regexp to match when query is evaluated to True
`--code=CODE`	HTTP code to match when query is evaluated to True
`--smart`	Conduct thorough tests only if positive heuristic(s)
`--text-only`	Compare pages based only on textual content
`--titles`	Compare pages based only on their titles

Techniques Options

Tweak testing of specific SQL injection techniques:

Option	Description
`--technique=TECH`	SQL injection techniques to use (default "BEUSTQ")
`--time-sec=TIMESEC`	Seconds to delay DBMS response (default 5)
`--union-cols=UCOLS`	Range of columns to test for UNION query SQL injection
`--union-char=UCHAR`	Character to use for bruteforcing number of columns
`--union-from=UFROM`	Table to use in FROM part of UNION query SQL injection
`--dns-domain=DNS..`	Domain name used for DNS exfiltration attack
`--second-url=SECOND..`	Resulting page URL searched for second-order response
`--second-req=SECOND..`	Load second-order HTTP request from file

Fingerprint Options

Assess a database before attacking it:

Option	Description
`-f, --fingerprint`	Perform an extensive DBMS version fingerprint

Running a SQL Injection Attack Scan with SQLMap

Three Basic Steps

Conduct reconnaissance on a database using mandatory target arguments and fingerprinting

Discover potential vulnerabilities by enumerating the database contents

Run tests of different SQL injection attacks to determine the extent of vulnerabilities. Repeat steps 2-3 as needed.

Getting Database Information

List Databases and Tables

Use enumeration options to scan SQL databases:

--dbs - Get a list of databases

--tables - Get tables and their schema

--schema - Get database schema

--columns - Get column information

Example: Basic Database Enumeration

Exploit a vulnerability in the id parameter using cookie session to return database tables:

Example: Column Enumeration

Narrow down the exploit to the users table columns:

Enumeration Options

These options enumerate configuration information, structure and data contained in the target database:

Option	Description
`-a, --all`	Retrieve everything
`-b, --banner`	Retrieve DBMS banner
`--current-user`	Retrieve DBMS current user
`--current-db`	Retrieve DBMS current database
`--hostname`	Retrieve DBMS server hostname
`--is-dba`	Detect if current user is DBA
`--users`	Enumerate DBMS users
`--passwords`	Enumerate DBMS users password hashes
`--privileges`	Enumerate DBMS users privileges
`--roles`	Enumerate DBMS users roles
`--dbs`	Enumerate DBMS databases
`--tables`	Enumerate DBMS database tables
`--columns`	Enumerate DBMS database table columns
`--schema`	Enumerate DBMS schema
`--count`	Retrieve number of entries for table(s)
`--dump`	Dump DBMS database table entries
`--dump-all`	Dump all DBMS databases tables entries
`--search`	Search column(s), table(s) and/or database name(s)
`--comments`	Check for DBMS comments during enumeration
`--statements`	Retrieve SQL statements being run on DBMS
`-D DB`	DBMS database to enumerate
`-T TBL`	DBMS database table(s) to enumerate
`-C COL`	DBMS database table column(s) to enumerate
`-X EXCLUDE`	DBMS database identifier(s) to not enumerate
`-U USER`	DBMS user to enumerate
`--exclude-sysdbs`	Exclude DBMS system databases when enumerating tables
`--pivot-column=P..`	Pivot column name
`--where=DUMPWHERE`	Use WHERE condition while table dumping
`--start=LIMITSTART`	First dump table entry to retrieve
`--stop=LIMITSTOP`	Last dump table entry to retrieve
`--first=FIRSTCHAR`	First query output word character to retrieve
`--last=LASTCHAR`	Last query output word character to retrieve
`--sql-query=QUERY`	SQL statement to be executed
`--sql-shell`	Prompt for an interactive SQL shell
`--sql-file=SQLFILE`	Execute SQL statements from given file(s)

Brute Force Options

Guess whether the database contains common names for tables, columns, and files:

Option	Description
`--common-tables`	Check existence of common tables
`--common-columns`	Check existence of common columns
`--common-files`	Check existence of common files

Password Cracking with Sqlmap
Straightforward Method
This requires read permissions on the target database. In
this case, you could enumerate the password hashes for each user with
the --passwordsoption. sqlmap will first enumerate the users, then
attempt to crack the password hashes.

Indirect Method

If your target database is sufficiently vulnerable, you can look for a
table containing user data (e.g., users) because passwords likely
reside there.
Once sqlmap discovers a column of passwords, it will prompt you for
permission to crack the passwords, followed by a prompt on whether or
not to crack them via a dictionary-based attack. If the passwords are
sufficiently insecure, a “Y” to both prompts will yield meaningful
output passwords.

SQLMap Source Code Structure

View the source code of SQLMap on GitHub.

Important SQLMap Directories

You can customize your SQLMap experience by adding or editing files in these directories:

Directory	Description
`/data/`	Contains wordlists, XML files, and other data files
`/extra/`	Contains extra tools and utilities
`/lib/`	Contains the core library files
`/plugins/`	Contains DBMS-specific plugins
`/tamper/`	Contains tamper scripts for bypassing filters
`/txt/`	Contains text files with common names, etc.
`/xml/`	Contains XML files with payloads and detection rules

Test Levels and Risk Settings

Test Levels

Check your database against particular SQL injection attacks by setting test --level values to dictate the volume of tests to perform:

Level	Description
`--level=1`	Limited number of tests (default)
`--level=2`	More tests including cookie testing
`--level=3`	Tests include User-Agent and Referer headers
`--level=4`	Tests include additional HTTP headers
`--level=5`	Maximum number of tests

Risk Levels

SQLMap SQL injection payloads are usually harmless, but if you want to test your database thoroughly, --risk is the option to use:

Risk	Description
`--risk=1`	Default risk level
`--risk=2`	Adds heavy time-based SQL queries
`--risk=3`	Adds OR-based SQL injection queries

Verbosity Levels

These integer levels (0-6) are for troubleshooting and to see what SQLMap is doing under the hood:

Level	Description
`-v 0`	Show only Python tracebacks, error and critical messages
`-v 1`	Show also warning and info messages (default)
`-v 2`	Show also debug messages
`-v 3`	Show also payloads injected
`-v 4`	Show also HTTP requests
`-v 5`	Show also HTTP responses headers
`-v 6`	Show also HTTP responses page content

Tamper Scripts

Tamper scripts are for bypassing security controls, such as Web Application Firewalls (WAFs) and Intrusion Prevention Systems. There are at least 60 scripts by default, but you can add custom ones.

Useful Tamper Script Commands

Script	Description
`--tamper=apostrophemask`	Replaces apostrophe character with its UTF-8 full width counterpart
`--tamper=base64encode`	Base64 encodes all characters in payload
`--tamper=between`	Replaces greater than operator (>) with 'NOT BETWEEN 0 AND #'
`--tamper=charencode`	URL-encodes all characters in payload
`--tamper=charunicodeencode`	Unicode-URL-encodes all characters in payload

Default Tamper Script Categories

Character encoding - Encode characters to bypass filters

Case modification - Change case of keywords

Comment insertion - Insert SQL comments to break parsing

Keyword replacement - Replace blocked keywords with alternatives

This SQLMap cheat sheet provides comprehensive coverage of the most important options and techniques for SQL injection testing. For the most up-to-date information, always refer to the Official SQLMap Documentation.

🕸️ SQLMap Cheat Sheet

System Requirements for SQLMap#

Running SQLMap#

Password Cracking with SQLMap#

Straightforward Method#

Indirect Method#

Installation#

Download Options#

Basic Usage#

Command Structure#

Overview of SQL Injection Attacks#

Attack Categories#

In-Band (Classic) SQL Injection Attacks#

Four Main Techniques (use --technique option)#

Out-of-Band SQL Injection Attacks#

Inferential (Blind) SQL Injection Attacks#

Boolean Injections#

Time Delay Injections (Time-based attacks)#

Compound SQL Injection Attacks#

SQLMap Options#

Mandatory Arguments#

General Options#

Request Options#

Optimization Options#

Injection Options#

Detection Options#

Techniques Options#

Fingerprint Options#

Running a SQL Injection Attack Scan with SQLMap#

Three Basic Steps#

Getting Database Information#

List Databases and Tables#

Example: Basic Database Enumeration#

Example: Column Enumeration#

Enumeration Options#

Brute Force Options#

Indirect Method#

SQLMap Source Code Structure#

Important SQLMap Directories#

Test Levels and Risk Settings#

Test Levels#

Risk Levels#

Verbosity Levels#

Tamper Scripts#

Useful Tamper Script Commands#

Default Tamper Script Categories#

System Requirements for SQLMap

Running SQLMap

Password Cracking with SQLMap

Straightforward Method

Indirect Method

Installation

Download Options

Basic Usage

Command Structure

Overview of SQL Injection Attacks

Attack Categories

In-Band (Classic) SQL Injection Attacks

Four Main Techniques (use `--technique` option)

Out-of-Band SQL Injection Attacks

Inferential (Blind) SQL Injection Attacks

Boolean Injections

Time Delay Injections (Time-based attacks)

Compound SQL Injection Attacks

SQLMap Options

Mandatory Arguments

General Options

Request Options

Optimization Options

Injection Options

Detection Options

Techniques Options

Fingerprint Options

Running a SQL Injection Attack Scan with SQLMap

Three Basic Steps

Getting Database Information

List Databases and Tables

Example: Basic Database Enumeration

Example: Column Enumeration

Enumeration Options

Brute Force Options

Indirect Method

SQLMap Source Code Structure

Important SQLMap Directories

Test Levels and Risk Settings

Test Levels

Risk Levels

Verbosity Levels

Tamper Scripts

Useful Tamper Script Commands

Default Tamper Script Categories