Terminal Docs 💫
Terminal DocsTerminal Docs
DocumentationLinuxWindowsNetworksPentesting NetworksPentesting LinuxPentesting WindowsPentesting Web
Cheatsheets

SQLMAP CheatSheet

CheatSheet

SQLMap is a powerful tool used for detecting and exploiting SQL injection vulnerabilities in web applications. Cheat sheet covering various SQLMap commands, options, and examples

Table of Contents

Basic Command Structure:

sqlmap [options]

Options:

  • -u <URL>, --url=<URL>: Target URL (e.g., http://example.com/page.php?id=1).
  • -r <RequestFile>, --file=<RequestFile>: Load HTTP request from a file.
  • -p <Parameter>, --param=<Parameter>: Inject into parameter (e.g., id).
  • --data=<Data>: POST data to send.
  • --cookie=<Cookie>: HTTP cookie header value.
  • --user-agent=<Agent>: HTTP user agent header value.
  • --referer=<Referer>: HTTP referer header value.
  • --headers=<Headers>: Extra headers (e.g., "Header1: Value1\nHeader2: Value2").
  • --proxy=<Proxy>: Use a proxy (e.g., "http://127.0.0.1:8080").
  • --random-agent: Use a random HTTP user agent.
  • --level=<Level>: Level of tests to perform (1-5, default: 1).
  • --risk=<Risk>: Risk of tests to perform (1-3, default: 1).
  • --batch: Run in batch mode (no user interaction).
  • --flush-session: Flush session files for current target.
  • --technique=<Technique>: SQL injection technique(s) to use (e.g., "U, T").
  • --string=<String>: String to match when querying the database.
  • --time-sec=<Seconds>: Seconds to wait before timeout (default: 5).

Detection and Enumeration:

  • --dbs: Enumerate databases.
  • --tables: Enumerate tables in the selected database.
  • --columns: Enumerate columns in the specified table.
  • --count: Retrieve the number of entries for a given parameter.
  • --users: Enumerate DBMS users.

Data Extraction:

  • -D <Database>, --database=<Database>: Database to enumerate.
  • -T <Table>, --table=<Table>: Table to enumerate.
  • -C <Columns>, --columns=<Columns>: Columns to retrieve.
  • --dump: Dump the data from the specified table.

Advanced Techniques:

  • --union: Use SQL UNION query injection.
  • --time-sec=<Seconds>: Seconds to delay between requests.
  • --comment=<Comment>: Use specified comment string.
  • --no-cast: Disable the usage of CAST() method.
  • --no-escape: Turn off string escaping.

Examples:

  1. Basic Scan:
sqlmap -u "http://example.com/page.php?id=1" --batch --dump
  1. Using a Request File:
sqlmap -r request.txt --batch --dump
  1. Enumerating Databases:
sqlmap -u "http://example.com/page.php?id=1" --batch --dbs
  1. Dumping a Specific Database Table:
sqlmap -u "http://example.com/page.php?id=1" --batch -D dbname -T table_name --dump
  1. Using Different Injection Techniques:
sqlmap -u "http://example.com/page.php?id=1" --batch --technique=U --time-sec=2 --dump
  1. Enumerating Columns in a Table:
sqlmap -u "http://example.com/page.php?id=1" --batch -D dbname -T table_name --columns
  1. Using a Proxy:
sqlmap -u "http://example.com/page.php?id=1" --proxy="http://127.0.0.1:8080" --batch --dump
  1. Extracting Specific Columns:
sqlmap -u "http://example.com/page.php?id=1" --batch -D dbname -T table_name -C "column1,column2" --dump
  1. Using Random User-Agent:
sqlmap -u "http://example.com/page.php?id=1" --random-agent --batch --dump
  1. Advanced Techniques with Delay:
sqlmap -u "http://example.com/page.php?id=1" --batch --technique=U --time-sec=5 --dump
  1. Enumerating DBMS Users:
sqlmap -u "http://example.com/page.php?id=1" --batch --users
  1. Disabling String Escaping:
sqlmap -u "http://example.com/page.php?id=1" --batch --no-escape --dump

Last updated on

NetExec CheatSheet

CheatSheet

On this page

Table of Contents
Basic Command Structure:
Options:
Detection and Enumeration:
Data Extraction:
Advanced Techniques:
Examples: