What is SQLMap?
SQLMap is a SQL Injection automation tool that is finds and exploits SQL Injection vulnerabilities. SQLMap has a number of functionality that can assist from fingerprinting to fully compromising a database and/or in some cases gaining shell level access to a server. If you do not have a current understanding of the fundamentals of how a SQL injection vulnerability occurs or is exploited, see our documentation on what is SQL injection for an overview.
TIP: How To Use SQLMap
I personally use SQLMap as an exploitation tool, due to the large amount of resources and traffic the tool uses I personally find that detection is better done manually or using other detection tools such as Burp Suite scanner.
How to use SQLMap
SQLMap could be used within an automation system to detect and exploit SQL injection (SQLi) vulnerabilities in web applications, or as a SQLi exploitation tool to use after a proof of concept SQLi payload has been confirmed.
WARNING: SQLMap Usage
Depending on the configuration SQLMap can be very heavy on request sent to a web application, and may cause DoS conditions for webservers and cause an excessive amount of log files for the target.
The more information you can give SQLMap the faster and less requests the tool will make, for example if you know the backend DBMS is MySQL and it is vulnerable to time based injection, then this could be provided to SQLMap using --dbms=mysql
and –technique=T
.
How to Install SQLMap
Install SQLMap via github:
How to Update SQLMap
How to update SQLMap:
or cd into the github repo director and do:
- What is SQLMap?
- How to use SQLMap
- How to Install SQLMap
- How to Update SQLMap
- SQLMap Commands
- SQLMap Options
- SQLMap Target
- SQLMap Requests
- SQLMap Optimisation
- SQLMap Injection
- SQLMap Detection
- SQLMap Techniques
- SQLMap Fingerprinting
- SQLMap Enumeration
- SQLMap Brute Force
- SQLMap Custom User Defined Options
- SQLMap File System Options
- SQLMap Operating System Access
- SQLMap Windows Registry Access
- General SQLMap Commands
- Misc SQLMap Commands
- SQLMap Examples: How To…
- Enumerate Databases
- Enumerate Tables
- SQLMap Dump DB Table
- SQLMap from Burp file
- Custom SQL Injection Payload: Pre and Post Input
- SQLMap Cookie
- SQLMap Shell
- SQLMap WAF Bypass
- SQLMap Proxy
- SQLMap Blind SQLi Out of Band (OOB)
- SQLMap GET Parameter
- SQLMap POST Parameter
- Run SQL Queries
- URL Parameters in Friendly URL’s
- SQLMap Crawl & Exploit
- Document Changelog
SQLMap Commands
SQLMap Options
Basic SQLMap command options:
COMMAND | DESCRIPTION |
---|---|
|
Show basic help message and exit |
|
Show advanced help message and exit |
|
Show program's version number and exit |
|
Verbosity level: 0-6 (default 1) |
SQLMap Target
SQLMap target command options:
COMMAND | DESCRIPTION |
---|---|
|
Target URL (e.g. "http://www.site.com/vuln.php?id=1") |
|
Connection string for direct database connection |
|
Parse target(s) from Burp or WebScarab proxy log file |
|
Scan multiple targets given in a textual file |
|
Load HTTP request from a file |
|
Process Google dork results as target URLs |
|
Load options from a configuration INI file |
SQLMap Requests
SQLMap request command options:
COMMAND | DESCRIPTION |
---|---|
|
HTTP User-Agent header value |
|
Extra header (e.g. "X-Forwarded-For: 127.0.0.1") |
|
Force usage of given HTTP method (e.g. PUT) |
|
Data string to be sent through POST (e.g. "id=1") |
|
Character used for splitting parameter values (e.g. &) |
|
HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..") |
|
Character used for splitting cookie values (e.g. ;) |
|
Live cookies file used for loading up-to-date values |
|
File containing cookies in Netscape/wget format |
|
Ignore Set-Cookie header from response |
|
Imitate smartphone through HTTP User-Agent header |
|
Use randomly selected HTTP User-Agent header value |
|
HTTP Host header value |
|
HTTP Referer header value |
|
Extra headers (e.g. "Accept-Language: fr\nETag: 123") |
|
HTTP authentication type (Basic, Digest, NTLM or PKI) |
|
HTTP authentication credentials (name:password) |
|
HTTP authentication PEM cert/private key file |
|
Ignore (problematic) HTTP error code (e.g. 401) |
|
Ignore system default proxy settings |
|
Ignore redirection attempts |
|
Ignore connection timeouts |
|
Use a proxy to connect to the target URL |
|
Proxy authentication credentials (name:password) |
|
Load proxy list from a file |
|
Requests between change of proxy from a given list |
|
Use Tor anonymity network |
|
Set Tor proxy port other than default |
|
Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default)) |
|
Check to see if Tor is used properly |
|
Delay in seconds between each HTTP request |
|
Seconds to wait before timeout connection (default 30) |
|
Retries when the connection timeouts (default 3) |
|
Randomly change value for given parameter(s) |
|
URL address to visit frequently during testing |
|
POST data to send to a safe URL |
|
Load safe HTTP request from a file |
|
Regular requests between visits to a safe URL |
|
Skip URL encoding of payload data |
|
Parameter used to hold anti-CSRF token |
|
URL address to visit for extraction of anti-CSRF token |
|
HTTP method to use during anti-CSRF token page visit |
|
Retries for anti-CSRF token retrieval (default 0) |
|
Force usage of SSL/HTTPS |
|
Use HTTP chunked transfer encoded (POST) requests |
|
Use HTTP parameter pollution method |
|
Evaluate provided Python code before the request (e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()") |
SQLMap Optimisation
SQLMap optimisation command options:
COMMAND | DESCRIPTION |
---|---|
|
Turn on all optimization switches |
|
Predict common queries output |
|
Use persistent HTTP(s) connections |
|
Retrieve page length without actual HTTP response body |
|
Max number of concurrent HTTP(s) requests (default 1) |
SQLMap Injection
SQLMap injection command options:
COMMAND | DESCRIPTION |
---|---|
|
Testable parameter(s) |
|
Skip testing for given parameter(s) |
|
Skip testing parameters that not appear to be dynamic |
|
Regexp to exclude parameters from testing (e.g. "ses") |
|
Select testable parameter(s) by place (e.g. "POST") |
|
Force back-end DBMS to provided value |
|
DBMS authentication credentials (user:password) |
|
Force back-end DBMS operating system to provided value |
|
Use big numbers for invalidating values |
|
Use logical operations for invalidating values |
|
Use random strings for invalidating values |
|
Turn off payload casting mechanism |
|
Turn off string escaping mechanism |
|
Injection payload prefix string |
|
Injection payload suffix string |
|
Use given script(s) for tampering injection data |
SQLMap Detection
SQLMap detection command options:
COMMAND | DESCRIPTION |
---|---|
|
Level of tests to perform (1-5, default 1) |
|
Risk of tests to perform (1-3, default 1) |
|
String to match when query is evaluated to True |
|
String to match when query is evaluated to False |
|
Regexp to match when query is evaluated to True |
|
HTTP code to match when query is evaluated to True |
|
Perform thorough tests only if positive heuristic(s) |
|
Compare pages based only on the textual content |
|
Compare pages based only on their titles |
SQLMap Techniques
SQLMap technique command options:
COMMAND | DESCRIPTION |
---|---|
|
SQL injection techniques to use (default "BEUSTQ") |
|
Seconds to delay the DBMS response (default 5) |
|
Range of columns to test for UNION query SQL injection |
|
Character to use for bruteforcing number of columns |
|
Table to use in FROM part of UNION query SQL injection |
|
Domain name used for DNS exfiltration attack |
|
Resulting page URL searched for second-order response |
|
Load second-order HTTP request from file |
SQLMap Fingerprinting
SQLMap fingerprint command options:
COMMAND | DESCRIPTION |
---|---|
|
Perform an extensive DBMS version fingerprint |
SQLMap Enumeration
SQLMap enumeration command options:
COMMAND | DESCRIPTION |
---|---|
|
Retrieve everything |
|
Retrieve DBMS banner |
|
Retrieve DBMS current user |
|
Retrieve DBMS current database |
|
Retrieve DBMS server hostname |
|
Detect if the DBMS current user is DBA |
|
Enumerate DBMS users |
|
Enumerate DBMS users password hashes |
|
Enumerate DBMS users privileges |
|
Enumerate DBMS users roles |
|
Enumerate DBMS databases |
|
Enumerate DBMS database tables |
|
Enumerate DBMS database table columns |
|
Enumerate DBMS schema |
|
Retrieve number of entries for table(s) |
|
Dump DBMS database table entries |
|
Dump all DBMS databases tables entries |
|
Search column(s), table(s) and/or database name(s) |
|
Check for DBMS comments during enumeration |
|
Retrieve SQL statements being run on DBMS |
|
DBMS database to enumerate |
|
DBMS database table(s) to enumerate |
|
DBMS database table column(s) to enumerate |
|
DBMS database identifier(s) to not enumerate |
|
DBMS user to enumerate |
|
Exclude DBMS system databases when enumerating tables |
|
Pivot column name |
|
Use WHERE condition while table dumping |
|
First dump table entry to retrieve |
|
Last dump table entry to retrieve |
|
First query output word character to retrieve |
|
Last query output word character to retrieve |
|
SQL statement to be executed |
|
Prompt for an interactive SQL shell |
|
Execute SQL statements from given file(s) |
SQLMap Brute Force
SQLMap brute force command options:
COMMAND | DESCRIPTION |
---|---|
|
Check existence of common tables |
|
Check existence of common columns |
|
Check existence of common files |
SQLMap Custom User Defined Options
SQLMap custom command options:
COMMAND | DESCRIPTION |
---|---|
|
Inject custom user-defined functions |
|
Local path of the shared library |
SQLMap File System Options
SQLMap file system command options, e.g., how to read a file from the command line using SQLMap:
COMMAND | DESCRIPTION |
---|---|
|
Read a file from the back-end DBMS file system |
|
Write a local file on the back-end DBMS file system |
|
Back-end DBMS absolute filepath to write to |
SQLMap Operating System Access
SQLMap OS command options, e.g., how to gain a shell via SQLMap:
COMMAND | DESCRIPTION |
---|---|
|
Execute an operating system command |
|
Prompt for an interactive operating system shell |
|
Prompt for an OOB shell, Meterpreter or VNC |
|
One click prompt for an OOB shell, Meterpreter or VNC |
|
Stored procedure buffer overflow exploitation |
|
Database process user privilege escalation |
|
Local path where Metasploit Framework is installed |
|
Remote absolute path of temporary files directory |
SQLMap Windows Registry Access
COMMAND | DESCRIPTION |
---|---|
|
Read a Windows registry key value |
|
Write a Windows registry key value data |
|
Delete a Windows registry key value |
|
Windows registry key |
|
Windows registry key value |
|
Windows registry key value data |
|
Windows registry key value type |
General SQLMap Commands
SQLMap general command options:
COMMAND | DESCRIPTION |
---|---|
|
Load session from a stored (.sqlite) file |
|
Log all HTTP traffic into a textual file |
|
Set predefined answers (e.g. "quit=N,follow=N") |
|
Parameter(s) containing Base64 encoded data |
|
Use URL and filename safe Base64 alphabet (RFC 4648) |
|
Never ask for user input, use the default behavior |
|
Result fields having binary values (e.g. "digest") |
|
Check Internet connection before assessing the target |
|
Clean up the DBMS from sqlmap specific UDF and tables |
|
Crawl the website starting from the target URL |
|
Regexp to exclude pages from crawling (e.g. "logout") |
|
Delimiting character used in CSV output (default ",") |
|
Blind SQL injection charset (e.g. "0123456789abcdef") |
|
Format of dumped data (CSV (default), HTML or SQLITE) |
|
Character encoding used for data retrieval (e.g. GBK) |
|
Display for each output the estimated time of arrival |
|
Flush session files for current target |
|
Parse and test forms on target URL |
|
Ignore query results stored in session file |
|
Use Google dork results from specified page number |
|
Log all HTTP traffic into a HAR file |
|
Use hex conversion during data retrieval |
|
Custom output directory path |
|
Parse and display DBMS error messages from responses |
|
Use given script(s) for preprocessing (request) |
|
Use given script(s) for postprocessing (response) |
|
Redump entries having unknown character marker (?) |
|
Save options to a configuration INI file |
|
Regexp for filtering targets |
|
Skip heuristic detection of SQLi/XSS vulnerabilities |
|
Skip heuristic detection of WAF/IPS protection |
|
Prefix used for temporary tables (default: "sqlmap") |
|
Select tests by payloads and/or titles (e.g. ROW) |
|
Skip tests by payloads and/or titles (e.g. BENCHMARK) |
|
Web server document root directory (e.g. "/var/www") |
Misc SQLMap Commands
SQLMap commands that don’t fit into any other category :)
COMMAND | DESCRIPTION |
---|---|
|
Use short mnemonics (e.g. "flu,bat,ban,tec=EU") |
|
Run host OS command(s) when SQL injection is found |
|
Beep on question and/or when SQLi/XSS/FI is found |
|
Check for missing (optional) sqlmap dependencies |
|
Disable console output coloring |
|
Display list of available tamper scripts |
|
Work in offline mode (only use session data) |
|
Safely remove all content from sqlmap data directory |
|
Location of CSV results file in multiple targets mode |
|
Prompt for an interactive sqlmap shell |
|
Local directory for storing temporary files |
|
Adjust options for unstable connections |
|
Update sqlmap |
|
Simple wizard interface for beginner users |
SQLMap Examples: How To…
Enumerate Databases
How to enumerate the databases tables using SQLMap:
Enumerate Tables
How to enumerate the database tables using SQLMap:
SQLMap Dump DB Table
How to dump the contents of the table using SQLMap:
SQLMap from Burp file
Save a Burp or Zap request file and mark the injection point(s) parameters with an asterisk (*), the good thing about this option is that it takes care of any authentication cookies for you. You can inject into any parameter in the request, e.g., headers, inside cookies, and using multiple methods (GET, PUT, POST, DELETE) etc.
Custom SQL Injection Payload: Pre and Post Input
In a scenario where you have identified a SQL injection manually or via another tool, you may need to suffix (have input entered before the SQL injection payload) or postfix (have input inserted after the injection payload), this can be accomplished using the following:
How to insert input before an injection payload:
How to insert input after an injection payload:
SQLMap Cookie
SQLMap Shell
How to get an operating system command shell with SQLMap:
How to execute a command with SQLMap:
Meterpreter Shell with SQLMap:
SQLMap WAF Bypass
To bypass WAF’s with SQLMap you can use the premade tamper scripts with --tamper
like in the following example:
Tamper Scripts Send a LOT of Requests
Tamper scripts will resend the same request for each of the SQLMap WAF bypass scripts that you add.
List of SQLMap Tamper Scripts:
Tamper | Description | ||
---|---|---|---|
apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart | ||
apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart | ||
appendnullbyte.py | Appends encoded NULL byte character at the end of payload | ||
base64encode.py | Base64 all characters in a given payload | ||
between.py | Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ | ||
bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator | ||
chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) | ||
commalesslimit.py | Replaces instances like ‘LIMIT M, N’ with ‘LIMIT N OFFSET M’ | ||
commalessmid.py | Replaces instances like ‘MID(A, B, C)’ with ‘MID(A FROM B FOR C)’ | ||
concat2concatws.py | Replaces instances like ‘CONCAT(A, B)’ with ‘CONCAT_WS(MID(CHAR(0), 0, 0), A, B)’ | ||
charencode.py | Url-encodes all characters in a given payload (not processing already encoded) | ||
charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) | ||
equaltolike.py | Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ | ||
escapequotes.py | Slash escape quotes (‘ and “) | ||
greatest.py | Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart | ||
halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword | ||
ifnull2ifisnull.py | Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’ | ||
modsecurityversioned.py | Embraces complete query with versioned comment | ||
modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment | ||
multiplespaces.py | Adds multiple spaces around SQL keywords | ||
nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace(“SELECT”, “”)) filters | ||
percentage.py | Adds a percentage sign (‘%’) infront of each character | ||
overlongutf8.py | Converts all characters in a given payload (not processing already encoded) | ||
randomcase.py | Replaces each keyword character with random case value | ||
randomcomments.py | Add random comments to SQL keywords | ||
securesphere.py | Appends special crafted string | ||
sp_password.py | Appends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logs | ||
space2comment.py | Replaces space character (‘ ‘) with comments | ||
space2dash.py | Replaces space character (‘ ‘) with a dash comment (‘–’) followed by a random string and a new line (‘\n’) | ||
space2hash.py | Replaces space character (‘ ‘) with a pound character (‘#’) followed by a random string and a new line (‘\n’) | ||
space2morehash.py | Replaces space character (‘ ‘) with a pound character (‘#’) followed by a random string and a new line (‘\n’) | ||
space2mssqlblank.py | Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters | ||
space2mssqlhash.py | Replaces space character (‘ ‘) with a pound character (‘#’) followed by a new line (‘\n’) | ||
space2mysqlblank.py | Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters | ||
space2mysqldash.py | Replaces space character (‘ ‘) with a dash comment (‘–’) followed by a new line (‘\n’) | ||
space2plus.py | Replaces space character (‘ ‘) with plus (‘+’) | ||
space2randomblank.py | Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters | ||
symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and | ) | |
unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT | ||
unmagicquotes.py | Replaces quote character (‘) with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) | ||
uppercase.py | Replaces each keyword character with upper case value ‘INSERT’ | ||
varnish.py | Append a HTTP header ‘X-originating-IP’ | ||
versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment | ||
versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment | ||
xforwardedfor.py | Append a fake HTTP header ‘X-Forwarded-For’ |
SQLMap Proxy
It is possible to proxy SQLMap traffic via an upstream proxy such as Burp Suite by passing the following syntax to the tool:
Burp Proxy Performance Hit
In my experience using Burp Suite as a Proxy for this process results in a considerable slow down in performance.
SQLMap Blind SQLi Out of Band (OOB)
SQLMap GET Parameter
The following specifies the GET parameter “espresso” for injection:
SQLMap POST Parameter
The following specifies the POST parameter “espresso” for injection:
Run SQL Queries
You can run a SQL query using –sql-query for example:
URL Parameters in Friendly URL’s
Simply mark them with an asterisk(*), for example:
The above would set the injection point at parameter1.
SQLMap Crawl & Exploit
Useful for automation, however please be mindful of the overheads you are imposing on the target server:
You will need to replace your collaborator payloads URL, and I highly recommend you setup your own collaborator server for this.
If you found this SQLMap cheat sheet useful, please share it below.
Document Changelog
- Last Updated: 12/02/2024 (12th of February 2024)
- Author: Arr0way
- Notes: SQLMap cheat sheet created.