sqlmap is a penetration testing tool for SQL injection (SQLi). It automates the detection and exploitation of SQLi flaws and database server hijacking. This makes penetration testing much more efficient, but sqlmap’s vast documentation can make learning sqlmap a daunting task. A mini-reference would help you focus on essential commands.
On top of that, a bird’s-eye view of how you conduct your penetration tests helps you to prioritize your computing resources. It’s undesirable to drown in the technical minutiae trying to locate the right commands to issue.
This cheat sheet is the mini-reference for sqlmap learners of all stages, and it provides the bird’s-eye view you need to build your testing strategy. The latter is especially crucial when Google Dorking (mentioned below) as you must stay within query limits; redundant queries can cause your IP address to be blacklisted.
You may download the PDF version of this cheat sheet here.
- System Requirements for Sqlmap
- Install Sqlmap
- Checking for SQLi Vulnerabilities
- Overview of SQLi Attacks
- Sqlmap Options
- Running a SQLi Attack Scan with Sqlmap
- Get a List of Databases on Your System and Their Tables
- Password Cracking with Sqlmap
- Sqlmap’s Source Code Structure and How to Navigate It
- Important and Useful Sqlmap Directories
- Test –levels and Their Impact on Your Commands
- Verbosity Levels
- Tamper Scripts and Their Actions
- Frequently Asked Questions
System Requirements for Sqlmap
sqlmap runs on Python versions 2.6, 2.7, and 3 on Windows, macOS, and Linux.
From this point onward, we will simply use sqlmap to represent any of these choices:
py -2 sqlmap.py
py -3 sqlmap.py
- (Kali Linux)
Check that you have the correct Python versions installed in your command line console or terminal using
Download sqlmap below:
- tarball here;
- zipball here.
- cloning the Git repository:
git clone --depth 1
This is also the preferred method to upgrade sqlmap on Kali Linux.
The Git wiki has information for advanced sqlmap users.
Checking for SQLi Vulnerabilities
How to use sqlmap in the command line:
sqlmap [mandatory arguments and values required] [options and values where applicable]
Overview of SQLi Attacks
Categories of SQLi attacks include:
- Inferential (or Blind)
In-Band (or Classic) SQLi Attacks
In in-band attacks, the attacker can launch the attack and view results through the same channel (band), such as via a console shell or web application. The four most popular in-band injection techniques are error-based, union-based, stacked queries, and inline queries. (sqlmap option:
Error messages displayed in the console or application leak information about the database configurations, structure, and data.
Using UNION and associated keywords, the attacker combines the results from a legitimate query with those from an attack to extract data, such as by matching user data with location history.
Stacked queries (piggybacking)
The attacker sends multiple SQL statements joined by a semicolon in the same call to the database server to change the data within or manipulate the server.
Embedding partial SQL statements on the server-side backend makes the server vulnerable to SQLi via client-side input.
Out-of-Band SQLi Attacks
Out-of-band attacks obtain data using a channel (band) other than the one making the request. Examples include receiving an email containing query results and sending results to a different web server using a separate HTTP connection.
Inferential (or Blind) SQLi Attacks
These involve changing the database behavior to reconstruct information.
This inferential attack involves Boolean expressions, such as tautologies. If you are visiting an e-commerce website, you might obtain a product page via the route /product/279, which translates to this query string in the backend:
SELECT * FROM products WHERE id='279';
But append a tautological statement to the route to get /product/279’%20or%201=1:
SELECT * FROM products WHERE id='279' OR 1=1;
1=1 must evaluate to TRUE, you can see all products regardless of the limitations the vendor has placed on them, such as unannounced or out-of-stock inventory.
Time delay injections (time-based attacks)
This inferential attack leaves negligible traces of penetration on the database logs during the exploration of an unknown database. Such attacks depend on the database pausing for a fixed time before responding, and the injected time delay command differs across SQL languages.
If the database is not vulnerable to a time-based attack, the results will load quickly despite the time delay specified.
Compound SQLi Attacks
Compound SQLi attacks refer to SQLi attacks plus other cyberattacks, such as unauthorized access, distributed denial of service (DDoS), domain name server (DNS) hijacking, and cross-site scripting (XSS). The details of the other attacks are beyond the scope of this cheat sheet.
At least one of the following is necessary for the sqlmap command to run:
|Show sqlmap version number|
|Set verbosity level where |
|Simple wizard interface for beginner users|
|Prompt for an interactive sqlmap shell; inside the shell, omit |
|Update sqlmap to the latest version|
|Safely remove all content from sqlmap data directory|
|Display list of available tamper scripts|
|Check for missing (optional) sqlmap dependencies|
|Specify target |
|Process Google dork results as target URLs: you input as Google dorking queries, and you obtain URL results on which you run sqlmap.|
Overusing this command leads to the following warning:
|Specify connection string for direct database connection|
|Scan multiple targets listed in textual file |
|Parse target(s) from Burp or WebScarab proxy log file |
|Load HTTP request from textual file |
|Load options from a configuration file (extension .|
Set general working parameters.
|Never ask for user input, use the default behavior|
|Set predefined answers: parameters are substring(s) of question prompt(s); join multiple answers with a comma. You may use this with |
|Flush session files for current target|
|Crawl (collect links of) the website starting from the target URL|
|Regular expression to exclude pages from being crawled (e.g. |
|Delimiting character used in CSV output (default “,”)|
|Blind SQLi charset (e.g. |
|Format of dumped data (CSV (default), HTML or SQLITE)|
|Character encoding used for data retrieval (e.g. GBK)|
|Display for each output the estimated time of arrival|
|Flush session files for current target|
|Custom output directory path|
|Parse and display DBMS error messages from responses|
|Use given script(s) for preprocessing (request)|
|Use given script(s) for postprocessing (response)|
|Redump entries having unknown character marker (denoted by “?” character)|
|Save options to a configuration INI file|
|Regular expression for filtering targets|
|Skip heuristic detection of vulnerabilities|
|Skip heuristic detection of WAF/IPS protection|
|Web server document root directory (e.g. |
Specify how to connect to the target URL.
|Data string to be sent through POST (e.g. |
|HTTP Cookie header value (e.g. |
|Use randomly selected HTTP User-Agent header value|
|Use a proxy to connect to the target URL|
|Use Tor anonymity network|
|Check to see if Tor is used properly|
Optimize the performance of sqlmap.
|Turn on all optimization switches|
|Predict common queries output|
|Use persistent HTTP(s) connections|
|Retrieve page length without actual HTTP response body|
|Maximum number of concurrent HTTP(s) requests (default 1)|
Specify the parameters to test against, custom injection payloads, and optional tampering scripts.
|Testable parameter(s) (e.g. |
|Skip testing for given parameter(s) (e.g. |
|Skip testing parameters that do not appear to be dynamic|
|Regular expression to exclude parameters |
|Select testable parameter(s) |
|Force back-end DBMS to use the given|
|DBMS authentication credentials |
|Force back-end DBMS operating system to the value of |
|Use big numbers for invalidating values|
|Use logical operations for invalidating values|
|Use random strings for invalidating values|
|Turn off payload casting mechanism|
|Turn off string escaping mechanism|
|Injection payload prefix string |
|Injection payload suffix string |
|Use given script(s) TAMPER for tampering injection data|
Customize the detection phase of the SQL attack scan.
|Level of tests to perform (|
|Risk of tests to perform (|
|String to match when query returns True|
|String to match when query returns False|
|Regular expression to match when query returns True|
|HTTP code to match when query returns True|
|Perform thorough tests only if positive heuristic(s)|
|Compare pages based only on the textual content|
|Compare pages based only on their titles|
Tweak testing of specific SQLi techniques.
|SQLi techniques to use (default “|
|Seconds to delay the DBMS response (default 5)|
|Range of columns to test for UNION query SQLi|
|Character to use to guess the number of columns by brute force|
|Table to use in FROM part of UNION query SQLi|
|Domain name used for DNS exfiltration attack|
|Resulting page URL searched for second-order response|
|Load second-order HTTP request from file|
Assess a database before attacking it.
|Perform an extensive DBMS version fingerprint|
Running a SQLi Attack Scan with Sqlmap
Three basic steps underlie a SQLi attack scan:
- Conduct reconnaissance on a database using mandatory target arguments and fingerprinting.
- Discover potential vulnerabilities by enumerating the database contents.
- Run tests of different SQLi attacks to determine the extent of these vulnerabilities.
Repeat steps 2-3 to your satisfaction.
Get a List of Databases on Your System and Their Tables
Use enumeration options to scan SQL databases. To get a list of databases on your system, use
--dbs. For the tables and their schema, use
Below is an example of exploiting a vulnerability in the id parameter in a given cookie session to return the database tables (
--tables) using default answers to prompts (
sqlmap -u "http://sometestdb.to/view?id=123&Submit=Submit#" --cookie="PHPSESSID=e3f9231953973ace4acb63cfde2ccc08; security=low" --tables --batch
To narrow down the exploit to the users column, use the
--columns option followed by
-T and the desired table name:
sqlmap -u "http://sometestdb.to/view?id=123&Submit=Submit#" --cookie="PHPSESSID=e3f9231953973ace4acb63cfde2ccc08; security=low" --columns -T users --batch
These options can be used to enumerate the configuration information, structure and data contained in the tables of the target database management system.
|Retrieve DBMS banner|
|Retrieve DBMS current user|
|Retrieve DBMS current database|
|Enumerate DBMS databases|
|Exclude DBMS system databases when enumerating tables|
|Enumerate DBMS users|
|Enumerate DBMS users password hashes|
|Enumerate DBMS database tables|
|Enumerate DBMS database table columns|
|Enumerate DBMS schema|
|Retrieve number of entries for table(s)|
|Dump (output) DBMS database table entries|
|Dump all DBMS databases tables entries|
|DBMS database to enumerate|
|DBMS database table(s) to enumerate|
|DBMS database table column(s) to enumerate|
|DBMS database identifier(s) to not enumerate|
|DBMS user to enumerate|
Brute Force Options
Guess whether the database contains common names for tables, columns, and files.
|Check existence of common tables|
|Check existence of common columns|
|Check existence of common files|
Password Cracking with Sqlmap
This requires read permissions on the target database. In this case, you could enumerate the password hashes for each user with the
--passwords option. sqlmap will first enumerate the users, then attempt to crack the password hashes.
If your target database is sufficiently vulnerable, you can look for a table containing user data (e.g.,
users) because passwords likely reside there.
Once sqlmap discovers a column of passwords, it will prompt you for permission to crack the passwords, followed by a prompt on whether or not to crack them via a dictionary-based attack. If the passwords are sufficiently insecure, a “Y” to both prompts will yield meaningful output passwords.
Sqlmap’s Source Code Structure and How to Navigate It
Important and Useful Sqlmap Directories
You may customize your sqlmap experience by adding or editing files in the following directories. GitHub links refer to directories found in the sqlmap source code.
|Default values for all options which require defaults to function. The value(s) stated in terminal-issued commands takes precedence over the value(s) in this .conf file.|
|SQLi payloads, deployed according to the user’s values of |
|Text strings used for guessing column names and passwords (dictionary-based attacks)|
|Results from sqlmap commands returning database values such as |
If you use Kali Linux, this directory is at
Otherwise, the sqlmap terminal output will specify this location in an
|History of commands issued in a sqlmap shell (|
If you use Kali Linux, this directory is at
Test –levels and Their Impact on Your Commands
Check your database against particular SQLi attacks by setting test
--level values to dictate the volume of tests to perform and the degree of feedback from sqlmap.
|A limited number of tests/requests: |
|Test cookies (HTTP cookie header values)|
|Test cookies plus HTTP |
|As above, plus null values in parameters and other bugs|
|An extensive list of tests with an input file for payloads and boundaries|
sqlmap SQLi payloads are usually harmless, but if you want to test your database to breaking point,
--risk is the option to use:
|Data remain unchanged and database remains operable|
|Include heavy query time-based SQLi attacks, which may slow down or take down the database|
|As above, plus OR-based SQLi tests, the payload of which may update all entries of a table and cause havoc in production environments.|
These integer levels (0-6) are for troubleshooting and to see what sqlmap is doing under the hood.
|Show only Python tracebacks, error, and critical messages|
|Show also information and warning messages|
|Show also debug messages|
|Show also payloads injected|
|Show also HTTP requests|
|Show also HTTP responses’ headers|
|Show also HTTP responses’ page content|
Tamper Scripts and Their Actions
Useful tamper script commands:
|List all tamper scripts in the sqlmap directory|
|Invoke tamper script(s) TAMPERS of your choice|
Default tamper script actions fall into four categories:
|Action||Tamper script(s) as of sqlmap version 184.108.40.206#dev|
We hope this sqlmap cheat sheet makes sqlmap a more enjoyable experience for you. To download a PDF version of this sqlmap cheat sheet, click here.