sqlmap
Verbose Level (-v)
0: displays critical info only
1: displays warning info
2: displays debug info
3: displays payload used
4: displays HTTP request body
5: displays HTTP response headers
6: displays HTTP response body
Database Connection (-d)
Connect to a database with credentials:
sqlmap -d DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/<MySQL/Oracle/Microsoft SQL Server/PostgreSQL>
or connect to a database file:
sqlmap -d DBMS://<SQLite, Microsoft Access, Firebird>
GET (-u)
sqlmap -u "http://<domain>/vuln.php?id=1" -f --banner --dbs --users
POST (--data)
Load Request from a File (-r)
Cookie (--cookie)
User-Agent (--user-agent)
The default User-Agent header sent by sqlmap is sqlmap/1.0-dev-xxxxxxx, but we can specify a User-Agent header:
or set a random user agent:
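For defenders, the default header described above is a cheap log signal. The following is an added example, not part of the original page or of sqlmap: it parses combined-format web access logs and groups requests carrying the default sqlmap User-Agent by client IP. The log lines, IP addresses and the function name `find_sqlmap_clients` are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
FIELD = r'((?:[^"\\]|\\.)*)'  # quoted field; tolerates backslash-escaped quotes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "' + FIELD + r'" (\d{3}) \S+ "' + FIELD + r'" "' + FIELD + r'"$'
)
# The default header named on this page begins with "sqlmap/" plus a version string.
SQLMAP_UA_RE = re.compile(r'^sqlmap/\S+', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:01:02 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-xxxxxxx"
198.51.100.7 - - [10/Mar/2024:10:01:03 +0000] "GET /vuln.php?id=1%27 HTTP/1.1" 500 128 "-" "sqlmap/1.0-dev-xxxxxxx"
203.0.113.9 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
malformed line without the expected fields
"""

def find_sqlmap_clients(lines):
    """Group requests carrying the default sqlmap User-Agent by client IP.

    Returns (clients, skipped): clients maps ip -> hits/first/last/requests,
    skipped counts non-blank lines that did not parse as combined format.
    """
    clients = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "requests": []})
    skipped = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            skipped += 1  # count unparsed lines so gaps in coverage are visible
            continue
        ip, ts, request, _status, _referer, ua = m.groups()
        if SQLMAP_UA_RE.match(ua):
            entry = clients[ip]
            entry["hits"] += 1
            entry["first"] = entry["first"] or ts  # log files are in time order
            entry["last"] = ts
            entry["requests"].append(request)
    return dict(clients), skipped

if __name__ == "__main__":
    found, skipped = find_sqlmap_clients(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print(f'{ip}: {info["hits"]} requests, {info["first"]} to {info["last"]}')
    print(f"unparsed lines: {skipped}")
```

This only matches runs that keep the default header, so treat a hit as one signal among several and not as proof that no scanning occurred when it is absent.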
Level (--level)
--level=1: default mode
--level=2: adds cookie testing
--level=3: adds User-Agent testing
--level=4: more testing
--level=5: adds Host testing
Risk (--risk)
--risk=1: (Default) innocuous injections
--risk=2: Enables heavy time-based injections
--risk=3: Enables OR-based injections -> using them on UPDATE queries would update all the rows in a table
Proxy (--proxy) and Tor (--tor)
Proxy:
Tor:
Blind SQLi (--string, --not-string)
Append to --string a string which is always present in True output page
Append to --not-string a string which is always present in False output page
Privilege Enumeration (--is-dba)
Determine if the current user is the database admin:
Download/Upload (--file-read/--file-write/--file-dest)
Download a file:
Upload a file:
RCE (--os-shell)
The following requirements must be satisfied for --os-shell to work:
We have write permission
Pathnames are default
PHP magic_quotes_gpc is disabled
Behind the scenes, sqlmap creates an "upload trojan" on the target machine and uploads a webshell through it.
If the -d option is used, sqlmap will use UDF. For example: