Hack Academy's SQLMap Cheat Sheet

SQLmap is an open-source tool for detecting and exploiting SQL injection vulnerabilities, providing features such as data extraction and database access control. The cheat sheet outlines basic, injection, optimization, general, and miscellaneous options for effective use of SQLmap. It emphasizes the importance of ethical hacking and responsible use of the tool in authorized environments.

SQLMAP BASIC OPTIONS CHEAT SHEET

(By Hack Academy)

Introduction

SQLmap is an open-source penetration testing tool designed to automate the process of
detecting and exploiting SQL injection vulnerabilities. It supports a wide range of
databases and offers powerful features like fingerprinting, data extraction, and database
access control exploitation. Whether you're a penetration tester, bug bounty hunter, or
security researcher, this cheat sheet will guide you through the most essential options
and techniques that SQLmap offers.

Basic Options

Option Description

-u URL Target URL (e.g. -u "http://www.target.com/path/file.htm?variable=1")

-d DIRECT Direct connection string for database (e.g. -d DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME)

-l LOGFILE Parse targets from a Burp or WebScarab proxy log file

-m BULKFILE Scan multiple targets from a file containing URLs (one per line)

-r REQUESTFILE Load HTTP request from a file (HTTP/HTTPS transaction)

-g GOOGLEDORK Process Google Dork results as target URLs

-c CONFIGFILE Load options from a configuration INI file

--wizard Start a guided execution service

--update Update SQLmap to the latest version

--purge Clear out SQLmap data folder

--purge-output Same as --purge

--dependencies Check for missing SQLmap dependencies

-h Basic help

-hh Advanced help

--version Show SQLmap version number

-v VERBOSE Set verbosity level (e.g., 1 for basic, 5 for detailed)

Injection Options

Option Description

-p TESTPARAMETER Testable parameter(s) (e.g., -p id to test the id parameter)

--skip=SKIP Skip testing for specific parameters

--param-exclude=PARAM-EXCLUDE Exclude parameters from testing (e.g., --param-exclude ses)

--param-filter=PARAM-FILTER Select testable parameter(s) by place (e.g., --param-filter POST)

--dbms=DBMS Force a specific DBMS (e.g., --dbms=mysql)

--dbms-cred=DBMS-CREDENTIALS DBMS authentication credentials (e.g., --dbms-cred user:password)

--os=OS Force the back-end DBMS operating system (e.g., --os=Windows)

--invalid-bignum Use big numbers to invalidate values

--invalid-logical Use logical operations for invalidating values

--invalid-string Use random strings for invalidating values

--no-cast Turn off payload casting mechanism

--no-escape Turn off string escaping mechanism

--prefix=PREFIX Injection payload prefix string

--suffix=SUFFIX Injection payload suffix string

--tamper=TAMPER Use tampering scripts for injection data


Techniques

Option Description

--technique=TECHNIQUE Specify which SQL injection techniques to use (default: BEUSTQ)

--time-sec=TIMESEC Set delay in DBMS response (default: 5 seconds)

--union-cols=UCOLS Range of columns to test for UNION query SQL injection

--union-char=UCHAR Character to use for brute-forcing columns

--union-from=UFROM Table to use in the FROM part of UNION query SQL injection

--dns-domain=DNS-DOMAIN Domain name for DNS exfiltration attacks

--second-url=SECOND-URL URL searched for second-order responses

--second-req=SECOND-REQ Load a second-order HTTP request from a file

-f Perform an extensive DBMS version fingerprint

--fingerprint Same as -f

Operating System Access

Option Description

--os-cmd=OSCMD Execute an operating system command

--os-shell Prompt for an interactive operating system shell

--os-pwn Prompt for an out-of-band shell, Meterpreter, or VNC

--priv-esc Database process user privilege escalation

--msf-path=MSFPATH Path where Metasploit Framework is installed

--tmp-path=TMPPATH Remote absolute path of the temporary files directory


Optimization Options

Option Description

-o Enable all optimization switches

--predict-output Predict common query output

--keep-alive Use persistent HTTP(s) connections

--threads=THREADS Maximum number of concurrent HTTP(s) requests (default: 1)

General Options

Option Description

-s SESSIONFILE Load session from a stored file (.sqlite)

-t TRAFFICFILE Log all HTTP traffic into a text file

--batch Never ask for user input; use default behavior

--csv-del=CSVDEL The delimiter for CSV output (default: ,)

--flush-session Flush session files for the current target

--forms Parse and test forms on the target URL

--output-dir=OUTPUT-DIR Custom directory for output files

Miscellaneous Options

Option Description

--answers=ANSWERS Set predefined answers for specific questions (e.g., quit=N,follow=N)

--base64-safe Use URL-safe Base64 encoding (RFC 4648)

--test-skip=TEST-SKIP Skip specific tests based on payloads and titles (e.g., BENCHMARK)

--web-root=WEBROOT Web server document root directory (e.g., /var/www)


Closing Notes

Congratulations, you now have a solid understanding of the SQLmap tool and its powerful
features! Always remember to use it responsibly and only for authorized testing. Ethical
hacking can greatly improve the security of web applications, but it's crucial to respect
privacy and legal boundaries. Happy hacking!

SQLmap is a versatile tool that can help you identify and exploit SQL injection
vulnerabilities. However, it’s essential to stay up-to-date with the latest security
practices and tools to ensure you're always one step ahead. The security landscape is
constantly evolving, and new techniques and mitigations emerge regularly.

As you explore and utilize SQLmap, make sure to test within controlled environments or
with explicit permission. Unauthorized access to systems is illegal and unethical. Keep
honing your skills, practice safe and responsible security testing, and help make the
internet a safer place for everyone.

For any questions or further learning, feel free to dive into SQLmap's community and
resources. Stay curious and keep learning!
