SQLMap - CheatSheet
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Get a hacker's perspective on your web apps, network, and cloud
Find and report critical, exploitable vulnerabilities with real business impact. Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
Capture the request and create a req.txt file
Sqlmap allows the use of -e or --eval to process each payload before sending it with some python oneliner. This makes very easy and fast to process in custom ways the payload before sending it. In the following example the flask cookie session is signed by flask with the known secret before sending it:
Read this post about how to perform simple and complex second order injections with sqlmap.
Remember that you can create your own tamper in python and it's very simple. You can find a tamper example in the Second Order Injection page here.
| Tamper | Description |
|---|---|
apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart |
appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
base64encode.py | Base64 all characters in a given payload |
between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) |
commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
charencode.py | Url-encodes all characters in a given payload (not processing already encoded) |
charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "%u0022" |
charunicodeescape.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "\u0022" |
equaltolike.py | Replaces all occurances of operator equal ('=') with operator 'LIKE' |
escapequotes.py | Slash escape quotes (' and ") |
greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
modsecurityversioned.py | Embraces complete query with versioned comment |
modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
multiplespaces.py | Adds multiple spaces around SQL keywords |
nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters |
percentage.py | Adds a percentage sign ('%') infront of each character |
overlongutf8.py | Converts all characters in a given payload (not processing already encoded) |
randomcase.py | Replaces each keyword character with random case value |
randomcomments.py | Add random comments to SQL keywords |
securesphere.py | Appends special crafted string |
sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
space2comment.py | Replaces space character (' ') with comments |
space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') |
space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') |
space2plus.py | Replaces space character (' ') with plus ('+') |
space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and |
unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
uppercase.py | Replaces each keyword character with upper case value 'INSERT' |
varnish.py | Append a HTTP header 'X-originating-IP' |
versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' |
Get a hacker's perspective on your web apps, network, and cloud
Find and report critical, exploitable vulnerabilities with real business impact. Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
