Merge pull request #1208 from HackTricks-wiki/update_SQLMap__Testing_SQL_Database_Vulnerabilities_20250729_183209

SQLMap Testing SQL Database Vulnerabilities
2025-10-10 18:36:50 +00:00 · 2025-07-30 08:02:59 +02:00 · 2025-07-30 08:02:59 +02:00 · 66c23fb65b
commit 66c23fb65b
parent 2829366c1d b4496aea9a
2 changed files with 47 additions and 0 deletions
--- a/src/pentesting-web/sql-injection/sqlmap.md
+++ b/src/pentesting-web/sql-injection/sqlmap.md
@ -23,6 +23,26 @@
 --proxy=PROXY
 ```

+### Technique flags (`--technique`)
+
+The `--technique` argument defines which SQL injection methods sqlmap will attempt.  
+Each character in the string represents a technique:
+
+| Letter | Technique | Description |
+| ------ | --------- | ----------- |
+| B | Boolean-based blind | Uses true/false conditions to infer data |
+| E | Error-based | Leverages verbose DBMS error messages to exfiltrate results |
+| U | UNION query | Injects `UNION SELECT` statements to fetch data via the same channel |
+| S | Stacked queries | Adds additional statements separated by `;` |
+| T | Time-based blind | Relies on delays (`SLEEP`, `WAITFOR`) to detect injection |
+| Q | Inline / out-of-band | Uses functions such as `LOAD_FILE()` or OOB channels like DNS |
+
+Default order is `BEUSTQ`. You can rearrange or limit them, e.g. only Boolean and Time-based in that order:
+
+```bash
+sqlmap -u "http://target/?id=1" --technique="BT" --batch
+```
+
 ### Retrieve Information

 #### Internal
@ -192,6 +212,9 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
 | versionedmorekeywords.py     | Encloses each keyword with versioned MySQL comment                                                                                 |
 | xforwardedfor.py             | Append a fake HTTP header 'X-Forwarded-For'                                                                                        |

+## References
+- [SQLMap: Testing SQL Database Vulnerabilities](https://blog.bughunt.com.br/sqlmap-vulnerabilidades-banco-de-dados/)
+
 {{#include ../../banners/hacktricks-training.md}}


--- a/src/pentesting-web/sql-injection/sqlmap/README.md
+++ b/src/pentesting-web/sql-injection/sqlmap/README.md
@ -25,6 +25,27 @@
 --union-char "GsFRts2" #Help sqlmap identify union SQLi techniques with a weird union char
 ```

+### Technique flags (`--technique`)
+
+The `--technique` option lets you restrict or reorder the SQL injection techniques sqlmap will test.  
+Each letter corresponds to a different class of payloads:
+
+| Letter | Technique | Description |
+| ------ | --------- | ----------- |
+| B | Boolean-based blind | Uses true/false conditions in the page response to infer results |
+| E | Error-based | Leverages verbose DBMS error messages to extract data |
+| U | UNION query | Injects `UNION SELECT` statements to fetch data via the same channel |
+| S | Stacked queries | Appends extra statements separated by a SQL delimiter (`;`) |
+| T | Time-based blind | Relies on `SLEEP/WAITFOR` delays to detect injectable conditions |
+| Q | Inline / out-of-band | Utilises functions such as `LOAD_FILE()` or DNS exfiltration to extract data |
+
+The default order that sqlmap will follow is `BEUSTQ` (all techniques).  
+You can change both the order and the subset. For instance, the following command will **only** attempt UNION query and Time-based blind techniques, trying UNION first:
+
+```bash
+sqlmap -u "http://target.tld/page.php?id=1" --technique="UT" --batch
+```
+
 ### Retrieve Information

 #### Internal
@ -228,6 +249,9 @@ Remember that **you can create your own tamper in python** and it's very simple.
 | xforwardedfor.py             | Append a fake HTTP header 'X-Forwarded-For'                                                                                        |


+## References
+- [SQLMap: Testing SQL Database Vulnerabilities](https://blog.bughunt.com.br/sqlmap-vulnerabilidades-banco-de-dados/)
+
 {{#include ../../../banners/hacktricks-training.md}}