Specifying Injection Techniques
Learn about different SQL injection techniques and how to target them specifically
SQLMap supports various SQL injection techniques, each with its own strengths and use cases. Understanding these techniques allows you to optimize your testing approach.
Overview of Supported Techniques
SQLMap supports the following injection techniques, represented by single-letter codes:
| Code | Technique | Description |
|---|---|---|
| B | Boolean-based blind | Uses true/false conditions to extract data bit by bit |
| E | Error-based | Leverages database error messages to extract data |
| U | UNION query-based | Uses UNION statements to combine queries and extract data |
| S | Stacked queries | Executes multiple SQL statements in a single request |
| T | Time-based blind | Uses time delays to determine if conditions are true |
| Q | Inline queries | Executes SQL queries inline with the original query |
Each technique is suited for different scenarios depending on the application's behavior and the database management system.
Targeting Specific Techniques with --technique
You can specify which injection techniques to use with the --technique flag:
sqlmap -u "http://www.example.com/vuln.php?id=1" --technique BT
This example only tests for boolean-based blind and time-based blind SQL injection. By default, SQLMap tests all techniques in the order BEUSTQ.
Specifying techniques can:
- Speed up testing by focusing on the most likely techniques
- Reduce server load by avoiding unnecessary tests
- Target techniques known to work with specific database systems
Adjusting Time-Based Delays with --time-sec
For time-based blind SQL injection, control the delay length with the --time-sec flag:
sqlmap -u "http://www.example.com/vuln.php?id=1" --technique T --time-sec 10
This sets a 10-second delay for time-based tests, which is useful when:
- The server is under heavy load and needs longer delays for accurate results
- You want to ensure the delay is noticeable
- You need to distinguish between normal server lag and intentional delays
Setting Column Range for UNION Attacks with --union-cols
When using UNION-based attacks, you need to match the number of columns in the original query. If you don't know this number, use the --union-cols flag:
sqlmap -u "http://www.example.com/vuln.php?id=1" --technique U --union-cols 1-10
This tests UNION queries with 1 to 10 columns to find the correct number. This is essential for:
- Determining the correct column count for UNION attacks
- Extracting data efficiently from the database
- Finding the right structure for your injection payload
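What a scoped test like the ones above leaves in the target's web access log, seen from the defender's side. This is an added example, not SQLMap code or output: the log format, the regex signatures and the sample lines are assumptions constructed for illustration, and only the U, T and S codes from the table are covered.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (client IP, request line); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 "GET /vuln.php?id=1%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1"',
    '203.0.113.7 "GET /vuln.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL--%20- HTTP/1.1"',
    '203.0.113.7 "GET /vuln.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL--%20- HTTP/1.1"',
    '203.0.113.7 "GET /vuln.php?id=1%20AND%20SLEEP(10) HTTP/1.1"',
    '198.51.100.4 "GET /vuln.php?id=1;SELECT%20PG_SLEEP(10)-- HTTP/1.1"',
    '198.51.100.9 "GET /search.php?q=credit+union+hours HTTP/1.1"',  # benign
]
# Assumed signatures, keyed by the technique codes from the table above.
PATTERNS = {
    "U": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "T": re.compile(r"\b(?:SLEEP|PG_SLEEP|BENCHMARK)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
    "S": re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|EXEC)\b", re.I),
}
LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+"$')
UNION_COLS = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+(.+?)(?:--|#|\bFROM\b|$)", re.I)

def classify(line):
    """Return (client, technique codes, UNION column count or None) for one line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m.group(2))  # decode %20 and + before matching
    codes = {code for code, rx in PATTERNS.items() if rx.search(target)}
    u = UNION_COLS.search(target)
    # Naive column count: commas inside function calls would inflate it.
    cols = len(u.group(1).split(",")) if u else None
    return m.group(1), codes, cols

def summarize(lines):
    """Per client: technique codes seen and whether UNION column counts form a sweep."""
    seen = defaultdict(lambda: {"codes": set(), "cols": set()})
    for parsed in filter(None, map(classify, lines)):
        client, codes, cols = parsed
        if codes:
            seen[client]["codes"] |= codes
            if cols:
                seen[client]["cols"].add(cols)
    report = {}
    for client, d in seen.items():
        cols = sorted(d["cols"])
        # Three or more consecutive counts looks like a --union-cols style range test.
        sweep = len(cols) >= 3 and cols[-1] - cols[0] == len(cols) - 1
        report[client] = {"codes": "".join(sorted(d["codes"])), "union_cols": cols, "column_sweep": sweep}
    return report
```

Calling summarize(SAMPLE_LOG) groups the findings per client, so a run of increasing UNION column counts from one address stands out from a single stray match.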