Tuning SQLMap: What Levels and Risks Really Mean


SQLMap is one of the most popular tools among penetration testers and remains highly effective when properly configured and used against vulnerable targets.

Some argue that SQLMap is quickly blocked by modern defenses like Web Application Firewalls (WAFs), but this isn’t always the case. The extent of SQLMap's interaction with the target system is primarily controlled by two parameters — --level and --risk — and to some degree by a third: --technique. Let’s take a closer look at what these parameters mean and how they work together.

sqlmap -u "http://site.com/page.php" --data="q=test" --level=3 --risk=2 --technique=BEUSTQ

Techniques

Techniques are the families of injection payloads sqlmap knows about.
With the --technique parameter we select which of these families may be tried. The letters can be written in any order, and the order changes nothing: sqlmap decides the testing sequence itself and uses the flag only as a filter. The default is all six, so the flag is normally used to narrow a scan (for example --technique=T when you already know the only channel is a blind, time-based one).
Each technique is represented by the first letter of its name: --technique=BEUSTQ

  • B – Boolean-based blind – the page content changes depending on whether an injected condition is true or false (e.g. ?id=1' AND 1=1-- versus ?id=1' AND 1=2--)
  • E – Error-based – provokes a database error whose message leaks query results or fragments of the original query into the response
  • U – Union-based – appends a UNION SELECT to pull results straight into the page (sqlmap has to find the right number of columns, and at least one column must be reflected in the output)
  • S – Stacked queries – terminates the original statement with ; and appends a second one (e.g. ?id=1'; SELECT SLEEP(5)--). sqlmap confirms support with a delayed second query; once confirmed, stacking is what lets it run INSERT/UPDATE statements and, given the privileges, the database's OS-level features
  • T – Time-based blind – delays the response when a condition is true (e.g. ?id=1' AND IF(1=1, SLEEP(5), 0)--)
  • Q – Inline queries – injects a subquery that the original statement evaluates in place (e.g. ?id=(SELECT 1)). Second-order injection, where a stored payload fires on a different page, is not a technique letter; sqlmap handles it through the separate --second-url / --second-req options

Levels

Levels control two things: which parts of the request sqlmap treats as injection points, and how many payloads and boundaries it tries at each of them. Every test in sqlmap's payload files carries a level from 1 to 5, and only tests at or below the configured --level are run, so the payload set grows at every step.
Each higher level includes all previous levels. The entry points are added like this:

  • --level=1 – GET and POST parameters in the URL or request body (default; e.g. ?id=1 or username=admin)
  • --level=2 – parameters from the Cookie header (e.g. PHPSESSID=xyz)
  • --level=3 – the User-Agent and Referer headers
  • --level=4 – no new entry points; only a larger set of payloads and boundaries
  • --level=5 – the Host header, together with the full payload set

Parts of the URI path are not tied to any level: sqlmap never tests the path on its own, you mark the spot with * (e.g. -u "http://site.com/page/1*/view").

Why are User-Agent and Referer tested at level 3, but Host only at level 5?

sqlmap's documentation gives no reason, but the ordering follows how likely each header is to reach a query versus how disruptive tampering with it is.

  • User-Agent and Referer are often written to logs or analytics tables, so they are plausible injection points, and changing them rarely alters how the application behaves.
  • Host is used by web servers, proxies and frameworks for virtual-host routing, link generation and redirects. A tampered Host header may be answered by a different virtual host or with a 400, which both breaks the application and confuses sqlmap's response comparison.
  • That is why sqlmap keeps Host for the most exhaustive setting and tests it only at --level=5.

What if I want to test a custom header?

Custom headers are ignored by SQLMap by default.
To test one, you must explicitly mark the injection point with a *.
sqlmap -u "http://site.com/page" --headers="X-Client-ID: *"
The * tells SQLMap where to put the payload; it can also follow an existing value (X-Client-ID: 42*), in which case the payload is appended to it. The same marker works in -u, --data and --cookie.
Without it, SQLMap will just send the header value as-is and won't try any injection there.

Risk

Risk defines how aggressive the payloads are and how much they can affect the target. Every test also carries a risk value from 1 to 3, and only tests at or below --risk are run, so each higher risk adds payloads on top of the previous ones. Higher risk means more intrusive queries and a greater chance of side effects and log entries.
Roughly, the risks can be understood like this:

  • --risk=1 (default) – payloads that are harmless for almost any injection point: AND-based boolean conditions, error-based and UNION SELECT tests, and plain time delays
    (e.g. ' AND 1=1--, UNION SELECT NULL,..., SLEEP(5), WAITFOR DELAY)
  • --risk=2 – adds heavy-query time-based tests that put real load on the database server
    (e.g. BENCHMARK(), large cross joins on system tables)
  • --risk=3 – adds OR-based boolean tests
    (e.g. ' OR 1=1--). These are the dangerous ones: injected into an UPDATE or DELETE statement, an always-true OR condition can touch every row of the table.

Risk does not control what happens after an injection is found. File reads and writes (load_file(), INTO OUTFILE), xp_cmdshell and an OS shell are separate features (--file-read, --file-write, --os-cmd, --os-shell) that you enable explicitly, and they only work when the database account has the privileges for them.

SQLMap Techniques vs Levels and Risks

The three parameters are independent filters that are applied together: --technique says which families are allowed, --level and --risk say which tests inside those families are allowed, and a test is sent only if all three agree. Already at --level=1 --risk=1 sqlmap uses all six techniques, including stacked (S) and time-based (T) detection, because their basic SLEEP-style tests are level 1, risk 1. Raising the level mostly adds payload and boundary variants (and, at 2, 3 and 5, new entry points); raising the risk adds heavy queries and then OR-based payloads. Each higher level or risk doesn't replace the previous one, it adds on top. None of the three enables post-exploitation features such as file access or command execution; those remain separate options.

Summary

In short, --technique chooses the payload families, --risk caps how aggressive the individual payloads may be, and --level caps both the payload set and the request points that are touched. For example, running sqlmap -u "http://target" launches a basic scan with level=1, risk=1 and all six techniques (BEUSTQ), restricted to the level-1, risk-1 payloads against GET/POST parameters. Now that you know the rules, you can test smarter. Use this combo wisely, and stay stealthy 🤗