--risk
is explained correctly in the answer by OscarAkaElvis.
However, --level
not only adds more injection points such as cookies and other headers but also performs more tests for each injection point. If you want to perform all possible tests on just 1 parameter, you still need level 5. The values are defined as:
- 1: Always (<100 requests)
- 2: Try a bit harder (100-200 requests)
- 3: Good number of requests (200-500 requests)
- 4: Extensive test (500-1000 requests)
- 5: You have plenty of time (>1000 requests)
If you want to test a specific parameter without sqlmap spraying crap in all directions at random and exponentially increasing the number of requests, you can use -p
. For example, to test the id
parameter in GET /admin?id=7&op=fetch
on level 5, you can use:
sqlmap -p id --level 5 -u 'https://example.com/admin?id=7&op=fetch'
Testing this, the number of requests actually performed by each level by sqlmap 1.5.2 with only basic union tests (1-10 columns, it prompts for this) are:
- --level 1 --risk 1:
53
requests
- --level 2 --risk 1:
342
requests
- --level 3 --risk 1:
1080
requests
- --level 4 --risk 1:
2060
requests
- --level 5 --risk 1:
3280
requests
When increasing to --risk 3
, the number of tests increases further:
- --level 1 --risk 3:
112
requests
- --level 2 --risk 3:
646
requests
- --level 3 --risk 3:
2160
requests
- --level 4 --risk 3:
4320
requests
- --level 5 --risk 3:
7850
requests
Finally, while OscarAkaElvis correctly cites the documentation saying:
Risk value 2 adds to the default level the tests for heavy query time-based SQL injections
Risk level 1 also already does time-based SQL injections. You don't need to increase the risk level for that. The higher risk level will just use much slower queries, which might take the system down for longer if they work and block the web server for example.
You can see exactly what it does for different --level
and --risk
values by using ctrl+f in the files in this directory: https://github.com/sqlmapproject/sqlmap/tree/master/data/xml/payloads
For example by searching for <risk>1
, your browser will find all queries for that risk level.