Skills · May 4, 2026 · 1 min read

sqlmap — Automatic SQL Injection and Database Takeover Tool

An open-source penetration testing tool that automates detection and exploitation of SQL injection flaws in web applications.

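Agent ready

This asset can be read and installed directly by an agent.

TokRepo provides a universal CLI command, an install contract, metadata JSON, adapter-specific install plans, and raw content links, so that an agent can judge fit, risk, and next actions.

Native · 98/100 · Policy: Allow
Agent entry point: Any MCP/CLI agent
Type: Skill
Install: Single
Trust: Trust level: Established
Entry: sqlmap Overview
Universal CLI install command:
npx tokrepo install bdc0598f-47f8-11f1-9bc6-00163e2b0d79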

Introduction

sqlmap is an open-source penetration testing tool written in Python that automates the process of detecting and exploiting SQL injection vulnerabilities. It is widely used by security professionals, bug bounty hunters, and CTF competitors for authorized testing engagements.

What sqlmap Does

  • Detects SQL injection vulnerabilities across boolean-based, time-based, error-based, UNION-based, and stacked queries
  • Supports MySQL, PostgreSQL, Oracle, Microsoft SQL Server, SQLite, and 10+ other DBMS
  • Enumerates databases, tables, columns, and dumps data from vulnerable endpoints
  • Provides OS-level access via database features like xp_cmdshell or UDF injection
  • Supports HTTP authentication, proxies, cookies, and custom headers

Architecture Overview

sqlmap is a single Python application that takes a target URL or request file and runs a battery of injection tests. It uses heuristic detection to identify injectable parameters, then escalates through increasingly aggressive payloads. A tamper script system allows users to bypass WAFs by encoding or transforming payloads before delivery.
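For defenders, the technique classes and payload transformations described above map onto log-review signatures. The following is an added example, not part of sqlmap or the original page: a Python triage script that normalizes a request's query string (undoing repeated URL-encoding and inline-comment spacing) and tags it by technique class. The signature set, function names and sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures keyed by the technique classes the page lists. Deliberately coarse:
# they flag requests for human review and are not a complete WAF rule set.
SIGNATURES = {
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "time-based": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),
    "stacked-queries": re.compile(r";\s*(select|insert|update|delete|drop|exec)\b"),
    "boolean-based": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
}
# sqlmap's default User-Agent starts with "sqlmap/". The header is
# client-controlled, so treat a match as a weak signal only.
DEFAULT_UA = re.compile(r"^sqlmap/")


def normalize(value: str) -> str:
    """Undo common payload transformations before matching."""
    for _ in range(3):  # repeated decoding handles double URL-encoding
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)  # inline comments used as whitespace
    return re.sub(r"\s+", " ", value).lower()


def classify(query_string: str, user_agent: str = "") -> set[str]:
    """Return the set of signature names that match one request."""
    text = normalize(query_string)
    hits = {name for name, rx in SIGNATURES.items() if rx.search(text)}
    if DEFAULT_UA.search(user_agent.lower()):
        hits.add("default-user-agent")
    return hits


# Constructed sample requests (query string, User-Agent); not real traffic.
SAMPLES = [
    ("id=7&sort=name", "Mozilla/5.0"),
    ("id=7%20AND%204821%3D4821", "sqlmap/1.8#stable (https://sqlmap.org)"),
    ("id=7%2520UNION%2520ALL%2520SELECT%2520NULL", "Mozilla/5.0"),
    ("id=7/**/AND/**/SLEEP(5)", "Mozilla/5.0"),
    ("id=7%3B%20SELECT%201", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for qs, ua in SAMPLES:
        print(f"{qs!r:50} -> {sorted(classify(qs, ua)) or 'clean'}")
```

Matching on the raw query string would miss the double-encoded and comment-spaced samples, which is why normalization runs before any signature is applied.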

Self-Hosting & Configuration

  • Install via pip or clone the repository directly
  • Provide targets via URL, request file, or Burp Suite log import
  • Configure tamper scripts to evade web application firewalls
  • Use --level and --risk flags to control test intensity
  • Supports proxy chains and Tor for anonymized testing

Key Features

  • Automatic fingerprinting of the backend DBMS from injection responses
  • Built-in tamper script library with 50+ WAF bypass techniques
  • File read/write on the server filesystem through SQL injection
  • Interactive OS shell when the database allows command execution
  • Crawling and form-based parameter discovery with --forms and --crawl

Comparison with Similar Tools

  • Havij — Windows-only GUI tool, no longer maintained
  • jSQL Injection — Java-based alternative with GUI, fewer DBMS supported
  • NoSQLMap — focuses on NoSQL databases like MongoDB instead of SQL
  • Ghauri — newer Python tool inspired by sqlmap with improved detection for specific edge cases

FAQ

Q: Is sqlmap legal to use? A: sqlmap is legal to possess and use only against systems you own or have explicit written authorization to test. Unauthorized use is illegal.

Q: Can sqlmap bypass web application firewalls? A: sqlmap includes tamper scripts that modify payloads to evade common WAF rules. Custom tamper scripts can be written for specific WAFs.

Q: Does sqlmap work with POST requests? A: Yes. Use --data to specify POST parameters, or provide a full HTTP request file captured from a proxy like Burp Suite.

Q: How does sqlmap handle HTTPS? A: sqlmap supports HTTPS natively. Use --force-ssl if auto-detection fails.
