SQLMap – Automatic SQL Injection Testing Tool

February 3, 2016

SQLMap is like the network security scanning tool Nmap, but for scanning databases for SQL injection vulnerabilities. SQLMap has been one of the favorite tools in my toolkit for a while now, but it seems like not many people outside of the security space have heard of it.

SQLMap is an SQL injection testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities in database servers. It's a very powerful tool for penetration testers, but it's also one of those tools every developer who writes code interfacing with databases should learn and use.

SQLMap supports most of the popular relational databases including MySQL, PostgreSQL, Oracle, Microsoft SQL Server, etc. Besides the SQL injection feature, SQLMap also has the ability to automatically detect password hash formats and crack them using dictionary-based attacks. It also lets you retrieve information from the vulnerable database once an SQL injection vulnerability has been detected.

There are a lot of bad code samples out there for people who are just getting started with web programming. Even developers who are somewhat familiar with SQL injection believe that once you use parameterized queries, you are safe. But there are many ways to get it wrong. I am not going to go into how to write parameterized queries that are safe from injection attacks. What SQLMap provides is a tool that you can point at a URL, and it will tell you in a minute whether your website is vulnerable, so you can go back to each of the URLs and fix your code.
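One common way to get it wrong, shown as an added example that is not part of the original post: a query that binds its value correctly but still formats a sort column into the SQL text, next to a version that maps the column through an allowlist. The table, column names and sample rows are constructed for illustration, and Python's built-in sqlite3 module is assumed as the database.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema is hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return db

def find_users_mixed(db, role, sort_by):
    # Looks parameterized: `role` is bound with a placeholder. But `sort_by`
    # is formatted into the statement, so the caller still controls SQL text.
    sql = "SELECT name FROM users WHERE role = ? ORDER BY %s" % sort_by
    return [row[0] for row in db.execute(sql, (role,))]

# Identifiers cannot be bound as parameters, so map the request value
# to a fixed set of column names chosen by the developer.
ALLOWED_SORT = {"name": "name", "id": "id"}

def find_users_safe(db, role, sort_by):
    try:
        column = ALLOWED_SORT[sort_by]
    except KeyError:
        raise ValueError("unsupported sort column: %r" % (sort_by,))
    sql = "SELECT name FROM users WHERE role = ? ORDER BY " + column
    return [row[0] for row in db.execute(sql, (role,))]

if __name__ == "__main__":
    db = make_db()
    # Expected input: both versions behave the same.
    print(find_users_mixed(db, "user", "name"))
    print(find_users_safe(db, "user", "name"))
    # Input carrying SQL syntax: the mixed version executes it as SQL,
    # which is the kind of behaviour a scanner reports as injectable.
    print(find_users_mixed(db, "user", "name DESC"))
    try:
        find_users_safe(db, "user", "name DESC")
    except ValueError as exc:
        print("rejected:", exc)
```
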

SQLMap is a very easy tool to get started with.

SQLMap is written in Python. Assuming you have Python already installed on your system, you can install SQLMap either through git:

git clone https://github.com/sqlmapproject/sqlmap.git sqlmap

Or you can download a zip or tarball.

To get started, go to the sqlmap directory and find the sqlmap.py file. Check out what options are available using the sqlmap help option.

python sqlmap.py -h


Now let's test a URL on my website for SQL injection:

python sqlmap.py -u 'http://sacharya.com/wp-admin'

This will launch the automatic SQL injection testing and give you the result at the end. This should be enough for basic testing.
However, you can further specify how to connect to the target URL using the following options:

Specify Data string to be sent through POST

Specify HTTP Cookie header value

Use randomly selected HTTP User-Agent header value

Use a proxy to connect to the target URL

Use Tor anonymity network

Check to see if Tor is used properly

Extract information:

Once a vulnerability has been found, you can easily extract information out of the vulnerable database. The following options are available:

Retrieve everything

Detect session user

Detect current database

Find out if session user is a database admin

List database system users

List databases

Enumerate tables

Enumerate columns

Dump database content

For more details on the usage, see this wiki.
