SQLmap tutorial

SQLMap helps us as security researchers to find SQL Injection vulnerabilities. The advantage of SQLMap is of course that this tool is many times faster than manually testing SQL Injection.

SQLMap has extensive use cases and possibilities. In this SQLmap tutorial I will guide you through the possibilities while providing SQLmap cheatsheets and questionnaires to test your SQLmap skills (at the end of this post).

What is SQLmap

SQLmap is an open source community supported tool which runs on Linux. It automates detection and the usage of the found vulnerabilities. It supports a wide range of databases (40). It can perform fingerprinting, command execution and a lot more which will be covered in this SQLmap tutorial.

SQLmap usage

Where to download SQLmap

The official location to download SQLmap is at sqlmap.org, and it is often included in official penetration testing packages.

Which databases does it work on

Amazon RedshiftFrontBaseMckoiPresto
Apache DerbyGreenplumMemSQLSAP MaxDB
Apache IgniteH2Microsoft AccessSQLite
CockroachDBHSQLDBMicrosoft SQL ServerSybase
DrizzleInterSystems CacheMySQLVirtuoso
The database types which are supported by SQLmap.

SQLmap commands

Take a look at these quick SQLmap commands which will allow you to quickly map vulnerable databases to your terminal.

Perform SQLmap GET request

sqlmap -u http://[yourwebsite[.]com]/page.php?id=1 --dbs

How do you perform a SQLmap request via the TOR network?

sqlmap -u [yourwebsite[.]com] --tor

Perform SQLmap query from file called request.txt

sqlmap -r request.txt

Testing with pattern of URL’s

sqlmap -u http://[yourwebsite[.]com]/page/*/view --dbs

How do you utilize a proxy with SQLmap?

sqlmap -u [yourwebsite[.]com] --proxy=[PROXY_ADDRESS]

Using cookies

sqlmap -u http://[yourwebsite[.]com]/enter.php --cookie="PHPSESSID=[REPLACE_THIS_WITH_COOKIE]" -u http://[yourwebsite[.]com]/index.php?id=1

Identify current DB

sqlmap -u http://[yourwebsite[.]com]/page.php?id=1 --current-db

Persistent connection

sqlmap -u http://[yourwebsite[.]com]/page.php?id=1 --dbs --keep-alive

How do you perform an GET request with SQLmap?

sqlmap -u [yourwebsite[.]com]

How do you crawl a website with SQLmap?

sqlmap -u [yourwebsite[.]com] --crawl=1

How do you perform an POST request with SQLmap?

sqlmap -u [yourwebsite[.]com] --data=[DATA]

Some useful SQLmap commands

  1. –data=DATA data string to be sent through POST
  2. –param-del=PDEL character used for splitting parameter values
  3. –cookie=COOKIE HTTP Cookie header
  4. –cookie-del=CDEL character used for splitting cookie values
  5. –load-cookies=L.. file containing cookies in Netscape/wget format
  6. –drop-set-cookie ignore Set-Cookie header from response
  7. –user-agent=AGENT –random-agent
  8. –host=HOST –referer=REFERER –headers=HEADERS
  9. –auth-type=AUTH.. Basic, Digest, NTLM or PKI
  10. –auth-cred=AUTH.. name:password
  11. –auth-private=A.. PEM private key file
  12. –proxy=PROXY –proxy-cred=PRO.. name:password
  13. –proxy-file=PRO.. list from a file –ignore-proxy ignore system settings
  14. –tor –tor-port=TPORT –tor-type=TYPE HTTP (dflt), SOCKS4, SOCKS5
  15. –check-tor check to see if Tor is used properly
  16. –delay=DELAY delay in seconds between each HTTP request
  17. –timeout=TIMEOUT seconds to wait before timeout (default 30)
  18. –retries=RETRIES retries when the connection timeouts (default 3)
  19. –randomize=RPARAM randomly change value for given parameter(s)
  20. –safe-url=SAFURL URL address to visit frequently during testing
  21. –safe-freq=SAFREQ test requests between two visits to a given safe URL
  22. –skip-urlencode skip URL encoding of payload data
  23. –force-ssl force usage of SSL/HTTPS
  24. –hpp use HTTP parameter pollution
  25. –eval=EVALCODE

SQLmap cheatsheets

Feel free to download the following SQLmap cheatsheets. They contain some queries which you can directly put into your SQLmap enabled terminal. Don’t forget to try out the SQLmap exam.

Share this information

SQLmap exam