loading
loading
Vulnerabilities
Automate detecting and exploiting SQL injection flaws and taking over database servers.
overview
sqlmap automates finding and exploiting SQL injection flaws in web applications and taking over the back-end database when the injection allows it. Point it at a URL, a raw request file, or a list of targets, and it probes parameters with a wide range of techniques: boolean-blind, time-blind, error-based, UNION, stacked queries, and out-of-band.
Once a point is confirmed injectable, the same run can enumerate databases, tables, and columns, dump rows, fingerprint the DBMS, or run OS commands through the database process. Tuning knobs such as --level, --risk, --tamper, and --technique control how aggressive and how evasive the testing is, which matters behind WAFs and on fragile apps.
On Trickest, sqlmap is a Vulnerabilities node that takes a target URL or request and writes a folder of session data and dumps. Feed it parameterized URLs from a crawler, and only run it against systems you are authorized to test.
use cases
Give sqlmap a URL or saved request with a candidate parameter and let it prove injectability before you spend time on manual payloads.
After detection, use --dbs, --tables, and --dump to map schema and extract rows for authorized data-exposure testing.
Pipe a list of candidate URLs from a crawler into bulk mode so every query string and form field gets a consistent injection pass.
Load --tamper scripts and raise --level/--risk when a WAF or input filter blocks the default payload set.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | Target URL (e.g. "http://www.site.com/vuln.php?id=1"). |
| data | STRING | --data | Data string to be sent through POST. |
| request-file | FILE | -r | Load HTTP request from a file. |
| dbs | BOOLEAN | --dbs | Enumerate DBMS databases. |
| dump | BOOLEAN | --dump | Dump DBMS database table entries. |
| level | STRING | --level | Level of tests to perform (1-5, default 1). |
| risk | STRING | --risk | Risk of tests to perform (1-3, default 1). |
| tamper | STRING | --tamper | Use given script(s) for tampering injection data. |
Showing key inputs. sqlmap exposes 193 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| os | STRING | --os | Force back-end DBMS operating system to provided value |
| all | BOOLEAN | --all | Retrieve everything |
| dbs | BOOLEAN | --dbs | Enumerate DBMS databases |
| eta | BOOLEAN | --eta | Display for each output the estimated time of arrival |
| hex | BOOLEAN | --hex | Use hex conversion during data retrieval |
| hpp | BOOLEAN | --hpp | Use HTTP parameter pollution method |
| tor | BOOLEAN | --tor | Use Tor anonymity network |
| url | STRING | --url | Target URL (e.g. "http://www.site.com/vuln.php?id=1") |
| code | STRING | --code | HTTP code to match when query is evaluated to True |
| data | STRING | --data | Data string to be sent through POST (e.g. "id=1") |
| dbms | STRING | --dbms | Force back-end DBMS to provided value |
| dump | BOOLEAN | --dump | Dump DBMS database table entries |
| eval | STRING | --eval | Evaluate provided Python code before the request (e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()") |
| host | STRING | --host | HTTP Host header value |
| last | STRING | --last | Last query output word character to retrieve |
| risk | STRING | --risk | Risk of tests to perform (1-3, default 1) |
| skip | STRING | --skip | Skip testing for given parameter(s) |
| stop | STRING | --stop | Last dump table entry to retrieve |
| user | STRING | -U | DBMS user to enumerate |
| alert | STRING | --alert | Run host OS command(s) when SQL injection is found |
| count | BOOLEAN | --count | Retrieve number of entries for table(s) |
| crawl | STRING | --crawl | Crawl the website starting from the target URL |
| delay | STRING | --delay | Delay in seconds between each HTTP request |
| first | STRING | --first | First query output word character to retrieve |
| forms | BOOLEAN | --forms | Parse and test forms on target URL |
| gpage | STRING | --gpage | Use Google dork results from specified page number |
| level | STRING | --level | Level of tests to perform (1-5, default 1) |
| proxy | STRING | --proxy | Use a proxy to connect to the target URL |
| purge | BOOLEAN | --purge | Safely remove all content from sqlmap data directory |
| roles | BOOLEAN | --roles | Enumerate DBMS users roles |
| scope | STRING | --scope | Regexp for filtering targets |
| smart | BOOLEAN | --smart | Perform thorough tests only if positive heuristic(s) |
| start | STRING | --start | First dump table entry to retrieve |
| table | STRING | -T | DBMS database table(s) to enumerate |
| users | BOOLEAN | --users | Enumerate DBMS users |
| where | STRING | --where | Use WHERE condition while table dumping |
| banner | BOOLEAN | --banner | Retrieve DBMS banner |
| base64 | STRING | --base64 | Parameter(s) containing Base64 encoded data |
| column | STRING | -C | DBMS database table column(s) to enumerate |
| cookie | STRING | --cookie | HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..") |
| header | STRING | --header | Extra header (e.g. "X-Forwarded-For: 127.0.0.1") |
| is-dba | BOOLEAN | --is-dba | Detect if the DBMS current user is DBA |
| method | STRING | --method | Force usage of given HTTP method (e.g. PUT) |
| mobile | BOOLEAN | --mobile | Imitate smartphone through HTTP User-Agent header |
| os-bof | BOOLEAN | --os-bof | Stored procedure buffer overflow exploitation |
| os-cmd | BOOLEAN | --os-cmd | Execute an operating system command |
| os-pwn | BOOLEAN | --os-pwn | Prompt for an OOB shell, Meterpreter or VNC |
| prefix | STRING | --prefix | Injection payload prefix string |
| regexp | STRING | --regexp | Regexp to match when query is evaluated to True |
| repair | BOOLEAN | --repair | Redump entries having unknown character marker (?) |
| schema | BOOLEAN | --schema | Enumerate DBMS schema |
| search | BOOLEAN | --search | Search column(s), table(s) and/or database name(s) |
| string | STRING | --string | String to match when query is evaluated to True |
| suffix | STRING | --suffix | Injection payload suffix string |
| tables | BOOLEAN | --tables | Enumerate DBMS database tables |
| tamper | STRING | --tamper | Use given script(s) for tampering injection data |
| titles | BOOLEAN | --titles | Compare pages based only on their titles |
| answers | STRING | --answers | Set predefined answers (e.g. "quit=N,follow=N") |
| charset | STRING | --charset | Blind SQL injection charset (e.g. "0123456789abcdef") |
| chunked | BOOLEAN | --chunked | Use HTTP chunked transfer encoded (POST) requests |
| cleanup | BOOLEAN | --cleanup | Clean up the DBMS from sqlmap specific UDF and tables |
| columns | BOOLEAN | --columns | Enumerate DBMS database table columns |
| csv-del | STRING | --csv-del | Delimiting character used in CSV output (default ",") |
| headers | STRING | --headers | Extra headers (e.g. "Accept-Language: fr\nETag: 123") |
| no-cast | BOOLEAN | --no-cast | Turn off payload casting mechanism |
| offline | BOOLEAN | --offline | Work in offline mode (only use session data) |
| referer | STRING | --referer | HTTP Referer header value |
| reg-add | BOOLEAN | --reg-add | Write a Windows registry key value data |
| reg-del | BOOLEAN | --reg-del | Delete a Windows registry key value |
| reg-key | STRING | --reg-key | Windows registry key |
| retries | STRING | --retries | Retries when the connection timeouts (default 3) |
| threads | STRING | --threads | Max number of concurrent HTTP(s) requests (default 1) |
| timeout | STRING | --timeout | Seconds to wait before timeout connection (default 30) |
| comments | BOOLEAN | --comments | Check for DBMS comments during enumeration |
| csrf-url | STRING | --csrf-url | URL address to visit for extraction of anti-CSRF token |
| database | STRING | -D | DBMS database to enumerate |
| dump-all | BOOLEAN | --dump-all | Dump all DBMS databases tables entries |
| encoding | STRING | --encoding | Character encoding used for data retrieval (e.g. GBK) |
| hostname | BOOLEAN | --hostname | Retrieve DBMS server hostname |
| log-file | FILE | -l | Parse target(s) from Burp or WebScarab proxy log file |
| os-shell | BOOLEAN | --os-shell | Prompt for an interactive operating system shell |
| priv-esc | BOOLEAN | --priv-esc | Database process user privilege escalation |
| reg-data | STRING | --reg-data | Windows registry key value data |
| reg-read | BOOLEAN | --reg-read | Read a Windows registry key value |
| reg-type | STRING | --reg-type | Windows registry key value type |
| retry-on | STRING | --retry-on | Retry request on regexp matching content (e.g. "drop") |
| safe-req | FILE | --safe-req | Load safe HTTP request from a file |
| safe-url | STRING | --safe-url | URL address to visit frequently during testing |
| skip-waf | BOOLEAN | --skip-waf | Skip heuristic detection of WAF/IPS protection |
| sql-file | FILE | --sql-file | Execute SQL statements from given file(s) |
| time-sec | STRING | --time-sec | Seconds to delay the DBMS response (default 5) |
| tmp-path | STRING | --tmp-path | Remote absolute path of temporary files directory |
| tor-port | STRING | --tor-port | Set Tor proxy port other than default |
| tor-type | STRING | --tor-type | Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default)) |
| unstable | BOOLEAN | --unstable | Adjust options for unstable connections |
| web-root | STRING | --web-root | Web server document root directory (e.g. "/var/www") |
| auth-cred | STRING | --auth-cred | HTTP authentication credentials (name:password) |
| auth-file | FILE | --auth-file | HTTP authentication PEM cert/private key file |
| auth-type | STRING | --auth-type | HTTP authentication type (Basic, Digest, Bearer, ...) |
| bulk-file | FILE | -m | Scan multiple targets given in a textual file |
| check-tor | BOOLEAN | --check-tor | Check to see if Tor is used properly |
| csrf-data | STRING | --csrf-data | POST data to send during anti-CSRF token page visit |
| dbms-cred | STRING | --dbms-cred | DBMS authentication credentials (user:password) |
| file-dest | STRING | --file-dest | Back-end DBMS absolute filepath to write to |
| file-read | STRING | --file-read | Read a file from the back-end DBMS file system |
| force-ssl | BOOLEAN | --force-ssl | Force usage of SSL/HTTPS |
| mnemonics | STRING | -z | Use short mnemonics (e.g. "flu,bat,ban,tec=EU") |
| no-escape | BOOLEAN | --no-escape | Turn off string escaping mechanism |
| param-del | STRING | --param-del | Character used for splitting parameter values (e.g. &) |
| passwords | BOOLEAN | --passwords | Enumerate DBMS users password hashes |
| randomize | STRING | --randomize | Randomly change value for given parameter(s) |
| reg-value | STRING | --reg-value | Windows registry key value |
| safe-freq | STRING | --safe-freq | Regular requests between visits to a safe URL |
| safe-post | STRING | --safe-post | POST data to send to a safe URL |
| sql-query | STRING | --sql-query | SQL statement to be executed |
| sql-shell | BOOLEAN | --sql-shell | Prompt for an interactive SQL shell |
| technique | STRING | --technique | SQL injection techniques to use (default "BEUSTQ") |
| test-skip | STRING | --test-skip | Skip tests by payloads and/or titles (e.g. BENCHMARK) |
| text-only | BOOLEAN | --text-only | Compare pages based only on the textual content |
| verbosity | STRING | -v | Verbosity level: 0-6 (default 1) |
| abort-code | STRING | --abort-code | Abort on (problematic) HTTP error code(s) (e.g. 401) |
| cookie-del | STRING | --cookie-del | Character used for splitting cookie values (e.g. ;) |
| csrf-token | STRING | --csrf-token | Parameter used to hold anti-CSRF token |
| current-db | BOOLEAN | --current-db | Retrieve DBMS current database |
| dns-domain | STRING | --dns-domain | Domain name used for DNS exfiltration attack |
| file-write | FILE | --file-write | Write a local file on the back-end DBMS file system |
| keep-alive | BOOLEAN | --keep-alive | Use persistent HTTP(s) connections |
| not-string | STRING | --not-string | String to match when query is evaluated to False |
| preprocess | STRING | --preprocess | Use given script(s) for preprocessing (request) |
| privileges | BOOLEAN | --privileges | Enumerate DBMS users privileges |
| proxy-cred | STRING | --proxy-cred | Proxy authentication credentials (name:password) |
| proxy-file | FILE | --proxy-file | Load proxy list from a file |
| proxy-freq | STRING | --proxy-freq | Requests between change of proxy from a given list |
| second-req | FILE | --second-req | Load second-order HTTP request from file |
| second-url | STRING | --second-url | Resulting page URL searched for second-order response |
| shared-lib | FILE | --shared-lib | Local path of the shared library |
| statements | BOOLEAN | --statements | Retrieve SQL statements being run on DBMS |
| time-limit | STRING | --time-limit | Run with a time limit in seconds (e.g. 3600) |
| udf-inject | BOOLEAN | --udf-inject | Inject custom user-defined functions |
| union-char | STRING | --union-char | Character to use for bruteforcing number of columns |
| union-cols | STRING | --union-cols | Range of columns to test for UNION query SQL injection |
| union-from | STRING | --union-from | Table to use in FROM part of UNION query SQL injection |
| user-agent | STRING | --user-agent | HTTP User-Agent header value |
| base64-safe | BOOLEAN | --base64-safe | Use URL and filename safe Base64 alphabet (RFC 4648) |
| config-file | FILE | -c | Load options from a configuration INI file |
| csrf-method | STRING | --csrf-method | HTTP method to use during anti-CSRF token page visit |
| dump-format | STRING | --dump-format | Format of dumped data (CSV (default), HTML or SQLITE) |
| fingerprint | BOOLEAN | --fingerprint | Perform an extensive DBMS version fingerprint |
| google-dork | STRING | -g | Process Google dork results as target URLs |
| ignore-code | STRING | --ignore-code | Ignore (problematic) HTTP error code(s) (e.g. 401) |
| os-smbrelay | BOOLEAN | --os-smbrelay | One click prompt for an OOB shell, Meterpreter or VNC |
| postprocess | STRING | --postprocess | Use given script(s) for postprocessing (response) |
| skip-static | BOOLEAN | --skip-static | Skip testing parameters that not appear to be dynamic |
| test-filter | STRING | --test-filter | Select tests by payloads and/or titles (e.g. ROW) |
| common-files | BOOLEAN | --common-files | Check existence of common files |
| csrf-retries | STRING | --csrf-retries | Retries for anti-CSRF token retrieval (default 0) |
| current-user | BOOLEAN | --current-user | Retrieve DBMS current user |
| ignore-proxy | BOOLEAN | --ignore-proxy | Ignore system default proxy settings |
| live-cookies | STRING | --live-cookies | Live cookies file used for loading up-to-date values |
| load-cookies | STRING | --load-cookies | File containing cookies in Netscape/wget format |
| optimization | BOOLEAN | -o | Turn on all optimization switches |
| param-filter | STRING | --param-filter | Select testable parameter(s) by place (e.g. "POST") |
| parse-errors | BOOLEAN | --parse-errors | Parse and display DBMS error messages from responses |
| pivot-column | STRING | --pivot-column | Pivot column name |
| random-agent | BOOLEAN | --random-agent | Use randomly selected HTTP User-Agent header value |
| request-file | FILE | -r | Load HTTP request from a file |
| session-file | FILE | -s | Load session from a stored (.sqlite) file |
| table-prefix | STRING | --table-prefix | Prefix used for temporary tables (default: "sqlmap") |
| union-values | STRING | --union-values | Column values to use for UNION query SQL injection |
| binary-fields | STRING | --binary-fields | Result fields having binary values (e.g. "digest") |
| common-tables | BOOLEAN | --common-tables | Check existence of common tables |
| crawl-exclude | STRING | --crawl-exclude | Regexp to exclude pages from crawling (e.g. "logout") |
| flush-session | BOOLEAN | --flush-session | Flush session files for current target |
| fresh-queries | BOOLEAN | --fresh-queries | Ignore query results stored in session file |
| param-exclude | STRING | --param-exclude | Regexp to exclude parameters from testing (e.g. "ses") |
| abort-on-empty | BOOLEAN | --abort-on-empty | Abort data retrieval on empty results |
| check-internet | BOOLEAN | --check-internet | Check Internet connection before assessing the target |
| common-columns | BOOLEAN | --common-columns | Check existence of common columns |
| exclude-sysdbs | BOOLEAN | --exclude-sysdbs | Exclude DBMS system databases when enumerating tables |
| invalid-bignum | BOOLEAN | --invalid-bignum | Use big numbers for invalidating values |
| invalid-string | BOOLEAN | --invalid-string | Use random strings for invalidating values |
| predict-output | BOOLEAN | --predict-output | Predict common queries output |
| skip-urlencode | BOOLEAN | --skip-urlencode | Skip URL encoding of payload data |
| drop-set-cookie | BOOLEAN | --drop-set-cookie | Ignore Set-Cookie header from response |
| ignore-timeouts | BOOLEAN | --ignore-timeouts | Ignore connection timeouts |
| invalid-logical | BOOLEAN | --invalid-logical | Use logical operations for invalidating values |
| null-connection | BOOLEAN | --null-connection | Retrieve page length without actual HTTP response body |
| skip-heuristics | BOOLEAN | --skip-heuristics | Skip heuristic detection of vulnerabilities |
| test-parameters | STRING | -p | Testable parameter(s) |
| disable-coloring | BOOLEAN | --disable-coloring | Disable console output coloring |
| ignore-redirects | BOOLEAN | --ignore-redirects | Ignore redirection attempts |
| connection-string | STRING | -d | Connection string for direct database connection |
| exclude-idnetifiers | STRING | -X | DBMS database identifier(s) to not enumerate |
example
# detect injection on a parameter, then list databases (authorized lab target)sqlmap --url="http://example.com/page?id=1" --answers="quit=N,follow=N" --level=2 --risk=1 --dbs[*] starting @ 12:04:17[12:04:18] [INFO] testing connection to the target URL[12:04:19] [INFO] checking if the target is protected by some kind of WAF/IPS[12:04:21] [INFO] testing if the target URL content is stable[12:04:22] [INFO] GET parameter 'id' appears to be injectable[12:04:28] [INFO] the back-end DBMS is PostgreSQLavailable databases [2]:[*] example[*] information_schemaguidance
Use sqlmap when you have a URL or request with a parameter you suspect is injectable, or a crawl of candidate URLs to test. It exploits injection, it does not find URLs, so feed it a crawler's output. Only run it against systems you are authorized to test.
Newer injection tool with strong WAF evasion. sqlmap has the broader feature set and DBMS coverage.
Template-based scanner that flags likely injection points. Use it to triage, then sqlmap to confirm and exploit.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A target is crawled by katana for parameterized URLs, then sqlmap tests them for injection and writes the confirmed findings as output.
Facts on this page come from the live Trickest tool library.