
sqlmap

Automated SQL-injection exploitation — fingerprints DB, dumps tables, opens OS shells.


// what it is

Description

Bernardo Damele's Python beast that automates every step of SQLi exploitation. Detects ~6 different injection techniques across 35+ database backends, including the blind and time-based variants that humans hate testing by hand. Supports JSON/XML body injection, custom headers, and tamper scripts for WAF bypass.

// use cases

What people use it for

  • Confirm a suspected SQLi finding in seconds
  • Dump entire database structures + contents
  • OS-shell pivoting via `xp_cmdshell` or `INTO OUTFILE`

// commands

The commands you'll type

Detect injection on a URL

$ sqlmap -u 'https://target/page?id=1' --batch

Dump current database

$ sqlmap -u '...' --current-db --dump

Try with WAF-bypass tamper

$ sqlmap -u '...' --tamper=space2comment,charunicodeencode

// facts

category: Web AppSec
platforms: LIN · WIN · MAC
license: FOSS
difficulty: Intermediate
