Cyber Security: What is SQLMap?

sqlmap is an open-source command-line tool that automates the detection and exploitation of SQL injection vulnerabilities. It is one of the longest-established tools in the offensive-security toolkit and is included by default in Kali Linux. It supports most mainstream database management systems including MySQL, PostgreSQL, Microsoft SQL Server, Oracle, SQLite, IBM Db2, and Sybase.

What sqlmap does

Given a target URL with a parameter that may be vulnerable, sqlmap walks through a sequence of test payloads to identify which SQL injection techniques work against the application. Once a working technique is found, it can enumerate database structure (tables, columns, users), extract data, read or write files on the database server’s file system where permissions allow, and even establish an operating-system command shell on the database host in some configurations.

Common usage

sqlmap -u 'https://example.com/product?id=1' --batch tests the id parameter using sqlmap’s default settings.

sqlmap -u '...' --dbs enumerates the databases visible to the application user.

sqlmap -u '...' -D customers -T orders --dump extracts the contents of a specific table.

For requests with authentication or specific cookies, the -r flag accepts a saved HTTP request file (often exported from Burp Suite) so that session context is preserved.

Detection techniques

sqlmap probes for boolean-based blind, time-based blind, error-based, UNION-based, stacked-query, and out-of-band injection in parallel. Each technique exploits different application behaviour and produces different evidence; sqlmap reports which ones succeeded so the tester understands the underlying flaw rather than just running the tool blindly.
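Seen from the defender's side, each technique class above leaves a recognisable trace in web-server access logs. The Python below is an added example, not part of sqlmap or the original article: it labels requests by technique class using assumed heuristic patterns and constructed log lines, and does not cover out-of-band injection.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined Log Format: client IP, request target and User-Agent are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed heuristic patterns, one per technique class; not sqlmap's payload list.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "time-based blind": re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    "error-based": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
    "UNION-based": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "stacked-query": re.compile(r";\s*(?:select|insert|update|delete|drop|exec)\b", re.I),
}

def classify(line):
    """Return (client_ip, sorted labels) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None, []
    target = unquote_plus(m.group("target"))  # decode %20, %3D and + before matching
    labels = [name for name, rx in SIGNATURES.items() if rx.search(target)]
    # The User-Agent is client-controlled, so it is one signal among several.
    if "sqlmap/" in m.group("ua").lower():
        labels.append("sqlmap user-agent")
    return m.group("ip"), sorted(labels)

def summarize(lines):
    """Map each client IP to every label seen across its requests."""
    seen = defaultdict(set)
    for line in lines:
        ip, labels = classify(line)
        if labels:
            seen[ip].update(labels)
    return {ip: sorted(labels) for ip, labels in seen.items()}

# Constructed sample lines (documentation IP ranges, made-up paths and values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /search?q=brand+and+style HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:01:00 +0000] "GET /product?id=1%20AND%205281%3D5281 HTTP/1.1" 200 512 "-" "sqlmap/1.x (https://sqlmap.org)"',
    '192.0.2.10 - - [01/Jan/2025:10:01:01 +0000] "GET /product?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.x (https://sqlmap.org)"',
    '192.0.2.44 - - [01/Jan/2025:10:02:00 +0000] "GET /product?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 500 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Patterns like these are triage heuristics and will miss encoded or obfuscated payloads.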

Use in penetration testing

sqlmap accelerates the exploitation phase after a manual finding of suspected SQL injection. Experienced testers usually identify the flaw manually with Burp Suite to understand the context, then hand it to sqlmap for full enumeration. Running sqlmap blindly against an unknown target is noisy, slow, and risks crashing fragile applications; targeted use against known-injectable parameters is the practical pattern.

Legal and ethical note

sqlmap can extract sensitive data and execute commands on a server. Using it against any system without written authorisation is a criminal offence in the UK under the Computer Misuse Act 1990. Engagement scope, target authorisation, and rules of engagement must be agreed before any tool is pointed at a live application.

Related terms

See also: SQL injection, Burp Suite, Kali Linux, and web application penetration testing.
