🔒SecurityRepoIndex

SQLMap

The standard, automatic SQL injection exploitation tool — detect, fingerprint and dump databases through a vulnerable parameter

4.5/ 537,862 GitHub starsPythonGPL-2.0

⚡ TL;DR

What
The standard, automatic SQL injection exploitation tool — detect, fingerprint and dump databases through a vulnerable parameter
Who
Web application pentesters, Bug bounty hunters, Red teams, Database security testers
Catch
It's ONLY SQL injection — not a general web scanner
Verdict
⭐⭐⭐⭐⭐ Essential

🎯 The Problem It Solves

Manual SQL injection is tedious: confirm the注入点, figure out the DBMS, then exfiltrate schema, users and data by hand. Sqlmap automates the entire chain — detection, fingerprinting, and full database takeover — turning a found parameter into a dumped table with one command.

🔧 How It Works

Point sqlmap at a URL/request with a suspect parameter. It probes with a battery of injection techniques (boolean blind, time-based blind, error-based, UNION, stacked). Once it confirms and fingerprints the DBMS, it can enumerate users, privileges, schemas and tables, then dump data — and even pop an OS shell or read/write files where the DB user allows. Tamper scripts help evade WAFs.

🚀 Installation & Quick Start

Installation

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git\ncd sqlmap\npython sqlmap.py --update\n\n# Dependencies: Python 3.7+ (already installed on most systems)

Quick Start

  1. Install: pipx install sqlmap or git clone https://github.com/sqlmapproject/sqlmap
  2. Basic test: sqlmap -u 'https://example.com/item?id=1' --batch
  3. Enumerate DBs: sqlmap -u '...' --dbs
  4. Dump a table: sqlmap -u '...' -D appdb -T users --dump
  5. Try OS access: sqlmap -u '...' --os-shell (only if the DB user permits)

✅ Pros

  • The most mature, battle-tested SQLi tool in existence
  • Truly automatic — from parameter to dumped table with little input
  • Huge technique and tamper coverage for awkward WAFs
  • Free and continuously maintained for 15+ years

❌ Cons

  • It's ONLY SQL injection — not a general web scanner
  • Loud and easy to detect; heavy scanning will trip WAFs/IDS
  • Slow on time-based-blind targets (lots of sleeping requests)
  • Powerful enough to cause real damage — authorization matters

💬 Practitioner Verdict

"Sqlmap is the SQL injection tool. There\'s no real competitor for raw, automatic exploitation of a found parameter. Just remember it\'s a scalpel, not a scanner — find the injection point first, then let sqlmap do the boring part."
Emmanuel, Security Reviewer

📊 Specifications

Language
Python
License
GPL-2.0
Platform
Linux, macOS, Windows
Kill Chain
Initial Access / Exploitation
MITRE ATT&CK
T1190

💰 Pricing Reality

Free and open source (GPL-2.0). No paid tier. Your cost is purely the time it saves you versus manual exploitation.

👥 Community Health

Stars37,862
Forks6,310
Contributors138
Health Score9/10

🏷️ Tags

ExploitationOpen SourceFreeWeb Scanning

🔗 Similar Tools