SQLMap
The standard, automatic SQL injection exploitation tool — detect, fingerprint and dump databases through a vulnerable parameter
⚡ TL;DR
🎯 The Problem It Solves
Manual SQL injection is tedious: confirm the注入点, figure out the DBMS, then exfiltrate schema, users and data by hand. Sqlmap automates the entire chain — detection, fingerprinting, and full database takeover — turning a found parameter into a dumped table with one command.
🔧 How It Works
Point sqlmap at a URL/request with a suspect parameter. It probes with a battery of injection techniques (boolean blind, time-based blind, error-based, UNION, stacked). Once it confirms and fingerprints the DBMS, it can enumerate users, privileges, schemas and tables, then dump data — and even pop an OS shell or read/write files where the DB user allows. Tamper scripts help evade WAFs.
🚀 Installation & Quick Start
Installation
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git\ncd sqlmap\npython sqlmap.py --update\n\n# Dependencies: Python 3.7+ (already installed on most systems)Quick Start
- Install: pipx install sqlmap or git clone https://github.com/sqlmapproject/sqlmap
- Basic test: sqlmap -u 'https://example.com/item?id=1' --batch
- Enumerate DBs: sqlmap -u '...' --dbs
- Dump a table: sqlmap -u '...' -D appdb -T users --dump
- Try OS access: sqlmap -u '...' --os-shell (only if the DB user permits)
✅ Pros
- •The most mature, battle-tested SQLi tool in existence
- •Truly automatic — from parameter to dumped table with little input
- •Huge technique and tamper coverage for awkward WAFs
- •Free and continuously maintained for 15+ years
❌ Cons
- •It's ONLY SQL injection — not a general web scanner
- •Loud and easy to detect; heavy scanning will trip WAFs/IDS
- •Slow on time-based-blind targets (lots of sleeping requests)
- •Powerful enough to cause real damage — authorization matters
💬 Practitioner Verdict
"Sqlmap is the SQL injection tool. There\'s no real competitor for raw, automatic exploitation of a found parameter. Just remember it\'s a scalpel, not a scanner — find the injection point first, then let sqlmap do the boring part."
📊 Specifications
- Language
- Python
- License
- GPL-2.0
- Platform
- Linux, macOS, Windows
- Kill Chain
- Initial Access / Exploitation
- MITRE ATT&CK
- T1190
💰 Pricing Reality
Free and open source (GPL-2.0). No paid tier. Your cost is purely the time it saves you versus manual exploitation.