sqlmap: Open-source SQL injection and database takeover tool
Finding and exploiting SQL injection vulnerabilities is one of the oldest and most common steps in web application testing. sqlmap streamlines this process. It is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws and can take over database servers when configured to do so.
What makes sqlmap valuable is its automation. Instead of manually crafting and testing payloads, the tool does the work of identifying injection points, determining the type of database in use, and running a range of exploitation techniques. For testers working across many targets, that speed and consistency make a difference.
How sqlmap works
sqlmap uses a detection engine that supports several types of SQL injection: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band. Once it identifies a vulnerability, it can fingerprint the database, extract data, and even execute commands on the underlying operating system, depending on the level of access available.
The tool can enumerate users, password hashes, roles, and privileges. It can identify database structures, search for particular tables or columns, and dump selected data ranges. Testers can focus on specific tables or strings, such as names or passwords, to locate sensitive credentials.
Broad database support
One of sqlmap’s strengths is its wide compatibility. It supports nearly every major database management system, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, and SAP MaxDB. It also works with newer or niche platforms such as MariaDB, TiDB, CockroachDB, Vertica, OpenGauss, and ClickHouse.
This range means testers can apply a single workflow across diverse environments. Whether the target is a traditional relational database or a distributed system, sqlmap can adapt its methods to match the DBMS in use.
From database to operating system
When sqlmap exploits an injection, it can often go beyond the database itself. If the target runs MySQL, PostgreSQL, or Microsoft SQL Server, the tool can access the file system directly. It allows users to upload or download files from the underlying operating system, a useful capability when testing post-exploitation scenarios.
The same applies to command execution. sqlmap can run system commands and retrieve their output, offering testers a way to understand how deep their access goes. For advanced cases, it can open an out-of-band TCP connection between the testing machine and the target. Through this channel, users can spawn an interactive shell, a Meterpreter session, or even a VNC session for remote interaction.
Integrating with other tools
sqlmap also supports integration with Metasploit for privilege escalation. Using Metasploit’s Meterpreter getsystem command, a tester can attempt to elevate the database process’s privileges to gain higher-level access. This connection between tools highlights sqlmap’s flexibility within broader penetration testing workflows.
For users who already have database credentials, sqlmap can connect directly without exploiting a vulnerability. This makes it useful not just for offensive testing but also for auditing and verifying database configurations. Testers can confirm which privileges exist and whether sensitive data is exposed.
Why sqlmap remains a standard tool
Despite the growth of automated scanners and cloud-based testing platforms, sqlmap remains a standard tool in many penetration testers’ toolkits. Its strength lies in combining automation with fine-grained control. Users can set switches to adjust behavior, control verbosity, or define exactly which data to extract.
It supports both wide scanning and targeted analysis. A tester can run it across an entire application to locate vulnerable parameters, then narrow the focus to specific database tables or data ranges. The flexibility to shift between broad reconnaissance and precise exploitation is what keeps sqlmap relevant.
sqlmap is available for free on GitHub.
Must read:
- 35 open-source security tools to power your red team, SOC, and cloud security
- GitHub CISO on security strategy and collaborating with the open-source community
Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!