SQLMap Tutorial
Intermediate · ⏱ 18 min read · Bug Bounty & Offensive Security
Automate SQL injection like a pro with SQLMap.
SQLMap is the most powerful open-source SQL injection tool. It automatically detects and exploits SQLi across MySQL, PostgreSQL, MSSQL, Oracle, and SQLite.
Prerequisites
- SQLMap installed (sqlmap.org)
- A vulnerable target (DVWA, SQLi-labs, or authorized test)
- Basic SQL and HTTP knowledge
Installation
SQLMap is pre-installed on Kali. Otherwise, run git clone https://github.com/sqlmapproject/sqlmap.git to clone it from GitHub.
Basic Detection
Point SQLMap at a URL with GET parameters, supply POST data, or load a saved Burp request file.
Database Enumeration
After finding an injection point, enumerate with --dbs and --tables, then use --dump to extract data.
Advanced Techniques
SQLMap supports time-based blind, error-based, UNION, stacked-query, and out-of-band injection. Use --level=5 --risk=3 for maximum detection.
OS Shell & File Access
On vulnerable systems, use --os-shell for an interactive shell or --file-read for file access.
WAF Bypass with Tamper Scripts
Use --tamper with space2comment, between, randomcase, charunicodeencode to evade WAFs.
Popular Tamper Scripts
space2comment, between, randomcase, charunicodeencode, equaltolike, greatest.
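Seen from the detection side, three of the tamper scripts named above (space2comment, randomcase, charunicodeencode) only change how a payload is written, so a filter that normalizes the request before matching still sees it. The following is an added example, not part of the original tutorial or of SQLMap itself; the log lines, paths, version string and signature names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format); none are real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /item.php?id=1/**/UnIoN/**/SeLeCt/**/1,2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /item.php?id=1%u0020%u0075%u006E%u0069%u006F%u006E%u0020%u0073%u0065%u006C%u0065%u0063%u0074%u00201 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2025:10:00:07 +0000] "GET /item.php?id=7 HTTP/1.1" 200 512 "-" "sqlmap/1.8#stable (https://sqlmap.org)"',
]

LINE_RE = re.compile(
    r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures are written for the normalized (lower-case, single-space) form only.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "time-delay": re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),
}

def normalize(value: str) -> str:
    """Undo the rewriting done by the tamper scripts named on this page."""
    # charunicodeencode: %uXXXX sequences back to characters
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    value = unquote(value)                     # ordinary %XX URL encoding
    value = re.sub(r"/\*.*?\*/", " ", value)   # space2comment: /**/ used as whitespace
    value = re.sub(r"\s+", " ", value)         # collapse whitespace runs
    return value.lower()                       # randomcase: fold keyword case

def naive_match(target: str) -> bool:
    """Case-sensitive signature on the raw request, shown for comparison."""
    return "UNION SELECT" in unquote(target)

def inspect(line: str) -> list[str]:
    """Return the names of the checks that fire for one log line."""
    m = LINE_RE.search(line)
    if not m:
        return []
    normalized = normalize(m["target"])
    findings = [name for name, sig in SIGNATURES.items() if sig.search(normalized)]
    if m["ua"].lower().startswith("sqlmap/"):  # SQLMap's default User-Agent prefix
        findings.append("sqlmap-user-agent")
    return findings

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect(entry), entry.split('"')[1])
```

The User-Agent check only catches runs that keep SQLMap's default header, so treat it as a cheap first signal rather than the primary control; parameterized queries in the application remain the actual fix.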
Pentest Workflow
1) Find the injection point manually or with Burp.
2) Confirm with SQLMap.
3) Enumerate the DB.
4) Dump sensitive data.
5) Attempt an OS shell if in scope.
6) Report.
Frequently Asked Questions
Is SQLMap legal?
Only against systems with written authorization. Unauthorized SQL injection is a serious criminal offense.
Can it bypass WAFs?
Often yes, with tamper scripts and encoding. Modern ML-based WAFs are harder to bypass and may need manual techniques.
SQLMap vs manual SQLi?
SQLMap automates exploitation after you find the injection point. Manual testing is still essential for finding injection points and bypassing custom filters.