SQLMap Database Penetration Testing
This skill should be used when the user asks to "automate SQL injection testing," "enumerate database structure," "extract database credentials using sqlmap," "dump tables and columns from a vulnerable database," or "perform automated database penetration testing." It provides comprehensive guidance for using SQLMap to detect and exploit SQL injection vulnerabilities.
Author
zebbern
Category
Other ToolsInstall
Hot:8
Download and extract to your skills directory
Copy command and send to OpenClaw for auto-install:
Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-sqlmap-database-pentesting&locale=en&source=copy
SQLMap Database Penetration Testing
Skills Overview
Provide a systematic approach for using SQLMap to automate SQL injection detection and database penetration testing, covering the complete workflow including database enumeration, table structure discovery, data extraction, and multi-target scanning.
Applicable Scenarios
1. Authorized Penetration Testing
In security testing projects with written authorization, use SQLMap to quickly discover and verify SQL injection vulnerabilities, enumerate database structures, and extract sensitive data. Suitable for red team operations, vulnerability assessments, and security audits.
2. Database Vulnerability Assessment
Perform database security checks on web applications by automatically scanning injection points in URL parameters, POST requests, and cookies. Identify various SQL injection types such as boolean-based blind, time-based blind, and UNION-based injections.
3. CTF and Security Research
In CTF competitions, security training, or research environments, use SQLMap to solve SQL injection challenges and learn database attack techniques. Supports loading targets from Burp Suite request files, bulk URL lists, and log files.
Core Features
1. Automated Database Enumeration
Use step-by-step commands to automatically enumerate all databases on the target server, table names within databases, column structures of tables, and export specified data. Supports 12 popular database systems such as MySQL, PostgreSQL, MSSQL, and Oracle.
2. Support for Multiple Injection Techniques
Integrates 6 SQL injection detection engine types, including boolean-based blind, time-based blind, error-based injection, UNION query, stacked queries, and out-of-band injection. It automatically selects the most suitable technique to extract data.
3. Flexible Target Configuration
Supports multiple ways to specify targets, such as direct URLs, request files, batch files, and Google Dork (legal targets only). Provides advanced options including WAF bypass scripts, delays, retries, and proxies.
Frequently Asked Questions
What is SQLMap? What is it used for?
SQLMap is an open-source automated SQL injection tool used to detect and exploit SQL injection vulnerabilities in web applications. Common scenarios include authorized penetration testing, security assessments, vulnerability research, and CTF competitions. Before use, you must obtain written authorization for the target system; unauthorized testing is illegal.
How do I use SQLMap to enumerate a database?
Use step-by-step commands for database enumeration: first run
sqlmap -u "URL" --dbs --batch to list all databases; then use -D to specify the database name and add --tables to enumerate tables; next use -T with the table name and add --columns to enumerate columns; finally use --dump to export data or --dump-all to export the entire database.Is using SQLMap for penetration testing legal?
Using SQLMap itself is legal, but the key factor is whether the target has been authorized for testing. You may use SQLMap for penetration testing only after obtaining explicit written authorization from the system owner. Typical legitimate scenarios include: internal corporate security testing, contracted penetration testing services, CTF competition environments, and authorized vulnerability bounty programs. Scanning or attacking unauthorized targets with SQLMap is illegal.