sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, ranging from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
If you are running on a UNIX/Linux system type the following command from a terminal:
python sqlmap.py -h
You can also see the detailed help message by typing:
python sqlmap.py -hh
If you are running on a Windows system type the following command from a terminal:
C:\Python27\python.exe sqlmap.py -h
C:\Python27 is the path where you installed Python >= 2.6 and < 3.0.
Yes. sqlmap is released under the terms of the GPLv2, which means that any derivative work must be distributed without further restrictions on the rights granted by the General Public License itself.
If you wish to embed sqlmap technology into proprietary software, we sell alternative licenses (contact firstname.lastname@example.org)
All code contributions are greatly appreciated. First off, clone the Git repository, read the user's manual carefully, go through the code yourself and drop us an email if you are having a hard time grasping its structure and meaning. We apologize for not commenting the code enough - you could take a chance to read it through and improve it.
In order to maintain consistency and readability throughout the code, we ask that you adhere to the following instructions:
By submitting code contributions to the sqlmap developers, to the mailing lists, or via Git pull request, checking them into the sqlmap source code repository, it is understood (unless you specify otherwise) that you are offering the sqlmap project the unlimited, non-exclusive right to reuse, modify, and relicense the code. sqlmap will always be available Open Source, but this is important because the inability to relicense code has caused devastating problems for other Free Software projects (such as KDE and NASM). If you wish to specify special license conditions of your contributions, just say so when you send them.
We are constantly looking for people who can write clean Python code, are up for doing security research, know about web application security, database assessment and takeover, and software refactoring, and are motivated to join the development team.
If this sounds interesting to you, send us your pull requests - we are open to discuss granting of push access to the main repository if you prove professionalism, motivation and ability to write proper Python code.
sqlmap is the result of numerous hours of passionate work from a small team of computer security enthusiasts. If you appreciate our work and want to see sqlmap continue to be developed, please consider making a donation to our efforts via PayPal to
We tend to keep our Twitter page, @sqlmap, up to date with the development. We certainly update it more often than the mailing list. Hence, if you are keen on keeping a closer eye on the development you can:
We already support the major and some minor databases. We do have plans to extend support for some of them and also to support new ones: Informix and Ingres at some point in time.
We get occasional rage bursts from unknown people. It should be emphasized that with each sqlmap run end users are presented with the following prelude message:
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
Currently there is no pressure on Python projects to switch to the new version of Python interpreter, as the process of switching, especially on larger projects can be cumbersome (due to the few backward incompatibilities). The switch will take place eventually, but currently it is a very low priority task.
You can provide sqlmap with the following switch:
--no-cast Turn off payload casting mechanism
However, you might lose the benefits provided by this mechanism in the default configuration.
sqlmap needs to properly decode page content to be able to properly detect and deal with internationalized characters. In some cases web developers make mistakes when declaring the charset used by a web page (e.g. iso_8859 instead of the standardized name iso-8859), which can cause problems. As a failsafe mechanism we have incorporated the heuristic detection engine chardet, so in most cases sqlmap will deal with this kind of problem automatically.
Nevertheless, you are strongly advised to report those typographic mistakes back to us so we can handle them manually inside the code.
Append an asterisk, *, to the place where sqlmap should check for injections in the URI itself. For example, ./sqlmap.py -u "http://target.tld/id1/1*/id2/2", sqlmap will inject its payloads at that place marked with
This feature also applies to POST data. Multiple injection points are supported and will be assessed sequentially.
The session user most probably does not have enough permissions for querying on a system table containing password hashes.
There are a few IDSes that filter out all sqlmap requests based on its default User-Agent HTTP header (e.g. User-agent: sqlmap/1.0-dev). To prevent this kind of situation you are advised to use switch
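Seen from the defending side, the default header described above is a cheap signal to look for in web server logs. The following is an added example, not part of sqlmap or of the original FAQ: it scans access log lines in the common "combined" format for that User-Agent and counts hits per client; the sample lines, addresses and function name are constructed for illustration.

```python
import re
from collections import Counter

# One quoted field of the combined log format; Apache escapes embedded quotes as \"
_Q = r'"((?:[^"\\]|\\.)*)"'
# Groups: 1 = client IP, 2 = request line, 3 = status, 4 = referer, 5 = User-Agent
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + _Q + r' (\d{3}) \S+ ' + _Q + ' ' + _Q + r'$'
)

# Default header form quoted in the text ("sqlmap/1.0-dev"), any version suffix
SQLMAP_UA = re.compile(r'^sqlmap/\S+', re.IGNORECASE)

# Constructed sample log lines (documentation address ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"',
    '198.51.100.23 - - [10/Oct/2013:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Oct/2013:13:55:41 +0000] "GET /item.php?id=2 HTTP/1.1" 500 0 "-" "sqlmap/1.0-dev"',
    # The string appears in the URL only; the User-Agent field is what counts
    '198.51.100.23 - - [10/Oct/2013:13:56:02 +0000] "GET /search?q=sqlmap/1.0-dev HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    'corrupted entry',
]


def flag_default_sqlmap_agents(lines):
    """Return ({client_ip: hit_count}, unparsed_line_count)."""
    hits = Counter()
    unparsed = 0
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            # Count lines we could not parse instead of silently skipping them
            unparsed += 1
            continue
        ip, agent = m.group(1), m.group(5)
        if SQLMAP_UA.match(agent):
            hits[ip] += 1
    return dict(hits), unparsed


if __name__ == "__main__":
    hits, unparsed = flag_default_sqlmap_agents(SAMPLE_LOG)
    for ip, count in sorted(hits.items()):
        print(f"{ip}: {count} request(s) with default sqlmap User-Agent")
    print(f"unparsed lines: {unparsed}")
```

A hit is a reliable indicator, but the absence of hits is not, because the header is set by the client.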
If you are getting that kind of message for all targets then you most probably need to properly set up your proxy settings (switches
It is possible to run those statements as well as any other statement on the target database given that stacked queries SQL injection is supported by the vulnerable application or you are connecting directly to the database with the -d switch and the session user has such privileges (or a privilege escalation vector has been injected upfront).
In most cases of that kind, commercial tools rely on blatant error message detection, which leads to false positive claims. You have to be aware that a DBMS error message does not mean that the affected web application is vulnerable to SQL injection attacks. sqlmap goes several steps further and never claims an injection point without running thorough tests of whether it can be exploited in the first place.
sqlmap is very granular in terms of dumping entries from a table. The relevant switches are:
--dump               Dump DBMS database table entries
-D DB                DBMS database to enumerate
-T TBL               DBMS database table to enumerate
-C COL               DBMS database table column to enumerate
--start=LIMITSTART   First query output entry to retrieve
--stop=LIMITSTOP     Last query output entry to retrieve
--first=FIRSTCHAR    First query output word character to retrieve
--last=LASTCHAR      Last query output word character to retrieve
However, in some cases you might want to dump all entries given a custom WHERE condition. For such cases, we recommend using one of the following switches:
--sql-query=QUERY    SQL statement to be executed
--sql-shell          Prompt for an interactive SQL shell
--sql-file=SQLFILE   Execute SQL statements from given file(s)
--sql-query "SELECT user, password FROM users WHERE privilege='admin'"
From the Tags page on GitHub.