Automatic SQL injection and database takeover tool

Overview

sqlmap

Build Status Python 2.6|2.7|3.x License GitHub closed issues Twitter

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

sqlmap is sponsored by SpyderSec.

Screenshots

Screenshot

You can visit the collection of screenshots demonstrating some of the features on the wiki.

Installation

You can download the latest tarball by clicking here or latest zipball by clicking here.

Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6, 2.7 and 3.x on any platform.

Usage

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, a list of supported features, and a description of all options and switches, along with examples, you are advised to consult the user's manual.

Links

Translations

Comments
  • SQLmap and CVE-2014-1854

    SQLmap and CVE-2014-1854

    Hi,

    Attempting to fully exploit the following vulnerability with sqlmap: http://www.exploit-db.com/exploits/31834/

    You can download the Turnkey Wordpress appliance, then download the vulnerable version of adrotate here:

    http://downloads.wordpress.org/plugin/adrotate.3.9.4.zip

    Simply upload the zip and activate the plugin, you will be vulnerable. I can successfully exploit the SQLi using the PoC and various tinkerings. The fun thing about it is the SQLi result shows up in the Location header (and your HTTP code is 302, instead of 200 when it doesn't work). I have set --code=302 as well as --string='Location:', but I can't get SQLmap to detect it.

    You also must use --tamper=base64encode.

    A problem seems to be there is no body. The result of the first column selected in the payload is put in the Location header.

    opened by brandonprry 38
  • sqlmapapi prot question

    sqlmapapi prot question

    I would like to ask, sqlmapapi if activated will open a port, if I think this port can only visit a ip, sqlmap can be set up?If the port has been scanned, it means that others can access and use.

    enhancement normal miscellaneous 
    opened by M7lrv 28
  • Tor not working

    Tor not working

    can someone tell me, why I gets this error, when I use tor? In normal connecting without tor, all working.

    using python version 2.7
    sqlmap {1.0-dev-nongit-20150919}

    https://gyazo.com/e3ab8127d02ed761fe4723d2b17d43c4

    I use sqlmap.py -u "host" --dbs --tor --tor-type=SOCKS5 --tor-port=9150 --random-agent

    support 
    opened by Pablossoo 23
  • "sqlmap [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)"

    Hi Running sqlmap 1.0-dev, Kali linux up to date, tomcat 7, and latest WebGoat v5.4

    I can log into WebGoat via the browser http://localhost:8080/WebGoat-5.4/attack?Screen=153&menu=1100 with the login and password.

    I then tried to execute this:

    sqlmap -u "http://localhost:8080/WebGoat-5.4/attack?Screen=153&menu=1100" --banner --auth-type="Basic" --auth-cred="webgoat:webgoat"

    but it gives me:

    [*] starting at 17:11:09

    [17:11:09] [INFO] testing connection to the target URL [17:11:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401) [17:11:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401) [17:11:09] [WARNING] HTTP error codes detected during run: 401 (Unauthorized) - 1 times

    [*] shutting down at 17:11:09

    I did read the manual page and googled the terms “CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials” read some web sites, but still, I’m stumped. I have read the following links:

    https://github.com/sqlmapproject/sqlmap/issues/542 https://github.com/sqlmapproject/sqlmap/issues/125 http://tech4castblog.wordpress.com/2012/04/20/webgoat-http-authentication-type-and-valid-credentials-401-5/ (so is there a way to specify the port number 8080 to sqlmap? Shouldn’t sqlmap be able to figure out the port number since it’s specified in the URL?…is this the cause of error?)

    http://comments.gmane.org/gmane.comp.security.sqlmap/234

    the above came from the following google terms: “sqlmap [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)”

    Appreciate some help. Thanks. Gordon

    bug normal request 
    opened by gordonmasec 23
  • [CRITICAL] unable to retrieve the database names

    [CRITICAL] unable to retrieve the database names

    Hello! Why does not searchable database! I have changed in the Tour test comparison page

    C:\Python27\sqlmap>sqlmap.py -u "http://[REDACTED]/ksjh_list.aspx?year=2011"
    --level 5 --risk 3 --batch --tamper=between,charunicodeencode --dbs --dbms "Micr
    osoft SQL Server"
    
    
    
    [09:54:27] [WARNING] parameter length constraint mechanism detected (e.g. Suhosi
    n patch). Potential problems in enumeration phase can be expected
    GET parameter 'year' is vulnerable. Do you want to keep testing the others (if a
    ny)? [y/N] N
    sqlmap identified the following injection points with a total of 531 HTTP(s) req
    uests:
    
    ---
    Place: GET
    Parameter: year
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: year=2011 AND 2168=2168
    
    ---
    [09:54:27] [WARNING] changes made by tampering scripts are not included in shown
     payload content(s)
    [09:54:27] [INFO] testing MySQL
    [09:54:27] [WARNING] the back-end DBMS is not MySQL
    [09:54:27] [INFO] testing Oracle
    [09:54:28] [WARNING] the back-end DBMS is not Oracle
    [09:54:28] [INFO] testing PostgreSQL
    [09:54:29] [WARNING] the back-end DBMS is not PostgreSQL
    [09:54:29] [INFO] testing Microsoft SQL Server
    [09:54:29] [INFO] confirming Microsoft SQL Server
    [09:54:31] [INFO] the back-end DBMS is Microsoft SQL Server
    web server operating system: Windows 2008
    web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
    back-end DBMS: Microsoft SQL Server 2008
    [09:54:31] [INFO] fetching database names
    [09:54:31] [INFO] fetching number of databases
    [09:54:31] [WARNING] running in a single-thread mode. Please consider usage of o
    ption '--threads' for faster data retrieval
    [09:54:31] [INFO] retrieved:
    [09:54:33] [WARNING] in case of continuous data retrieval problems you are advis
    ed to try a switch '--no-cast' or switch '--hex'
    [09:54:33] [ERROR] unable to retrieve the number of databases
    [09:54:33] [INFO] retrieved:
    [09:54:36] [INFO] falling back to current database
    [09:54:36] [INFO] fetching current database
    [09:54:36] [INFO] retrieved:
    [09:54:40] [CRITICAL] unable to retrieve the database names
    [09:54:40] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 145 times
    
    [*] shutting down at 09:54:40
    
    
    C:\Python27\sqlmap>
    
    invalid support 
    opened by aiongw 23
  • sqlmap missing mandatory options!

    sqlmap missing mandatory options!

    I wanted to start SQLmap on kali linux but i got the following error: sqlmap error: missing a mandatory option (-d, -u, -l , -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), use -h for basic or --h for advanced help.

    So i updated Kali Linux, still no fix. Then i downloaded it on windows with Python. still the same error...

    I hope you can help me.

    invalid 
    opened by dispater13 22
  • [CRITICAL] unable to execute operating system commands via the back-end DBMS

    [CRITICAL] unable to execute operating system commands via the back-end DBMS

    Hello, could you explain me pls what does it meen this error and what can i change in comnnad that this error delete. THANKS!

    ./sqlmap.py -u http://www.site.com/category.asp?category_id=6 --os-cmd -v l [00:54:07] [INFO] resuming back-end DBMS 'microsoft sql server' [00:54:07] [INFO] testing connection to the target URL

    sqlmap resumed the following injection point(s) from stored session:

    Parameter: category_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: category_id=6 AND 2290=2290

    [00:54:08] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2008 R2 or 7 web application technology: ASP.NET, Microsoft IIS 7.5, ASP back-end DBMS: Microsoft SQL Server 2008 [00:54:08] [CRITICAL] unable to execute operating system commands via the back-end DBMS

    [*] shutting down at 00:54:08

    support 
    opened by AVR1234 22
  • ridiculous sqlmap issue

    ridiculous sqlmap issue

    The number of times where I've had a straight forward injection and sqlmap has failed to exploit it is unbelievable.

    One example was with a parameter vulnerable to time based sql injection after the order by clause, so the payload would be: vulnerableparameter=2,sleep(2)

    Another payload that works is: vulnerableparameter=2,(select/**/sleep(10)/**/from/**/dual/**/where/**/2/**/=/**/5)

    and then sqlmap should expand on that to get database,tables names etc.. etc. If it tries to end the query, it will break e.g using # or -- or any other comments it will break, so I told sqlmap not to use any and since spaces are not allowed, I also made it use mysql comments.

    I've tried: sqlmap.py -u "http://example.com/?vulnerableparameter=2" -p "vulnerableparameter" --prefix="," --suffix="" --technique=T --dbs --dbms=mysql --level=5 --risk=3 --tamper=space2comment

    and unbelievably, it said it was not injectable, unreal.

    How can sqlmap fail to find such simple injections?

    invalid 
    opened by crossedz 22
  • Asynchronous RESTful API to interact with sqlmap engine

    Asynchronous RESTful API to interact with sqlmap engine

    Design and develop an asynchronous RESTful API to interact with sqlmap engine. This is useful to use/call sqlmap from custom scripts, web interface, third-party tools or similar as opposed to use it from command line or wrap it as in a call similar to os.popen('sqlmap...').

    This API will replace the XML-RPC service (#287).

    enhancement normal miscellaneous 
    opened by bdamele 22
  • Skip sqlmap waf testing

    Skip sqlmap waf testing

    When I try to start testing with sqlmap, sqlmap will send queries like these :

    1'tFmggO<'">AeQpzc

    1"(,..,'(,,

    And my target will response with error 500 and sqlmap will show me connection dropped

    I tested my target manualy and it is okey

    So how should I skip those two queries? Or in which files I can comment this lines?

    Regards

    opened by johnyjin 20
  • can't injection eg. id[*]=0

    can't injection eg. id[*]=0

    id[*]=0 I want to inject inside like this: id[' aNd select * from user#]=1 or this: id[' aNd select * from user#]=

    but.. sqlmap payload: id[' aNd select * from user# 從我的 MI6,使用 FastHub 發送。

    從我的 MI6,使用 FastHub 發送。

    support 
    opened by 687766616e 20
Releases(1.6)
Owner
sqlmapproject
sqlmapproject
An open source multi-tool for exploring and publishing data

Datasette An open source multi-tool for exploring and publishing data Datasette is a tool for exploring and publishing data. It helps people take data

Simon Willison 6.8k Jan 1, 2023
The command-line tool that gives easy access to all of the capabilities of B2 Cloud Storage

B2 Command Line Tool The command-line tool that gives easy access to all of the capabilities of B2 Cloud Storage. This program provides command-line a

Backblaze 467 Dec 8, 2022
Barman - Backup and Recovery Manager for PostgreSQL

Barman, Backup and Recovery Manager for PostgreSQL Barman (Backup and Recovery Manager) is an open-source administration tool for disaster recovery of

EDB 1.5k Dec 30, 2022
A generic JSON document store with sharing and synchronisation capabilities.

Kinto Kinto is a minimalist JSON storage service with synchronisation and sharing abilities. Online documentation Tutorial Issue tracker Contributing

Kinto 4.2k Dec 26, 2022
A Terminal Client for MySQL with AutoCompletion and Syntax Highlighting.

mycli A command line client for MySQL that can do auto-completion and syntax highlighting. HomePage: http://mycli.net Documentation: http://mycli.net/

dbcli 10.7k Jan 7, 2023
Postgres CLI with autocompletion and syntax highlighting

A REPL for Postgres This is a postgres client that does auto-completion and syntax highlighting. Home Page: http://pgcli.com MySQL Equivalent: http://

dbcli 10.8k Dec 30, 2022
Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

sqlmapproject 25.7k Jan 8, 2023
Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

sqlmapproject 25.7k Jan 2, 2023
Caretaker 2 Jun 6, 2022
PyPika is a python SQL query builder that exposes the full richness of the SQL language using a syntax that reflects the resulting query. PyPika excels at all sorts of SQL queries but is especially useful for data analysis.

PyPika - Python Query Builder Abstract What is PyPika? PyPika is a Python API for building SQL queries. The motivation behind PyPika is to provide a s

KAYAK 1.9k Jan 4, 2023
A blind SQL injection script that uses binary search aka bisection method to dump datas from database.

Blind SQL Injection I wrote this script to solve PortSwigger Web Security Academy's particular Blind SQL injection with conditional responses lab. Bec

Şefik Efe 2 Oct 29, 2022
WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities Which is a great tool for web pentesters. Coded in python3, CLI. WebScan is capable of scanning and detecting sql injection vulnerabilities across HTTP and HTTP sites.

AnonyminHack5 12 Dec 2, 2022
Aiminsun 165 Dec 21, 2022
A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence of a file

A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence o

null 2 Nov 9, 2022
Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities

Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities Features 1 Scan one website 2 Scan multiple websites Insta

Anontemitayo 9 Dec 30, 2022
CVE-2022-23046 - SQL Injection Vulnerability on PhpIPAM v1.4.4

CVE-2022-23046 PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL s

null 2 Feb 15, 2022
Protect against subdomain takeover

domain-protect scans Amazon Route53 across an AWS Organization for domain records vulnerable to takeover deploy to security audit account scan your en

OVO Technology 0 Nov 17, 2022
This automation protect against subdomain takeover on AWS env which also send alerts on slack.

AWS_Subdomain_Takeover_Detector Purpose The purpose of this automation is to detect misconfigured Route53 entries which are vulnerable to subdomain ta

Puneet Kumar Maurya 8 May 18, 2022
Soda SQL Data testing, monitoring and profiling for SQL accessible data.

Soda SQL Data testing, monitoring and profiling for SQL accessible data. What does Soda SQL do? Soda SQL allows you to Stop your pipeline when bad dat

Soda Data Monitoring 51 Jan 1, 2023