sqlmap | Alban Beluli

Overview

sqlmap is an open-source SQL injection automation framework focused on detection, fingerprinting, enumeration, and exploitation of injectable parameters. The useful way to learn it is not by memorizing every flag, but by understanding a clean workflow: define the target, confirm the injectable parameter, enumerate only what you need, and avoid running high-impact options blindly.

What sqlmap Is For

sqlmap automates common SQL injection tasks:

Detecting whether a parameter is injectable.
Identifying the backend DBMS.
Enumerating databases, tables, columns, and data.
Testing specific techniques such as boolean, error, union, or time-based injection.
In some cases, escalating toward file read, file write, or OS-level interaction when the DBMS and environment allow it.

Installation

Kali usually ships with sqlmap already installed. Otherwise, install it from the official project:

https://github.com/sqlmapproject/sqlmap

Basic help:

sqlmap -h
sqlmap -hh

Core Flags That Matter

-u: target URL.
-r: raw HTTP request file.
-p: test only the specified parameter.
--data: define POST body directly.
--cookie: provide session cookies if needed.
--level: broaden how many entry points and tests are used.
--risk: increase payload aggressiveness.
--dbs: enumerate database names.
--tables: enumerate table names.
--columns: enumerate column names.
--dump: dump table rows.
-D, -T, -C: scope enumeration to a database, table, or column.
--batch: avoid interactive prompts.
--flush-session: clear cached sqlmap state for the target.

Safe Workflow

A disciplined sqlmap workflow usually looks like this:

Start with the exact request you already know is interesting.
Restrict testing to the suspected parameter with -p.
Let sqlmap identify the DBMS before widening scope.
Enumerate databases, then tables, then columns, then specific data.
Only use filesystem or OS-level flags if you have a clear reason and authorization.

Simple GET Example

For a classic GET parameter:

sqlmap -u "https://testsite.com/page.php?id=7" --dbs

This tells sqlmap to test the URL and enumerate available databases if injection succeeds.

Simple POST Example

For POST requests, the most reliable method is usually to save the full raw request from your proxy and feed that to sqlmap.

POST /blood/nl-search.php HTTP/1.1
Host: 10.10.17.116
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=bt0q6qk024tmac6m4jkbh8l1h4

blood_group=B%2B

If blood_group is the parameter you want to test:

sqlmap -r req.txt -p blood_group --dbs

This is more precise than throwing sqlmap at the whole site and hoping it finds something useful.

Database Enumeration Sequence

Once injection is confirmed, enumerate in order.

1. List Databases

sqlmap -r req.txt -p blood_group --dbs

2. List Tables in One Database

sqlmap -r req.txt -p blood_group -D blood --tables

3. List Columns in One Table

sqlmap -r req.txt -p blood_group -D blood -T donors --columns

4. Dump Specific Data

sqlmap -r req.txt -p blood_group -D blood -T donors --dump

Useful Precision Controls

Restrict the parameter: use -p instead of testing every field.
Control payload scope: raise --level and --risk only when needed.
Control techniques: if time-based payloads cause instability, narrow --technique.
Clear old cache: use --flush-session when you need a fresh run.

Example: if time-based testing makes the app unstable, rerun with a narrower technique set instead of letting sqlmap keep hammering slow payloads.

OS-Level Options

sqlmap includes high-impact switches such as:

--os-shell
--os-cmd
--os-pwn

These are not routine enumeration features. They depend heavily on DBMS privileges, OS setup, and exploitation preconditions. Treat them as escalation steps, not default options.

Operational Notes

Use a valid authenticated request if the vulnerable functionality requires login.
Expect sqlmap to resume prior findings unless you clear them.
Read the output carefully instead of blindly accepting every prompt.
Do not jump straight to --dump-all unless you actually need everything.

Key Takeaways

sqlmap is most effective when fed a known-good request and a narrow parameter target.
The clean sequence is: detect, fingerprint, enumerate DBs, enumerate tables, enumerate columns, dump selected data.
-r plus -p is often the best combination for real assessments.
High-impact flags exist, but they should be used deliberately, not by default.
Precision matters more than running the biggest possible command.