# sqlmapproject/sqlmap **Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/sqlmapproject-sqlmap).** 36,641 stars · 6,200 forks · Python · other ## Links - GitHub: https://github.com/sqlmapproject/sqlmap - Homepage: http://sqlmap.org - awesome-repositories: https://awesome-repositories.com/repository/sqlmapproject-sqlmap.md ## Topics `database` `detection` `exploitation` `pentesting` `python` `sql-injection` `sqlmap` `takeover` `vulnerability-scanner` ## Description This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuristic fingerprinting, which adjusts injection techniques in real-time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system access through database-level vulnerabilities. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a middleware pipeline for applying user-defined transformations to bypass security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and remote API management, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration management supported through external file loading and command-line arguments. ## Tags ### Security & Cryptography - [SQL Injection Tools](https://awesome-repositories.com/f/security-cryptography/sql-injection-tools.md) — Detects and exploits database vulnerabilities by automating malicious payload injection. - [Injection Engines](https://awesome-repositories.com/f/security-cryptography/injection-engines.md) — Generates and iterates through specialized SQL payloads to identify database vulnerabilities. - [System Command Executors](https://awesome-repositories.com/f/security-cryptography/system-command-executors.md) — Executes arbitrary system commands on a database server by leveraging database vulnerabilities. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Database Auditing Tools](https://awesome-repositories.com/f/security-cryptography/database-auditing-tools.md) — Extracts sensitive information and evaluates database configurations to identify security risks. - [Database File Accessors](https://awesome-repositories.com/f/security-cryptography/database-file-accessors.md) — Reads or uploads files on a database server by abusing administrative database functionalities. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Injection Testing Tools](https://awesome-repositories.com/f/security-cryptography/injection-testing-tools.md) — Adjusts injection payloads and timing based on real-time server response analysis. - [Remote Execution Tools](https://awesome-repositories.com/f/security-cryptography/remote-execution-tools.md) — Leverages database vulnerabilities to execute arbitrary system commands on the host. - [Vulnerability Scanning Utilities](https://awesome-repositories.com/f/security-cryptography/vulnerability-scanning-utilities.md) — Automates the extraction and handling of anti-forgery tokens to maintain session continuity during security testing. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Data Exfiltration Tools](https://awesome-repositories.com/f/security-cryptography/data-exfiltration-tools.md) — Retrieves data from restricted environments using alternative communication channels. - [Exfiltration Channels](https://awesome-repositories.com/f/security-cryptography/exfiltration-channels.md) — Uses secondary protocols like DNS to retrieve data when direct HTTP responses are blocked. - [Function Injection Tools](https://awesome-repositories.com/f/security-cryptography/function-injection-tools.md) — Uploads shared libraries to execute custom user-defined functions within the database. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Request Tampering Middleware](https://awesome-repositories.com/f/security-cryptography/request-tampering-middleware.md) — Applies user-defined transformations to HTTP requests to bypass security filters and firewalls. - [Security Scripting Frameworks](https://awesome-repositories.com/f/security-cryptography/security-scripting-frameworks.md) — Executes custom scripts to dynamically generate or modify request parameters for complex security testing scenarios. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Session Management Tools](https://awesome-repositories.com/f/security-cryptography/session-management-tools.md) — Maintains cookies and authentication tokens to ensure consistent interaction with target applications. - [System Fingerprinting Tools](https://awesome-repositories.com/f/security-cryptography/system-fingerprinting-tools.md) — Analyzes server responses to identify underlying database technology and operating systems. - [Fingerprinting Utilities](https://awesome-repositories.com/f/security-cryptography/fingerprinting-utilities.md) — Identifies database versions and configurations by analyzing server responses and error messages. - [Vulnerability Monitoring Systems](https://awesome-repositories.com/f/security-cryptography/vulnerability-monitoring-systems.md) — Provides audible alerts upon the successful detection of injection vulnerabilities to facilitate efficient monitoring. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) ### Testing & Quality Assurance - [Injection Testers](https://awesome-repositories.com/f/testing-quality-assurance/injection-testers.md) — Applies custom payloads and tampering scripts to verify the presence of injection vulnerabilities. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Penetration Testing Frameworks](https://awesome-repositories.com/f/testing-quality-assurance/penetration-testing-frameworks.md) — Streamlines the discovery and exploitation of security weaknesses in network-facing applications. - [Vulnerability Assessment Tools](https://awesome-repositories.com/f/testing-quality-assurance/vulnerability-assessment-tools.md) — Automatically tests input fields to identify and verify database injection vulnerabilities. - [Time-Based Injection Testers](https://awesome-repositories.com/f/testing-quality-assurance/time-based-injection-testers.md) — Sets response delays to accurately detect database responses during time-based blind injection attacks. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Union-Based Injection Testers](https://awesome-repositories.com/f/testing-quality-assurance/union-based-injection-testers.md) — Tests custom column ranges during union-based injection attacks to improve data retrieval accuracy. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Second-Order Injection Testers](https://awesome-repositories.com/f/testing-quality-assurance/second-order-injection-testers.md) — Verifies second-order injection by monitoring secondary URLs where payloads are eventually reflected. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Proxy Log Analyzers](https://awesome-repositories.com/f/testing-quality-assurance/proxy-log-analyzers.md) — Identifies potential injection points by analyzing HTTP requests captured in external proxy logs. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Performance Optimizers](https://awesome-repositories.com/f/testing-quality-assurance/performance-optimizers.md) — Improves data retrieval speed during security scans using persistent connections and concurrent processing. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) ### Data & Databases - [Database Enumerators](https://awesome-repositories.com/f/data-databases/database-enumerators.md) — Extracts users, tables, columns, and data from database management systems to verify access. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Database Enumeration Tools](https://awesome-repositories.com/f/data-databases/database-enumeration-tools.md) — Extracts schema information, user data, and system configurations from databases. - [Database Fingerprinters](https://awesome-repositories.com/f/data-databases/database-fingerprinters.md) — Identifies database versions and operating systems by analyzing SQL dialects and error messages. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Target Discovery Tools](https://awesome-repositories.com/f/data-databases/target-discovery-tools.md) — Defines target databases or URLs using connection strings, proxy logs, and raw request data. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [Schema Brute-Forcers](https://awesome-repositories.com/f/data-databases/schema-brute-forcers.md) — Identifies hidden table or column names through brute-force techniques when standard methods fail. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) ### Development Tools & Productivity - [Security Automation Suites](https://awesome-repositories.com/f/development-tools-productivity/security-automation-suites.md) — Streamlines identification, verification, and exploitation of vulnerabilities through configurable workflows. ### Web Development - [URL Targeters](https://awesome-repositories.com/f/web-development/url-targeters.md) — Executes automated security tests against specific web addresses including protocol and port details. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) - [HTTP Request Managers](https://awesome-repositories.com/f/web-development/http-request-managers.md) — Manages headers, cookies, and connection settings to ensure successful communication with target applications. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage)) ### Networking & Communication - [DNS Exfiltration Tools](https://awesome-repositories.com/f/networking-communication/dns-exfiltration-tools.md) — Retrieves data through controlled DNS domain servers to bypass network filters. ([source](https://github.com/sqlmapproject/sqlmap/wiki/Usage))