News
- 29th of November 2007: I am planning to work on a graphical user interface for sqlmap; if you want to contribute, please contact me by email.
- 21st of November 2007: added donations support with PayPal and screenshots.
- 6th of November 2007: some people asked me to publish a ZIP compressed sqlmap package, so here it is.
- 4th of November 2007: sqlmap 0.5 is out, download it!
- 23rd of October 2007: added support for Oracle database management system.
- 22nd of October 2007: sqlmap 0.5 coming soon, take a look at the ChangeLog. New documentation file (HTML and PDF).
Introduction
sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable of performing an extensive database management system back-end fingerprint, retrieving remote DBMS databases, usernames, tables and columns, enumerating the entire DBMS, reading system files and much more, taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.
Features
Here is a list of major features implemented in sqlmap:
- Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server database management system back-ends. Besides these four DBMS, sqlmap can also identify Microsoft Access, DB2, Informix and Sybase;
- Extensive database management system back-end fingerprint based upon:
- It fully supports two SQL injection techniques:
  - Blind SQL injection, also known as Inference SQL injection
  - Inband SQL injection, also known as UNION query SQL injection
  and it partially supports error based SQL injection as one of the vectors for database management system fingerprint;
- It automatically tests all provided GET, POST, Cookie and User-Agent parameters to find dynamic ones. On these it automatically tests and detects the ones affected by SQL injection. Moreover, each dynamic parameter is tested as numeric, single quoted string and double quoted string, and as each of these three types with one and two brackets, to find which is the valid syntax to perform further injections with;
- It is possible to provide the name of the only parameter(s) that you want to test and use for injection, whether they are GET, POST or Cookie parameters;
- SQL injection testing and detection do not depend upon the web application database management system back-end. SQL injection exploitation and query syntax obviously depend upon the web application database management system back-end;
- It distinguishes true queries from false ones by comparing hashes of the HTML output pages by default, but it is also possible to choose to perform such a test based upon string matching;
- HTTP requests can be performed with both HTTP methods GET and POST (default: GET);
- It is possible to perform HTTP requests using an HTTP User-Agent header string randomly selected from a text file;
- It is possible to provide an HTTP Cookie header string, useful when the web application requires authentication based upon cookies and you have such data;
- It is possible to provide an anonymous HTTP proxy address and port through which the HTTP requests to the target URL are passed;
- It is possible to provide the remote DBMS back-end if you already know it, saving sqlmap the time needed to fingerprint it;
- It supports various command line options to get the database management system banner, current DBMS user, current DBMS database, enumerate users, users' password hashes, databases, tables, columns, dump table entries, dump the entire DBMS, retrieve an arbitrary file's content (if the remote DBMS is MySQL) and provide your own SQL SELECT statement to be evaluated;
- It is possible to make sqlmap automatically detect if the affected parameter is also affected by a UNION query SQL injection and, in such case, to use it to exploit the vulnerability;
- It is possible to exclude system databases when enumerating tables, useful when dumping the entire DBMS databases' table entries and you want to skip the default DBMS data;
- It is possible to view the estimated time of arrival for each query output, updated in real time while performing the SQL injection attack;
- Support to increase the verbosity level of output messages;
- It is possible to save the queries performed and their retrieved values in real time to an output text file and later continue the injection, resuming from that file;
- PHP setting magic_quotes_gpc bypass by encoding every query string between single quotes with the CHAR (or similar) DBMS specific function.
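As an added defender-side illustration (not sqlmap's own code and not from the original page), the following Python script looks in web server access logs for the quote and bracket syntax probing described in the feature list above; the log lines are constructed, and the threshold of two distinct markers on one parameter is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (common log format), not taken from the page:
# one ordinary client, and one client walking the quote/bracket syntax variants
# listed above against the same parameter (values URL-encoded, as a browser would).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2007:10:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 2312
10.0.0.9 - - [04/Nov/2007:10:00:02 +0000] "GET /news.php?id=5%27 HTTP/1.1" 500 512
10.0.0.9 - - [04/Nov/2007:10:00:03 +0000] "GET /news.php?id=5%22 HTTP/1.1" 500 512
10.0.0.9 - - [04/Nov/2007:10:00:04 +0000] "GET /news.php?id=5%27%29 HTTP/1.1" 500 512
10.0.0.9 - - [04/Nov/2007:10:00:05 +0000] "GET /news.php?id=5%22%29%29 HTTP/1.1" 500 512
10.0.0.5 - - [04/Nov/2007:10:00:06 +0000] "GET /news.php?id=6&lang=en HTTP/1.1" 200 2290
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# A value ending in a single or double quote followed by zero to two closing
# brackets carries one of the syntax markers listed above (numeric probes have none).
PROBE_RE = re.compile(r'[\'"]\){0,2}$')

def probe_variant(value):
    """Return the trailing quote/bracket marker of a value, or None if absent."""
    m = PROBE_RE.search(value)
    return m.group(0) if m else None

def find_probing_clients(log_text, min_variants=2):
    """Return {client: {parameter: set(markers)}} for clients that sent at least
    min_variants distinct markers on the same GET parameter."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        # parse_qsl URL-decodes, so %27 becomes ' before the marker check
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            marker = probe_variant(value)
            if marker:
                seen[client][name].add(marker)
    return {client: {p: v for p, v in params.items() if len(v) >= min_variants}
            for client, params in seen.items()
            if any(len(v) >= min_variants for v in params.values())}

if __name__ == "__main__":
    for client, params in find_probing_clients(SAMPLE_LOG).items():
        for name, markers in params.items():
            print(f"{client}: {len(markers)} syntax markers on '{name}': {sorted(markers)}")
```

The same marker check applies to POST bodies, Cookie values and the User-Agent header, which the common log format used here does not record.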
Documentation
Download
sqlmap can be downloaded from its SourceForge File List page, and the development release from its SourceForge Subversion repository, which can be browsed with a web browser or accessed to download sqlmap:
$ svn checkout https://sqlmap.svn.sourceforge.net/svnroot/sqlmap sqlmap
Whichever way you downloaded sqlmap, just run svn update in its root directory (where the main file, sqlmap.py, is) to synchronize with the SVN repository, retrieving its source code updates into your working copy and ensuring that you run the latest version of the program.
Further information about the usage of the SourceForge Subversion repository can be found here.
License
sqlmap is released under the terms of the General Public License v2.
Sponsorship
Donations
References
Books and guides
White papers, slides and cheat sheets
Sites
Contacts
Feel free to contact us for comments, suggestions, bug reports and patches.