mirror of https://github.com/sqlmapproject/sqlmap.git (synced 2026-07-02 14:32:08 +00:00)
Techniques
Miroslav Stampar edited this page 2026-06-30 15:04:41 +02:00
sqlmap is able to detect and exploit six different SQL injection types:

- Boolean-based blind: sqlmap replaces or appends to the affected parameter in the HTTP request a syntactically valid SQL statement string containing a `SELECT` sub-statement, or any other SQL statement whose output the user wants to retrieve. For each HTTP response, by comparing the HTTP response headers/body with those of the original request, the tool infers the output of the injected statement character by character. Alternatively, the user can provide a string or regular expression to match on True pages. The bisection algorithm implemented in sqlmap to perform this technique is able to fetch each character of the output with a maximum of seven HTTP requests. Where the output is not within the clear-text plain charset, sqlmap adapts the algorithm with bigger ranges to detect the output.
- Time-based blind: sqlmap replaces or appends to the affected parameter in the HTTP request a syntactically valid SQL statement string containing a query that puts the back-end DBMS on hold for a certain number of seconds before returning. For each HTTP response, by comparing the HTTP response time with that of the original request, the tool infers the output of the injected statement character by character. As for the boolean-based technique, the bisection algorithm is applied.
- Error-based: sqlmap replaces or appends to the affected parameter a database-specific error-message-provoking statement and parses the HTTP response headers and body in search of DBMS error messages containing the injected pre-defined chain of characters and the subquery statement output within. This technique works only when the web application has been configured to disclose back-end database management system error messages.
- UNION query-based: sqlmap appends to the affected parameter a syntactically valid SQL statement starting with a `UNION ALL SELECT`. This technique works when the web application page passes the output of the `SELECT` statement directly within a `for` loop, or similar, so that each line of the query output is printed on the page content. sqlmap is also able to exploit partial (single entry) UNION query SQL injection vulnerabilities, which occur when the output of the statement is not cycled in a `for` construct and only the first entry of the query output is displayed.
- Stacked queries, also known as piggy backing: sqlmap tests if the web application supports stacked queries and then, in case it does, appends to the affected parameter in the HTTP request a semi-colon (`;`) followed by the SQL statement to be executed. This technique is useful to run SQL statements other than `SELECT`, for instance data definition or data manipulation statements, possibly leading to file system read and write access and operating system command execution depending on the underlying back-end database management system and the session user privileges.
- Inline queries: sqlmap embeds the injected statement inside the original (sub)query (e.g. `SELECT (SELECT <injected>) FROM ...`), so that the output of the embedded statement is returned in-band within the page response. This is useful when the affected parameter sits in a position where a nested `SELECT` is evaluated and reflected.
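The bisection search shared by the boolean-based and time-based blind techniques, as an added illustration that is not sqlmap's own code: the oracle stands in for the one bit sqlmap derives from each response (page differs, or response is delayed), and here it reads a constructed sample value locally, so the request count per character can be studied without any target.

```python
# Added example (not sqlmap's own code): a local, network-free simulation of
# the bisection search that boolean-based and time-based blind techniques use
# to recover one character of a query result per round of yes/no questions.
# The oracle below stands in for the single bit sqlmap derives per request
# (page content differs / response is delayed); here it reads a constructed
# secret directly, so the request count can be studied without a target.

SECRET = "sqlmap@1.9"  # constructed sample standing in for a query result


def oracle(position: int, threshold: int, secret: str = SECRET) -> bool:
    """Blind question: 'is the character code at position greater than threshold?'"""
    return ord(secret[position]) > threshold


def bisect_char(position, ask, low=0, high=127):
    """Recover one character whose code lies in (low, high] and count the questions.

    Invariant: low < code <= high. With the 7-bit printable range the loop
    asks at most ceil(log2(127)) = 7 questions, matching the 'maximum of
    seven HTTP requests' per character; widening the range to 0-255 (for
    output outside the clear-text charset) costs one extra question.
    """
    asked = 0
    while high - low > 1:
        mid = (low + high) // 2
        asked += 1
        if ask(position, mid):
            low = mid
        else:
            high = mid
    return chr(high), asked


def recover(length, ask, high=127):
    """Recover a value of known length (sqlmap fetches LENGTH() first) and
    report the total number of blind questions it took."""
    chars, total = [], 0
    for pos in range(length):
        ch, asked = bisect_char(pos, ask, high=high)
        chars.append(ch)
        total += asked
    return "".join(chars), total


if __name__ == "__main__":
    value, total = recover(len(SECRET), oracle)
    print(f"recovered {value!r} with {total} questions "
          f"(<= 7 * {len(SECRET)} = {7 * len(SECRET)})")
```

Each blind question corresponds to one HTTP request in practice, which is why the per-character cost is bounded by seven for the default range and grows by one for each doubling of the range.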
Besides classic SQL injection, sqlmap is also able to detect and exploit several other server-side injection types. Each one is self-contained: it confirms the injection and extracts what that particular vector can reach, so the database, table, user and banner enumeration described for SQL injection does not apply to these.
- NoSQL injection: sqlmap injects operators (MongoDB and CouchDB `$`-operators), Lucene `query_string` syntax (Elasticsearch and Solr), Cypher/N1QL/AQL string break-outs and MongoDB `$where` time-based payloads, also catching error-based cases. On a confirmed parameter it dumps the records exposed in-band by an always-true payload and blindly recovers the targeted field character by character.
- GraphQL injection: sqlmap locates the GraphQL endpoint, recovers the schema through introspection or, when introspection is disabled, through field-suggestion inference, enumerates the injectable query and mutation argument slots, confirms a boolean-based oracle, exposes in-band data, fingerprints the back-end database management system and dumps the reachable tables.
- LDAP injection: sqlmap breaks out of the application's LDAP search filter and recovers directory attributes character by character through a boolean-based oracle.
- XPath injection: sqlmap breaks out of an XPath/XQuery expression and walks the back-end XML document blindly, retrieving its content character by character.
- Server-Side Template Injection: sqlmap fingerprints the underlying template engine (such as Jinja2, Mako, Twig, ERB, Pug, Handlebars, Thymeleaf, FreeMarker and Velocity) and, where the engine allows it, executes arbitrary operating system commands on the underlying server.