SQLMAP is an open-source penetration testing tool. It automates the process of identifying and exploiting SQL injection (SQLi) flaws and subsequently taking control of database servers. SQLMAP also comes with a detection engine that includes advanced features to support penetration testing.
In an SQLi attack, a threat actor injects Structured Query Language (SQL) commands that alter the original query in order to read or modify database records. An input field designed by the software developers may pass its contents into a query, so that submitting a value containing SQL syntax enables access to passwords or other sensitive information. SQLi attacks may allow access to data from anywhere within the database. Depending on the nature of the attack, the threat actor may be able to change or delete this data.
SQLi attacks manipulate basic SQL functionality. One form retrieves confidential data by modifying an SQL query so that it returns additional data. A union SQLi attack accesses and retrieves data from multiple database tables. Another form alters the query so that it interferes with the application's logic and execution. An SQLi attack can result in access to passwords, personal information, credit card numbers, and other financial details. Using SQLi, a threat actor can bypass authentication and access, delete, or modify data within exploited databases. SQLi attacks can also be used to execute operating system-level commands, which would allow a threat actor to escalate the attack further.
SQLMAP provides full support for SQL injection techniques, including stacked queries, time-based blind, error-based, UNION query-based, and boolean-based blind.
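The technique classes listed above leave recognizable traces in web server access logs. The following Python code is an added example, not part of the original page and not SQLMAP's own code: it labels each request by the technique class its query string resembles. It assumes Combined Log Format, the signatures are illustrative heuristics written for this example, and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format: "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

# One heuristic per technique class (assumed patterns, not SQLMAP's payload list).
SIGNATURES = {
    "union-query": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "time-based-blind": re.compile(
        r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    "error-based": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "stacked-queries": re.compile(
        r";\s*(select|insert|update|delete|drop|exec)\b", re.I),
    "boolean-blind": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
}

def classify(line):
    """Return the sorted labels of every signature the logged request matches."""
    m = LOG_RE.search(line)
    if not m:
        return []  # not a parseable access-log line
    target = unquote_plus(m.group("target"))  # undo %XX and '+' encoding once
    hits = {name for name, rx in SIGNATURES.items() if rx.search(target)}
    # A User-Agent starting "sqlmap/" is a cheap signal; its absence proves nothing.
    if m.group("ua").lower().startswith("sqlmap/"):
        hits.add("sqlmap-user-agent")
    return sorted(hits)

# Constructed sample lines (documentation IP range, made-up paths).
PREFIX = '203.0.113.7 - - [03/Jan/2022:10:00:01 +0000] '
SAMPLE_LOG = [
    PREFIX + '"GET /item?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    PREFIX + '"GET /item?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" '
             '"sqlmap/1.6#stable (https://sqlmap.org)"',
    PREFIX + '"GET /item?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" '
             '200 498 "-" "Mozilla/5.0"',
    PREFIX + '"GET /item?id=1%3B%20SELECT%20PG_SLEEP(5) HTTP/1.1" '
             '200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry) or ["clean"], entry.split('"')[1])
```

Matches are triage leads rather than proof of exploitation: ordinary search text can trip the boolean pattern, and heavily encoded payloads can slip past all of them.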
SQLMAP was developed in Python, a dynamic, object-oriented, interpreted programming language. This design makes SQLMAP a cross-platform application independent of the operating system. SQLMAP requires Python version 2.6, 2.7, or 3.x. SQLMAP relies on the Metasploit Framework for some of its post-exploitation features.
SQLMAP is free software that can be redistributed under the terms of the GNU General Public License as published by the Free Software Foundation, Version 2 or later, with the clarifications and exceptions described in the license file. The license grants a right to use, modify and redistribute the software under certain conditions. Organizations wishing to embed SQLMAP technology into proprietary software should purchase a license through sales@sqlmap.org.
The current version, v1.6, was released on January 3, 2022. This followed version v1.5, which was released on January 3, 2021.