Projects / sqlmap


sqlmap is a penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a detection engine, many niche features, and a broad range of switches including database fingerprinting, data fetching from the database, and accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Operating Systems

Recent releases

  •  11 Apr 2011 01:40

    Release Notes: This release features a totally rewritten and powerful SQL injection detection engine, the ability to connect directly to a database server, support for time-based blind SQL injection and error-based SQL injection, support for four new database management systems, and much more.

    •  15 Mar 2010 02:15

      Release Notes: Support was added for enumerating and dumping all databases' tables containing user provided column(s). This can be useful to identify, for instance, tables containing custom application credentials. --priv-esc was enhanced to rely on new Metasploit Meterpreter's "getsystem" command to elevate privileges of the user running the back-end DBMS instance to SYSTEM on Windows. Much more was done.

      •  25 Jul 2009 17:30

        Release Notes: Metasploit wrapping functions were adapted to work with the latest 3.3 development version too. The code was adjusted to make sqlmap 0.7 work on Mac OS X again. The takeover OOB features (if any of --os-pwn, --os-smbrelay or --os-bof is selected) are reset when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter. This makes sqlmap 0.7 work on Windows again. A minor improvement was made so that sqlmap also tests all parameters with no value. Many bugs were fixed.

        •  05 Feb 2009 05:36

          Release Notes: A major enhancement was implemented to make the comparison algorithm work properly on URLs that are not stable by using the difflib Sequence Matcher object. A major enhancement was done to support SQL data definition statements, SQL data manipulation statements, et cetera from the user in SQL query and SQL shell if stacked queries are supported by the Web application technology. A major speed increase was made in DBMS basic fingerprint.

          •  29 Oct 2008 13:01

            Release Notes: A major bugfix was made to the blind SQL injection bisection algorithm to handle an exception. A Metasploit Framework 3 auxiliary module was added to run sqlmap. The possibility to test for and inject also on LIKE statements was implemented.


            Project Spotlight


            A Fluent OpenStack client API for Java.


            Project Spotlight

            TurnKey TWiki Appliance

            A TWiki appliance that is easy to use and lightweight.