SQLMap is the industry-standard tool for detecting and exploiting SQL injection vulnerabilities in authorized penetration tests. When used correctly — as a post-discovery stage in a structured offensive workflow — it transforms manual injection testing from hours of labor into a reproducible, auditable automated process. This guide covers practitioner-grade SQLMap automation: how to target parameters precisely, configure tamper scripts, control threading, manage output, and chain SQLMap with upstream tools like FFUF and Nuclei.
Modern web applications expose hundreds of endpoints across subdomains, APIs, and legacy paths. Manually testing each parameter for SQL injection is not feasible when a target scope includes dozens of hosts. The failure modes of ad-hoc testing are well understood by anyone who has run a real engagement:
The correct architecture treats SQLMap not as a weapon fired at a target, but as a post-discovery validation stage that runs precisely against parameters already confirmed to exist and accept user input. PhantomRed offensive workflow pipelines are built around this principle: every tool runs at the right stage, against validated input, with structured output.
Automation solves the scale and consistency problems while adding a layer of operational discipline that manual testing rarely achieves. Specifically, a structured SQLMap automation workflow provides:
The shift from manual to automated SQLMap usage is not about removing human judgment — it is about reserving human judgment for the stages that require it: parameter selection, payload tuning, and result interpretation.
The following pipeline reflects a real post-discovery SQLMap automation chain. Each stage produces output that feeds directly into the next.
⚠ SQLMap should only run against endpoints validated to be in scope and confirmed to accept user-controlled input. Never point SQLMap at a URL list without manual review first.
Begin with subdomain enumeration and HTTP probing to build a list of live, reachable hosts within scope.
# Enumerate subdomains and probe for live HTTP services subfinder -d target.com -silent | httpx -silent -status-code -no-color \ | grep "200\|301\|302\|403" \ | awk '{print $1}' > live_hosts.txt
Use Katana or FFUF to crawl live hosts and surface URLs that contain query parameters. Parameters are the injection surface — without this step, SQLMap has nothing precise to target. PhantomRed workflow scripts commonly chain this stage directly into the parameter validation step, passing only confirmed parameterized URLs downstream.
# Crawl with Katana and filter for parameterized URLs katana -list live_hosts.txt -silent -jc -kf all \ | grep "=" \ | sort -u > parameterized_urls.txt # Optional: use Arjun for deeper parameter mining arjun -i live_hosts.txt -oJ arjun_params.json --stable
Before running SQLMap, review parameterized_urls.txt and remove any endpoints outside your authorized scope, admin paths you are not cleared to test, and any URLs with parameters that clearly do not accept DB-backed input (e.g., static asset paths, tracking pixels). This review step is non-negotiable.
Start with a single high-confidence endpoint before running batch mode. This confirms your flags are correct and lets you observe detection behavior before scaling up.
# Production-ready SQLMap command with full flag explanation below sqlmap \ -u "https://target.com/search?q=test&category=1" \ --batch \ --level=3 \ --risk=2 \ --threads=2 \ --delay=1 \ --timeout=30 \ --random-agent \ --output-dir="./sqlmap-output/target.com" \ --forms \ -v 1
Flag breakdown:
--level=3 — Tests depth: covers GET/POST params (1), cookies (2), and HTTP headers (3). Level 5 adds User-Agent and Referer. Start at 3 for most engagements.
--risk=2 — Payload aggressiveness: risk 1 uses safe payloads only, risk 2 adds heavy time-based tests but avoids UPDATE payloads that could modify data, risk 3 enables OR-based tests that carry data integrity risk. Use 2 as your default.
--threads=2 — Concurrent requests. Keep at 1–3 for sensitive targets. Higher values speed up detection but increase WAF trigger probability and server load.
--delay=1 — Seconds between requests. Combined with threads, this keeps your request rate predictable and within program rules.
--timeout=30 — Per-request timeout. Prevents SQLMap from hanging on slow or unresponsive endpoints.
--batch — Auto-accepts all prompts. Essential for any scripted or unattended run. Without this, SQLMap pauses for user input mid-scan.
For authenticated endpoints, POST requests, or APIs with custom headers, capture the raw HTTP request in Burp Suite or with curl -v and pass it to SQLMap with the -r flag. This is the most reliable method for complex targets.
# Save raw HTTP request to a file (e.g., from Burp Suite Repeater) # request.txt content: # POST /api/v1/search HTTP/1.1 # Host: target.com # Authorization: Bearer <token> # Content-Type: application/json # # {"query":"test","category":1} sqlmap \ -r request.txt \ --batch \ --level=3 \ --risk=2 \ --threads=2 \ --delay=1 \ --random-agent \ --tamper="space2comment,between" \ --output-dir="./sqlmap-output/api-endpoint" \ -v 1
Once single-target testing is confirmed to work correctly, loop over the validated URL list. Add per-host output directories and logging.
#!/usr/bin/env bash # SQLMap batch execution — authorized targets only # Usage: ./sqlmap-batch.sh parameterized_urls.txt set -euo pipefail OUT_DIR="./sqlmap-output" URL_LIST="${1:-parameterized_urls.txt}" LOG_FILE="${OUT_DIR}/batch-run.log" TIMESTAMP=$(date +%Y%m%d_%H%M%S) mkdir -p "${OUT_DIR}" echo "[${TIMESTAMP}] Starting batch SQLMap run" | tee "${LOG_FILE}" echo "[${TIMESTAMP}] Target list: ${URL_LIST}" | tee -a "${LOG_FILE}" while IFS= read -r URL; do if [[ -z "${URL}" || "${URL}" == \#* ]]; then continue; fi HOST=$(echo "${URL}" | awk -F/ '{print $3}') HOST_DIR="${OUT_DIR}/${HOST}" mkdir -p "${HOST_DIR}" echo "[$(date +%H:%M:%S)] Testing: ${URL}" | tee -a "${LOG_FILE}" sqlmap \ -u "${URL}" \ --batch \ --level=3 \ --risk=2 \ --threads=2 \ --delay=1 \ --random-agent \ --output-dir="${HOST_DIR}" \ -v 1 \ 2>&1 | tee -a "${LOG_FILE}" echo "[$(date +%H:%M:%S)] Done: ${URL}" | tee -a "${LOG_FILE}" done < "${URL_LIST}" echo "[$(date +%H:%M:%S)] Batch run complete. Output in: ${OUT_DIR}" | tee -a "${LOG_FILE}"
When a target has a WAF or application-level input filter blocking standard SQLMap payloads, tamper scripts modify the injection syntax before it is sent. The table below covers the most operationally useful tamper scripts for real engagements.
| Tamper Script | What It Does | When to Use |
|---|---|---|
| space2comment | Replaces spaces with SQL comments (/**/) |
WAFs blocking space-delimited SQL keywords |
| between | Replaces > with NOT BETWEEN 0 AND |
Filters on comparison operators |
| charunicodeencode | Unicode-encodes non-alphanumeric characters | WAFs doing basic ASCII matching |
| randomcase | Randomizes keyword casing (SeLeCt) |
Case-sensitive keyword filters |
| equaltolike | Replaces = with LIKE |
Equality operator filtering |
| base64encode | Base64-encodes the full payload | Applications that decode base64 input server-side |
| apostrophemask | Replaces apostrophe with UTF-8 full-width variant | Quote-filtering WAFs |
# Chain multiple tamper scripts with comma separation sqlmap \ -u "https://target.com/page?id=1" \ --batch \ --tamper="space2comment,between,randomcase" \ --random-agent \ --level=3 \ --risk=2 \ --delay=1.5 \ --output-dir="./sqlmap-output/waf-bypass"
Aggressive SQLMap runs trigger WAF bans, overwhelm small application servers, and violate the rules of engagement on most bug bounty programs. The flags below give you precise control over request rate.
| Flag | Effect | Recommended Value |
|---|---|---|
| --threads | Concurrent request count | 1–3 for sensitive targets, up to 5 for permissive scopes |
| --delay | Seconds between requests | 1–2 for standard runs; 3+ for restricted scopes |
| --timeout | Per-request timeout in seconds | 30 (prevents hanging on slow responses) |
| --retries | Retry count on connection failure | 2 (avoid hammering unstable targets) |
| --random-agent | Rotates User-Agent header per request | Always enabled |
| --proxy | Routes through HTTP/SOCKS proxy | Use for IP rotation or local Burp capture |
Knowing when to hold back is as important as knowing how to run the tool. SQLMap is precision tooling — it produces the most value when applied to the right targets at the right stage. Running it indiscriminately wastes time, triggers unnecessary alerts, and produces noisy false positives that undermine the findings.
Pointing SQLMap at a bare URL list without upstream FFUF or Katana output means testing endpoints that may not even accept DB-backed input. You will get false positives and wasted scan time.
SQLMap’s time-based blind payloads put real load on database servers. Against fragile or high-traffic production targets without explicit approval, this risks service disruption — a scope violation in most programs.
If an endpoint requires a valid session to reach DB-backed logic, running SQLMap without valid credentials only tests the login page. Capture an authenticated session in Burp first and use the -r request file method.
If the URL was found via passive recon but has not been manually confirmed to be in-scope, do not run SQLMap against it. One out-of-scope test invalidates the entire engagement in most programs.
Firing SQLMap cold against a WAF-protected endpoint without first understanding what payloads are blocked will immediately trigger a ban. Run a single manual payload test first to understand the filter behavior.
--risk=3 enables OR-based payloads that can modify database records. Never use risk 3 without explicit written authorization confirming that data modification is acceptable during the test.
SQLMap is a post-validation tool. Its position in the offensive pipeline is fixed: it runs after upstream stages have identified, confirmed, and scoped the injection surface. PhantomRed workflow pipelines enforce this ordering — SQLMap receives only pre-validated, in-scope parameterized URLs from upstream stages.
FFUF surfaces hidden paths and parameterized endpoints. Its output, filtered for URLs containing =, becomes the input list for SQLMap. See the FFUF automation guide for the full discovery workflow.
httpx confirms which discovered hosts are live and responding. Running SQLMap against unreachable hosts wastes scan budget. httpx filtering ensures every SQLMap target is confirmed reachable.
Nuclei fingerprints technologies and detects exposed admin panels, API endpoints, and known-vulnerable paths before SQLMap runs. This informs which endpoints are high-value targets for injection testing.
Understanding the backend database technology (MySQL vs PostgreSQL vs MSSQL) before running SQLMap lets you target the correct injection techniques and skip irrelevant payload sets. See the Nmap + Nuclei + FFUF automation guide for service enumeration patterns.
For applications where injection surfaces are only reachable post-login, capture an authenticated Burp request and pass it via -r. This is standard practice in PhantomRed offensive workflow scripts for API and SaaS targets.
SQLMap’s --output-dir creates structured session files that feed directly into report generation. The log file per host documents every tested parameter, payload used, and finding confirmed.
Manually constructing and running these pipelines for every engagement is time-consuming and error-prone. PhantomRed’s recon workflow generator produces executable shell scripts that chain the entire offensive stack — Subfinder, httpx, FFUF, Nuclei, and SQLMap — into a single reproducible pipeline, with structured output directories, timestamped logs, dependency checks, and scope warnings built in from the start.
Instead of remembering every flag combination and writing fresh scripts for each engagement, you configure the target scope once and the generator produces a complete, ready-to-execute workflow. Saved Workflow History lets you reload previous configurations, compare approaches across engagements, and iterate on what worked. PhantomRed workflow scripts enforce the correct ordering: SQLMap always runs as stage 5, after upstream stages have validated the injection surface.
For deeper background on how PhantomRed approaches autonomous penetration testing as a discipline, see the autonomous penetration testing overview.
SQLMap produces verbose output by default. Without structure, findings get buried in terminal scrollback and are difficult to include in reports. The recommended pattern uses a directory layout that mirrors the engagement scope:
sqlmap-output/ ├── target.com/ │ ├── target.com/ # SQLMap session files per host │ │ ├── log # Human-readable finding log │ │ ├── session.sqlite # Session state for --resume │ │ └── target.com.csv # Optional CSV dump ├── api.target.com/ │ └── api.target.com/ └── batch-run.log # Master log of all tested URLs
Use --resume to continue an interrupted scan without re-testing already-covered parameters — essential for long-running batch runs against large scopes.
# Resume a previous session sqlmap \ -u "https://target.com/search?q=test" \ --batch \ --output-dir="./sqlmap-output/target.com" \ --resume
Every parameter in scope gets tested with a consistent payload set — no manual gaps.
The same script reruns against the same target weeks later, enabling regression testing after remediations.
Timestamped logs and structured output files document exactly what was tested, when, and with which payloads.
Threading and delay flags keep request rates within program rules and avoid triggering lockouts.
SQLMap plugs into the same shell pipeline as Subfinder, FFUF, and Nuclei — no manual handoffs between tools.
Session files and output directories survive interruptions — resume exactly where the scan stopped.
-u, -r (raw request file), or --forms flags. Batch execution loops over a validated URL list and saves output to structured directories using --output-dir.space2comment (replaces spaces with SQL comments), between (rewrites comparison operators), and charunicodeencode (Unicode-encodes characters). Use them when standard payloads are blocked by WAF signatures.--delay to add seconds between requests, --threads to cap concurrency (1–3 for sensitive targets), --random-agent to rotate User-Agent headers, and --proxy for IP rotation. Always align request rate with the target’s rules of engagement before running.Build a complete, executable shell script that chains subdomain enumeration, HTTP probing, parameter discovery, and SQLMap into one reproducible pipeline.
Open Workflow Generator →