Are you happy with your logging solution? Would you help us out by taking a 30-second survey? Click here


Automatic SQL injection and database takeover tool

Star full 4f7b624809470f25b6493d5a7b30d9b9cb905931146e785d67c86ef0c205a402Star full 4f7b624809470f25b6493d5a7b30d9b9cb905931146e785d67c86ef0c205a402Star full 4f7b624809470f25b6493d5a7b30d9b9cb905931146e785d67c86ef0c205a402Star blank 374f33e4d622a2930833db3cbea26b5d03dc44961a6ecab0b9e13276d97d6682Star blank 374f33e4d622a2930833db3cbea26b5d03dc44961a6ecab0b9e13276d97d6682 (1 ratings)
Rated 3.0 out of 5
Subscribe to updates I use sqlmap

Statistics on sqlmap

Number of watchers on Github 10817
Number of open issues 57
Average time to close an issue about 14 hours
Main language Python
Average time to merge a PR 1 day
Open pull requests 13+
Closed pull requests 60+
Last commit over 1 year ago
Repo Created about 7 years ago
Repo Last Updated over 1 year ago
Size 60 MB
Organization / Authorsqlmapproject
Latest Release1.2
Page Updated
Do you use sqlmap? Leave a review!
View open issues (57)
View sqlmap activity
View on github
Fresh, new opensource launches 🚀🚀🚀
Trendy new open source projects in your inbox! View examples

Subscribe to our mailing list

Evaluating sqlmap for your project? Score Explanation
Commits Score (?)
Issues & PR Score (?)


Build Status Python 2.6|2.7 License Twitter

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

The sqlmap project is sponsored by Netsparker Web Application Security Scanner.



You can visit the collection of screenshots demonstrating some of features on the wiki.


You can download the latest tarball by clicking here or latest zipball by clicking here.

Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 sqlmap-dev

sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.


To get a list of basic options and switches use:

python -h

To get a list of all options and switches use:

python -hh

You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user's manual.


  • Homepage:
  • Download: .tar.gz or .zip
  • Commits RSS feed:
  • Issue tracker:
  • User's manual:
  • Frequently Asked Questions (FAQ):
  • Twitter: @sqlmap
  • Demos:
  • Screenshots:


sqlmap open issues Ask a question     (View All Issues)
  • almost 3 years google analytics _ga cookie
  • almost 3 years I'm sorry about the previous post is a mistake
  • almost 3 years sqlmap takeover timeout
  • almost 3 years CVE-2016-6662
  • about 3 years AND/OR time-based blind and invalid characters
  • about 3 years wheres the docs for api?
  • about 3 years Further Full Path Disclosure (FPD) Techniques
  • over 3 years New password hash types to incorporate
  • over 3 years hi I recently reviewed the connection between "Sqlmap" to "Metasploit Pro"
  • over 3 years --eval doesn't work for XML parameters.
  • over 3 years noSQL DB Support Feature Request
  • over 3 years Ignore CTRL-C when in a meterpreter session
  • almost 4 years Downloading a table when the pivot don't get all
  • about 4 years sqlmapapi task limitation feature
  • over 4 years Extract SQL Command Feature Request
  • over 4 years commatojoin tamper script
  • over 4 years Review all payloads
  • almost 5 years Dump and CSV file
  • about 5 years Load request from file for second-order request
  • over 5 years Extend file write on MySQL
  • over 5 years REST scan doesn't dump database
  • over 5 years Error checking for time based blind
  • almost 6 years Option for alternate SMB host for --os-smbrelay
  • almost 6 years Feature request: write / append data to CSV file every <x> rows
  • about 6 years Db object comments
  • over 6 years Filesystem enumeration and fingerprinting
  • over 6 years Improve RESTful API to interact with sqlmap engine
  • over 6 years Usability of tool when session user is not high privileged/DBA
  • over 6 years Extend --live-tests to all DBMSes and switches
  • over 6 years MySQL exploits for takeover
sqlmap open pull requests (View All Pulls)
  • add support for parsing Excel (xlsx) output
  • Handle non-alnum parameters with --eval
  • Avoid NULL bytes when writing to file
  • Create
  • make sqlmap use baidu search engine
  • baidu search engine support
  • Translation of to Russian
  • REST API: command line processing on the server side
  • [tamper request] Replacing SUBSTRING by LEFT and RIGHT
  • Feature/compatible with py3/print
  • Create bypass360waf
  • WIP: Feature/compatible with python 3
  • Commit to make CLI option to disable counting
sqlmap questions on Stackoverflow (View All Questions)
  • False Positive Results SQLMAP
  • Plugin for integrating SQLMAP with Burp Suite
  • sqlmap default value for mod_rewrite url injection point
  • sqlmap with error ValueError: _type_ 'v' not supported
  • Combination of Boolean-based and Time-dependent SQL injection in sqlmap
  • two parameters with SQLMAP
  • How can I tell sqlmap to check another link?
  • SQLMap Alerts : "POST Parameter 'Password' is Microsoft SQL Server / Sysbase time -based blind Injectable"
  • How does sqlmap detect this SQL injection in my script?
  • sqlmap usage - no blind identified
  • sqlmap UNION injection
  • Passing parameter String into iBatis sqlMap is not working
  • Sqlmap Tor not working- windows
  • verify sql injection through sqlmap
  • SQLMap not showing output in command prompt
  • tor not working with sqlmap
  • SQLMap realy slow on local network
  • ibator SqlMap generation issue
  • Sqlmap parameter "might not be injectable"
  • Specify parameters with SQLMAP
  • SQLMap remake in JavaScript? Possible?
  • There is no statement named UserEntity.insertUser in this SqlMap
  • Setting particular type of attack with Sqlmap
  • SQLMap and SSL error
  • sqlmap&MariaDB:sqlmap doesn't support mariadb
  • SQLMAP - appears to be injectable, but it does not
  • Using two different versions of python but sqlmap needs 2.7
  • SQLMAP link compatibility
  • post parameter cannot be detected by sqlmap
  • Error sqlmap on Kali Linux
sqlmap list of languages used
More projects by sqlmapproject View all
Other projects in Python