Optimizing Detection

Learn how to optimize SQLMap for faster and more accurate vulnerability detection

SQLMap provides several options to optimize the detection process, making it faster and more accurate.

Forcing a Specific DBMS (--dbms)

If you already know the backend database management system, you can force SQLMap to use only payloads specific to that DBMS:

sqlmap -u "http://www.example.com/vuln.php?id=1" --dbms mysql

This skips the database fingerprinting phase and uses MySQL-specific payloads, which can:

  • Significantly speed up the testing process
  • Reduce the number of requests sent to the server
  • Improve detection accuracy for known database types

Supported DBMS options include:

  • MySQL
  • Oracle
  • PostgreSQL
  • Microsoft SQL Server
  • SQLite
  • And many others

Using --smart for Heuristic Testing

The --smart flag uses heuristic testing to quickly determine if a target is likely vulnerable, and runs thorough tests only when the heuristic result is positive:

sqlmap -u "http://www.example.com/vuln.php?id=1" --smart

This performs initial tests to assess vulnerability potential before conducting a full scan. Benefits include:

  • Faster testing of multiple targets
  • Reduced false positives
  • More efficient resource usage
  • Quick identification of promising targets

This is particularly useful when scanning a large number of potential targets.

Verifying Vulnerabilities with --string and --not-string

For boolean-based blind SQL injection, you can specify strings to identify true and false responses:

sqlmap -u "http://www.example.com/vuln.php?id=1" --technique B --string "Welcome" --not-string "Error"

This tells SQLMap to:

  • Treat a response containing "Welcome" as the result of a true condition
  • Treat a response containing "Error" as the result of a false condition

These flags are useful when:

  • The application has unique response patterns
  • Default detection methods are not working
  • You need to fine-tune the detection process
  • You're dealing with custom error messages

Using --titles for Response Differentiation

If the application shows different page titles for true and false conditions, use --titles:

sqlmap -u "http://www.example.com/vuln.php?id=1" --titles

This flag tells SQLMap to use the HTML title tag to differentiate between responses, which can be more reliable than looking at the entire response body in some applications.
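
The following added example (not SQLMap's code and not part of the original page) is a simplified model of the response comparisons discussed above, run on constructed HTML pages: whole-body similarity, a marker string as with --string / --not-string, and the title as with --titles. The page builder, the marker texts and the 0.98 threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

def page(title, marker, noise):
    """Build a constructed HTML response; `noise` models rotating content."""
    return (f"<html><head><title>{title}</title></head><body>"
            f"<div id='ad'>{noise}</div><p>{marker}</p></body></html>")

# Constructed samples, not captured from any real application.
BASELINE = page("Product 1", "Welcome back", "banner-7731 12:00:01 " + "x" * 40)
TRUE_RESP = page("Product 1", "Welcome back", "promo-0042 12:00:09 " + "y" * 40)
FALSE_RESP = page("Not found", "Error: no such item", "banner-7731 12:00:01 " + "x" * 40)

def similarity(a, b):
    """Whole-body similarity in [0, 1]."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()

def by_ratio(response, threshold=0.98):  # threshold is an assumed value
    """True if the whole body is close enough to the baseline page."""
    return similarity(BASELINE, response) >= threshold

def by_string(response, string=None, not_string=None):
    """`string` present => true; otherwise `not_string` present => false."""
    if string is not None:
        return string in response
    return not_string not in response

def title_of(html):
    """Return the text of the <title> element, or None if there is none."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return m.group(1).strip() if m else None

def by_title(response):
    """Compare only the page title against the baseline's title."""
    return title_of(BASELINE) == title_of(response)

def classify(response):
    """Run every comparison on one response and collect the verdicts."""
    return {
        "ratio": by_ratio(response),
        "string": by_string(response, string="Welcome"),
        "not_string": by_string(response, not_string="Error"),
        "title": by_title(response),
    }

if __name__ == "__main__":
    for name, resp in (("true", TRUE_RESP), ("false", FALSE_RESP)):
        print(name, round(similarity(BASELINE, resp), 2), classify(resp))
```

In this sample the false page scores closer to the baseline than the true page does, because the rotating banner dominates the body, while the marker and title checks are unaffected by it.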