You've heard of SQLmap and now want to try it out for yourself. The tool is powerful, and you would like to see how it works. But where can you practice without getting in trouble?
The truth about using SQLmap is that you should only use SQLmap against your own websites or websites for which you have permission from the owner to test.
It does not matter if the website seems old or abandoned, and it does not matter that you are only curious: if you use SQLmap on any website that you don't own or don't have permission to test, you are breaking the law and can be charged with a crime.
There is good news, though! You can practice SQLmap as much as you like in a completely legal, safe environment. Some of these are websites specifically designed for testing; others are resources and ways to run SQLmap against your own local machine through virtual machines. All of them are entirely legal.
Here is a list of the best targets where you can legally use SQLmap, with links to the actual sites. There is something here for all levels of experience, from beginner through advanced!
The Golden Rule of SQL Injection Testing
Before listing any targets, let me make one thing clear. You can only test websites that you own or have explicit written permission to test. This is not a grey area. It is the law in every country with computer crime legislation.
The targets listed in this article are either your own local environments or websites that explicitly allow security testing. Use only these. Never point SQLmap at a random website you find on the internet.
Now let me show you where you can practice safely.
Option 1: Damn Vulnerable Web Application (DVWA)
DVWA is the classic starting point for web application security testing. It is an intentionally vulnerable PHP application that runs locally on your PC.
Its main appeal is that it has sections dedicated to SQL injection with several security levels of increasing difficulty. You can begin at the low security level, where no protection exists, and use SQLmap to enumerate the entire database, then work your way up.
The URL you can check out is:
👉 https://github.com/digininja/DVWA
The easiest way to run DVWA is with Docker, which downloads and runs it as a container; alternatively, you can set it up manually with XAMPP or WAMP.
The installation process should take about 10 minutes, with installation instructions available on the GitHub page for each platform.
On DVWA you can practice basic authentication bypass with simple payloads, and once you feel more comfortable, move on to using SQLmap for a complete database enumeration.
There is no protection at the low security level, which makes it an excellent starting point for beginners.
Option 2: OWASP Juice Shop
Juice Shop is a modern, deliberately vulnerable web app built on Node.js. The app is very popular among pentesters as a target.
Why Juice Shop is a good target:
It contains dozens of weaknesses, including multiple instances of SQL injection.
The setup instructions are clear, and there are walkthroughs if you get stuck. There is also a scoreboard that tracks your progress.
Where to get it:
👉 https://github.com/juice-shop/juice-shop
How to set it up:
Juice Shop is set up with Docker using the commands from the GitHub page. You can also install it locally using Node.js.
Once the application is running, open your local address in a browser and explore it. Using the live demo link provided above you can start testing right away with no setup required.
What to Practice:
Juice Shop has a login page that is vulnerable to SQL injection. With SQLmap you can bypass the authentication and log in to the admin account. There are many other vulnerabilities to explore as you gain experience.
Option 3: Vulnerable Online Testing Sites
Several online websites are deliberately vulnerable so that people can practice security testing on them; most are provided by security companies, and some by educational institutions.
These sites make good candidates for testing for three reasons:
They are available 24/7, they require no software downloads, and they give you permission to conduct your testing.
Websites you can use:
👉 http://testasp.vulnweb.com (Hosted by Acunetix)
👉 https://www.hacksplaining.com/lessons/sql-injection (Interactive SQL injection exercises)
What you can do:
You can use SQLmap against search parameters and form fields. These are real websites on live servers, so you get practice under real-world conditions such as network latency and response times.
In addition, you can perform all the normal actions associated with conducting a pen test, such as enumerating databases, listing tables in those databases, and extracting data from those databases.
IMPORTANT! Only perform testing on the test sites stated above. DO NOT assume testing on any random site is allowed without prior permission.
Option 4: TryHackMe SQLMap Lab
TryHackMe is an online platform that offers cyber security training, including a room (lab) specifically set up for SQLmap.
Why it is an excellent selection:
Because this lab is dedicated to SQLmap, it treats you as a novice and provides instructions from start to finish, including how to identify vulnerable parameters and how to dump the contents of a database.
Where to find the lab:
👉 https://tryhackme.com/room/sqlmap
How to access the lab:
To enter the lab you need a TryHackMe account; a free account is sufficient. After creating your account, you connect to their VPN (via OpenVPN) and access the SQLmap lab machine from their network; full details on accessing the lab are on the room web page.
What you will learn in the lab:
The lab teaches you how to use Burp Suite to capture a request that is then given to SQLmap. You will also learn how to enumerate databases, find the tables in those databases, and complete a challenge that requires you to dump the contents of the table containing the flags.
Option 5: Deliberately Vulnerable Web Applications Hosted on GitHub
Many developers have built deliberately insecure web applications for security training. These repositories can be cloned to your local machine and run at no cost.
Why they make excellent practice targets:
They are free, they are open source, and you have complete control over the environment (you can view the source code, see how each vulnerability works, and test them using SQLmap).
Where you can find them:
VulnVault (Python/Flask):
👉 https://github.com/pleontis/VulnVault-A-Deliberately-Insecure-Web-App
Burp Suite Test Website (Node.js):
👉 https://github.com/aishide/Burp_suit_test_website
How to get set up with them:
Using git, you clone the repository, install the dependencies, and run the application locally. Most of these applications provide a Docker environment or can be started with a few Python or Node.js commands.
Each of the GitHub repositories has an adequate amount of documentation to set up your local environment to run the application.
What you will learn from them:
Each application will allow you to practice various forms of web application vulnerabilities such as: SQL injection, XSS, CSRF, insecure file uploads, broken authentication, etc.
You can start by using SQLmap against the SQL injection flaws; beyond that, you can broaden your knowledge by attempting to exploit the other vulnerabilities in the application.
Option 6: SQL Injection Labs from Pluralsight
SQL Injection Labs from Pluralsight allow you to practice SQL Injection using SQLmap in an interactive lab environment.
Why they are a good target:
The labs are hosted in a fully contained cloud environment in which you do not need to set up anything on your machine; both the target application and Kali Linux with SQLmap pre-installed are contained within the lab.
Where You Can Access This Resource:
👉 https://www.pluralsight.com/product/labs
Search the lab libraries for "Initial Access using SQLmap" and "Performing SQL Injection or XSS Attacks"
How to Access this Resource:
You need a Pluralsight subscription to access the labs; once you have one, you can find the SQLmap lab and launch it without doing a local install.
What You Will Practice:
The goal of these labs is to identify misconfigurations in a web application via SQL injection and use SQLmap to exploit the vulnerable application. The labs also walk you through using Burp Suite to capture requests and feed them to SQLmap for a specific application or vulnerability.
Option 7: Build Your Own Vulnerable Application
If you want complete control over your testing environment, you can build your own deliberately vulnerable application.
Why this is a good target:
You know exactly which vulnerabilities exist. You can also share the application with other users as an easy way for them to test SQLmap.
The steps are straightforward: create a basic PHP or Node.js app with a search field or login form that concatenates the user input directly into the SQL query. Deliberately skip prepared statements and parameterized queries; that is what makes it injectable.
Where to learn:
👉 https://www.php.net/manual/en/security.database.sql-injection.php (Understanding SQL injection in PHP)
What to practice:
This is exactly the kind of vulnerable code that SQLmap exploits. Practice on your own creation, then learn how to fix it with prepared statements. This gives you both offensive and defensive skills.
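A minimal version of the self-built target described above, with its fixed form beside it, as an added example that is not code from the article (written in Python with the standard sqlite3 module rather than PHP or Node.js; the table, users and credentials are constructed for the lab):

```python
import sqlite3

# Constructed sample data for a throwaway lab database; nothing here is real.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "wonderland")]


def make_lab_db():
    """Create an in-memory SQLite database with a plaintext users table (lab only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The flaw the article describes: user input concatenated straight into SQL."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Injectable login: returns the matched username, or None."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with a parameterized query; input is never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_lab_db()
    # A comment payload closes the string literal and comments out the password check.
    payload = "admin' --"
    print(build_vulnerable_query(payload, "anything"))
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # admin
    print("safe:      ", login_safe(db, payload, "anything"))        # None
    print("safe, real creds:", login_safe(db, "admin", "s3cret"))    # admin
```

Point SQLmap at the vulnerable form to see it confirm the flaw, then swap in the parameterized version and re-run it to confirm the fix.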
A Full SQLmap Practice Workflow
This workflow is intended to give you some examples for practicing on these ethical targets.
Beginner Level:
Start with DVWA at the low security level and use SQLmap to enumerate databases and tables, learning the basic syntax: listing databases, listing tables, and dumping data.
Intermediate Level:
Next, move to an online vulnerable test site such as testasp.vulnweb.com to gain experience with live targets and their real-world latency and response times. Practice using the batch flag to skip prompts and the level and risk options to increase the intensity of the scans.
Advanced Level:
Use TryHackMe's SQLmap lab, where you capture requests with Burp Suite and pass them to SQLmap, simulating a real penetration testing workflow.
Expert Level:
Use SQLmap with tamper scripts to bypass basic WAF rules. Practice on the higher security levels of DVWA, which require more advanced techniques. Build your own vulnerable application with custom SQL injection flaws that are not apparent at first.
SQLmap Commands for Practice
The following are the main SQLmap commands to use against these practice targets.
You should remember sqlmap -u "URL" as the base command to see if a parameter in the URL is vulnerable.
Using --dbs will list all the databases on the target.
To use a specific database, you can use the -D parameter.
To list tables in a specific database, add --tables.
If you want to use a specific table, add -T with the table name.
To list columns in a specific table, add --columns.
To dump data from a specific table, add --dump to the command. Adding --batch makes SQLmap use the default answer for every prompt (including whether to run dictionary attacks on recovered password hashes), so it runs without asking you for input at every single step.
The --level option changes the intensity of SQLmap's scan from 1 to 5 (higher levels test more parameters and payloads), and --risk sets the risk level of the tests from 1 (least aggressive) to 3 (most aggressive).
The -r switch allows you to use a request file you have captured with Burp Suite and is very useful when testing complex requests with lots of parameters.
Where to Download SQLmap:
Before you practice, you need SQLmap itself.
👉 https://sqlmap.org (Official website with download links)
👉 https://github.com/sqlmapproject/sqlmap (GitHub repository)
SQLmap comes pre-installed on Kali Linux and Parrot OS. If you are using another operating system, you can download it from the links above. The GitHub page has installation instructions for Windows, macOS, and Linux.
What to Avoid
These places are not legal targets, even if they seem tempting.
1. Do not test on any website you do not own.
2. Do not test on your employer's website without written permission.
3. Do not test on your university's website without written permission.
4. Do not test on government or military websites.
5. Do not test on banking or financial websites.
6. Do not assume that a website is safe to test just because it looks old or abandoned.
7. Do not use SQLmap on public Wi-Fi to test random sites.
8. Do not run SQLmap against API endpoints you do not control.
9. Do not test bug bounty programs without reading their scope rules. Many programs explicitly forbid automated tools like SQLmap. Always read the rules before testing.
If you are unsure whether a target is legal to test, assume it is not. The only safe targets are your own systems, local lab environments, and websites that explicitly state they allow security testing.
The Bottom Line
You have many legal options for practicing SQLmap. You can run DVWA or Juice Shop locally on your own machine. You can use online test sites hosted by security companies. You can access guided labs on TryHackMe or Pluralsight.
You can clone vulnerable web applications from GitHub and run them locally. You can even build your own deliberately vulnerable application from scratch.
All of these options are safe, legal, and mostly free. The links provided in this article will take you directly to each resource.
The key is to never test on a website you do not own or have explicit permission to test. The practice targets listed here exist precisely for this purpose. Use them.
Now go practice. The only way to learn SQLmap is to use it, and now you know exactly where you can do that safely and legally.
Start here: 👉 https://github.com/digininja/DVWA
FAQ Section
Is it against the law to utilize SQLmap on any website that is not owned by myself?
Yes. Pointing SQLmap at another website without the owner's permission is illegal in many countries because it falls under computer misuse laws. You may only use SQLmap on your own site, in a local lab environment, or on a site that gives clear permission for security testing.
What is the best free way to use SQLmap on my computer?
The best free way is to download Damn Vulnerable Web Application (DVWA) from https://github.com/digininja/dvwa and run it on your own computer, either via Docker or XAMPP. This gives you unlimited practice with zero risk of breaking the law, since you are testing your own installation.
Can I test out SQLmap without having to download anything to my personal computer?
Yes. You can use one of the live demo websites to practice with SQLmap: OWASP Juice Shop or testasp.vulnweb.com. Both are meant to serve as testing environments for security professionals and do not require you to download any programs onto your computer.
Is it acceptable for me to use any of the test sites in the above paragraph to practice using SQLmap?
Yes, the sites mentioned were purposely created to help you learn and practice SQLmap; however, do not expect to be able to use SQLmap on every other website you visit.
Where do I go to obtain the version of SQLmap that is compatible with my OS?
You can download it from either https://sqlmap.org (official site) or https://github.com/sqlmapproject/sqlmap (GitHub repository). Additionally, you will find that SQLmap is already included with the Kali Linux and ParrotOS distributions.