Handling SQLMap Errors¶
Every penetration tester has stared at a failing SQLMap scan wondering what went wrong. This section covers every common error and the exact steps to fix it.
Connection Errors¶
"connection timed out to the target URL"¶
Root Cause: SQLMap cannot reach the target server within the default timeout (30 seconds).
Solutions:
# If the target is on an internal network:
sqlmap -r request.txt --proxy="http://your-vpn-proxy:8080"
Checklist:
- Is the target URL correct? (no typos)
- Is the target server running? (try
curlor browser) - Is your VPN/tunnel active? (for internal targets)
- Is a firewall blocking your IP?
- Are you behind a corporate proxy?
"connection refused by the target URL"¶
Root Cause: The server is actively refusing connections on that port.
Solutions:
- Verify the correct port (80 vs 443 vs 8080)
- Check if the service uses HTTPS: try
https://instead ofhttp:// - Verify firewall rules aren't blocking your IP
SSL/TLS Errors¶
Solutions:
# SQLMap doesn't verify SSL certs by default, but if you have issues:
sqlmap -r request.txt --force-ssl
Detection Failures¶
"all tested parameters do not appear to be injectable"¶
[WARNING] GET parameter 'id' does not appear to be injectable
[CRITICAL] all tested parameters do not appear to be injectable. Try to
increase values for '--level'/'--risk' options if you wish to perform more tests.
This is the most common error beginners encounter. Here's a systematic troubleshooting process:
Step 1: Increase Level and Risk¶
What this changes:
| Setting | Level 1 (default) | Level 5 (max) |
|---|---|---|
| GET/POST params | ✅ Tested | ✅ Tested |
| Cookie values | ❌ Skipped | ✅ Tested |
| User-Agent header | ❌ Skipped | ✅ Tested |
| Referer header | ❌ Skipped | ✅ Tested |
| Host header | ❌ Skipped | ✅ Tested |
| Number of payloads | ~100 | ~5000+ |
| Setting | Risk 1 (default) | Risk 3 (max) |
|---|---|---|
| AND-based tests | ✅ | ✅ |
| OR-based tests | ❌ | ✅ |
| UPDATE-based tests | ❌ | ✅ |
| Heavy time-based tests | ❌ | ✅ |
Step 2: Specify the DBMS¶
If you know (or suspect) the database type, tell SQLMap:
sqlmap -r request.txt --dbms=mysql
sqlmap -r request.txt --dbms=mssql
sqlmap -r request.txt --dbms=postgresql
This eliminates payloads for other DBMS types and focuses testing.
Step 3: Manually Specify the Injection Technique¶
Step 4: Add Custom Prefix/Suffix¶
The application might wrap your input in a specific SQL context. You can tell SQLMap what comes before and after the injection point:
Step 5: Check if the Parameter Is Actually Injectable¶
Go back to manual testing. In Burp Suite, try these payloads:
id=1' → Does it cause an error?
id=1 AND 1=1 → Same response as normal?
id=1 AND 1=2 → Different response?
id=1' AND '1'='1 → Same response as normal?
id=1' AND '1'='2 → Different response?
If none of these cause any observable difference, the parameter might genuinely not be injectable.
"heuristic (basic) test shows that GET parameter 'id' might not be injectable"¶
What this means: SQLMap sent a single quote (') and didn't see an error or notable change in the response. This is a heuristic, not a definitive answer.
What to do: Continue the scan — the full test suite may still find injection:
False Positives & False Negatives¶
Dealing with False Positives¶
Sometimes SQLMap reports injection when there isn't one. This is more common with:
- Unstable pages (dynamic content, ads, timestamps)
- Redirections that happen to match the comparison
- Applications that return the same page regardless of input
How to verify:
sqlmap -r request.txt --string="Welcome, admin"
Dealing with False Negatives¶
SQLMap says "not injectable" but you know it is:
sqlmap -r request.txt \
--level=5 \
--risk=3 \
--dbms=mysql \
--technique=BEUSTQ \
--tamper=space2comment \
--threads=1 \
--time-sec=10 \
--flush-session
WAF/IPS Detection¶
"heuristics detected that the target is protected by some kind of WAF/IPS"¶
What this means: SQLMap detected patterns consistent with a WAF blocking its requests. This could be Cloudflare, ModSecurity, AWS WAF, etc.
Solutions:
See the Bypassing Web Application Protections section for detailed WAF evasion techniques.
Requests Being Blocked (403 Forbidden)¶
[WARNING] target URL responded with status code 403 (Forbidden).
sqlmap is going to retry the request
Solutions:
Session and State Issues¶
"possible integer casting detected"¶
What this means: The application converts your input to an integer before using it in a query. Injected SQL text is stripped.
Solutions:
- This parameter is likely not injectable with standard string-based payloads
- Try arithmetic-based tests: The parameter might be injectable with numeric operations
- Move on to testing other parameters
"target URL content is NOT stable"¶
Already covered in the Output Description section, but to recap:
Stale/Wrong Results from Cache¶
Performance Issues¶
Scan Running Extremely Slowly¶
Possible causes and fixes:
sqlmap -r request.txt -o
# Equivalent to: --predict-output --keep-alive --null-connection --threads=3
Scan Taking Too Long on Blind Injection¶
Blind injection is inherently slow. Speed it up:
Don't Set --time-sec Too Low
If you set --time-sec too low (e.g., 1 second), SQLMap may confuse normal network latency with an intentional delay, leading to false positives. Keep it at 2-3 seconds minimum.
Systematic Troubleshooting Checklist¶
When SQLMap isn't working, run through this checklist:
- Connection: Can you reach the target? (
curl -v <URL>) - Authentication: Does the request include valid session cookies/tokens?
- Request format: Is the Content-Type correct? (URL-encoded vs JSON vs XML)
- Correct parameter: Are you testing the right parameter? (
-p param) - Injection point: Does manual testing confirm injectable behavior?
- Level/Risk: Have you tried
--level=5 --risk=3? - DBMS: Have you specified
--dbms? - WAF: Is a WAF blocking payloads? (
--identify-waf) - Cache: Have you flushed the session? (
--flush-session) - Technique: Have you tried limiting/expanding techniques? (
--technique) - Prefix/Suffix: Does the injection context need custom prefix/suffix?
- Verbose output: Run with
-v 3or higher to see what's happening