Sqlmap MCP

🚀 SQLMap MCP Server (FastMCP)

A Model Context Protocol (MCP) server built with FastMCP that exposes SQLMap CLI tools as MCP functions for automated SQL injection testing and database reconnaissance.

🚀 Quick Start

This MCP server offers programmatic access to SQLMap's powerful SQL injection testing capabilities through a standardized interface. It's built with FastMCP for simplicity and ease of use, allowing AI assistants and other MCP clients to perform automated security testing, database enumeration, and vulnerability assessment.

✨ Features

Core SQLMap Capabilities Exposed

1. Basic Scanning

   • Detect SQL injection based on URLs.
   • Configure test levels and perform risk assessment.
   • Support multiple injection techniques.

2. Database Enumeration

   • Discover and list databases.
   • Enumerate tables within databases.
   • Enumerate columns within tables.
   • Analyze database schemas.

3. Data Retrieval

   • Dump table data with filtering options.
   • Extract selective columns.
   • Support the WHERE clause for targeted queries.

4. System Information

   • Retrieve the database banner.
   • Identify the current user.
   • Detect the current database.
   • Enumerate hostnames.

5. Advanced Access

   • Access the file system (read files from the database server).
   • Execute operating system commands.
   • Inject custom payloads.

6. Advanced Options

   • Support proxies.
   • Integrate with the Tor network.
   • Configure custom User - Agents.
   • Support multi - threading.
   • Configure request timeouts.

📦 Installation

Prerequisites

1. Python 3.13+ (as specified in pyproject.toml)
2. FastMCP - Automatically installed via dependencies
3. SQLMap - Install via your preferred method:

   # Using Homebrew (macOS)
   brew install sqlmap
   
   # Using pip
   pip install sqlmap
   
   # Or clone from GitHub
   git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
   

Setup

1. Clone the repository:

   git clone <repository-url>
   cd sqlmap-mcp
   

2. Install dependencies:

   # Using uv (recommended)
   uv sync
   
   # Or using pip
   pip install -e .
   

3. Verify SQLMap installation:

   sqlmap --version
   

💻 Usage Examples

Basic Usage

Running the Server

python server.py

MCP Client Configuration

Add this server to your MCP client configuration:

{
  "mcpServers": {
    "sqlmap": {
      "command": "python",
      "args": ["/path/to/sqlmap-mcp/server.py"],
      "env": {}
    }
  }
}

Advanced Usage

Available Tools

Example Usage

Basic URL Scan

{
  "name": "sqlmap_scan_url",
  "arguments": {
    "url": "http://example.com/vuln.php?id=1",
    "level": 2,
    "risk": 2
  }
}

Database Enumeration

{
  "name": "sqlmap_enumerate_databases",
  "arguments": {
    "url": "http://example.com/vuln.php?id=1"
  }
}

Advanced Scan with Proxy

{
  "name": "sqlmap_advanced_scan",
  "arguments": {
    "url": "http://example.com/vuln.php?id=1",
    "proxy": "http://127.0.0.1:8080",
    "level": 3,
    "risk": 2,
    "threads": 5,
    "random_agent": true
  }
}

📚 Documentation

Security Considerations

⚠️ Important Note

• Legal Compliance: Only use this tool on systems you own or have explicit permission to test.
• Authorization: Ensure you have proper authorization before performing any security testing.
• Environment Isolation: Use in isolated testing environments to prevent unintended access to production systems.
• Data Protection: Be aware that SQLMap can extract sensitive data from databases.
• Rate Limiting: Implement appropriate rate limiting to avoid overwhelming target systems.
• Logging: Monitor and log all activities for audit purposes.

💡 Usage Tip

• Test Environment: Always test in a controlled, isolated environment first.
• Documentation: Document all testing activities and results.
• Responsible Disclosure: If vulnerabilities are found, follow responsible disclosure practices.
• Access Control: Restrict access to this MCP server to authorized personnel only.
• Monitoring: Implement monitoring to detect unauthorized usage.

Development

Project Structure

sqlmap-mcp/
├── server.py          # Main FastMCP server implementation
├── pyproject.toml     # Project configuration and dependencies
├── README.md          # This file
└── .gitignore         # Git ignore rules

Adding New Tools

To add new SQLMap functionality with FastMCP:

1. Add a new function decorated with @app.tool()
2. Define the function parameters with proper type hints
3. Add a docstring describing the tool's purpose
4. Implement the SQLMap command execution logic

Example:

@app.tool()
async def my_new_tool(url: str, param: Optional[str] = None) -> str:
    """Description of what this tool does"""
    args = ["-u", url]
    if param:
        args.extend(["--param", param])
    result = await sqlmap_executor.execute_sqlmap(args)
    return result.output if result.success else f"Error: {result.error}"

Testing

# Test the server
python server.py

# Test with a simple MCP client
# (Use your preferred MCP client to test the tools)

Troubleshooting

Common Issues

• SQLMap not found: Ensure SQLMap is installed and accessible in your PATH.
• Permission denied: Check file permissions and ensure proper access rights.
• Timeout errors: Increase timeout values for complex scans.
• Connection issues: Verify network connectivity and proxy settings.

Debug Mode

Enable debug logging by modifying the server configuration or adding logging statements.

📄 License

This project is licensed under the same license as SQLMap (GPLv2). See the LICENSE file for details.

Acknowledgments

• SQLMap Project - The underlying SQL injection testing tool
• FastMCP - The simplified MCP framework
• Model Context Protocol - The MCP specification and implementation

Support

For issues and questions:

1. Check the troubleshooting section.
2. Review SQLMap documentation.
3. Open an issue on the project repository.

⚠️ Important Note

This tool is for educational and authorized security testing purposes only. Users are responsible for ensuring they have proper authorization before using this tool on any system.