Injection attacks with sqlmap
sqlmap is an open source tool built in Python that detects and exploits SQL injection vulnerabilities. It has full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM Db2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB, and Informix databases. In this recipe, we will cover how to use sqlmap to test and exploit SQL injection.
How to do it...
The following are the steps to use sqlmap:
- We first take a look at the help of sqlmap for a better understanding of its features. This can be done using the following command:
sqlmap -h
The following screenshot shows the output for the preceding command:
- To scan a URL, we use the following command:
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1"
- Once a SQL injection has been detected, we can choose yes (Y) to skip other types of payloads:
- Once the SQL injection has been detected, we can list the database names using the --dbs flag:
- We have the databases now; similarly, we can...
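A scan like the one in these steps is visible in the target's web server access log. The following is an added example, not part of the original recipe: it flags requests that carry sqlmap's default User-Agent or SQL syntax in a query parameter. The log lines, IP addresses, sqlmap version string and the scan() helper are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format); not captured traffic.
SAMPLE_LOG = '''\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /artists.php?artist=1%20AND%204821%3D4821 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /artists.php?artist=1%20UNION%20ALL%20SELECT%20NULL%2CNULL HTTP/1.1" 200 4300 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 4980 "-" "curl/8.4.0"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# SQL syntax that has no business in a numeric id parameter such as "artist".
SQLI_RE = re.compile(
    r"\bunion\s+(?:all\s+)?select\b|\b(?:and|or)\s+\d+\s*=\s*\d+"
    r"|\bsleep\s*\(|\binformation_schema\b|--|/\*", re.I)


def scan(log_text):
    """Return [(client_ip, [reasons])] for requests that look like SQLi probing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore it
        reasons = []
        # The User-Agent is client-controlled, so treat it as a hint only.
        if "sqlmap" in m["ua"].lower():
            reasons.append("sqlmap user-agent")
        # parse_qsl percent-decodes values, so encoded payloads are matched too.
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if SQLI_RE.search(value):
                reasons.append(f"SQL syntax in parameter '{name}'")
        if reasons:
            findings.append((m["ip"], reasons))
    return findings


if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "; ".join(reasons))
```

Because the User-Agent can be changed by the client, the parameter check is the more reliable of the two signals; the fix for the underlying flaw remains parameterized queries in the application.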