SQLmap is an automatic SQL injection tool that allows a penetration tester to discover vulnerabilities, perform exploitation attacks, manipulate records, and retrieve data from a database.
To perform a scan using SQLmap, use the following command:
sqlmap –u "http://website_URL_here"
Additionally, the following parameters can be used to perform various tasks:
- --dbms=database_type: Performs a backend brute-force attack. An example is --dbms=mysql.
- --current-user: Retrieves the current database user.
- --passwords: Enumerates password hashes.
- --tables: Enumerates tables within the database.
- --columns: Enumerates columns within the tables.
- --dump: Dumps data table entries.
In the following section, we will discuss ways to prevent SQL injection.