SQLMap is a great tool that can automate injections. Here’s how to do a simple SQLi with an HTTP GET request.
Going to the “View Blogs” page in Mutillidae, we have a drop-down menu of authors. With intercept on in Burp Suite, we request the admin’s blog.
Burp Suite captures the request.
We copy and paste it into a new file, which I’ll call attack.txt. Reading the file confirms the request is there.
We run sqlmap with the command
sqlmap -r attack.txt --dbs
to list the available databases. The purpose of saving the GET request to a file and passing it to sqlmap with -r is to let sqlmap take whatever data it needs (URL, parameters, headers, cookies) from the request instead of us entering it manually.
A few minutes later sqlmap finishes and we have a list of DBs.
From here we can select a DB and then enumerate tables and then dump the data.
We’ll pick ‘nowasp’ for enumerating some tables.
sqlmap -r attack.txt -D nowasp --tables
Next we’ll dump the contents of the accounts table:
sqlmap -r attack.txt -D nowasp -T accounts --dump
And that’s all there is to it!
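What a run like this looks like from the server side, as an added example that is not part of the original walkthrough: a small detector over web access logs that flags a client sending several distinct SQL-looking values to the same parameter. Because the request file supplies the headers, the check keys on the query string rather than the User-Agent. The log lines, the `/blog` path, the addresses and the `min_hits` threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined format). Addresses, the /blog path and
# the probe values are made up; every line carries the same browser User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /blog?author=admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /blog?author=O%27Brien HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /blog?author=admin%27 HTTP/1.1" 500 310 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:01:01 +0000] "GET /blog?author=admin%27%20AND%201%3D1--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:01:01 +0000] "GET /blog?author=admin%27%20UNION%20SELECT%20NULL--%20- HTTP/1.1" 500 310 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /blog?author=admin%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client, identd, user, [time], "METHOD target PROTO", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# SQL syntax that has no business in an author name. A quote only counts when
# it ends the value or is followed by a comment marker, so "O'Brien" passes.
SQLI = re.compile(
    r"""union\s+select|information_schema|\bsleep\s*\(|"""
    r"""\b(?:and|or)\s+\d+\s*=\s*\d+|order\s+by\s+\d+|'\s*(?:--|#|$)""",
    re.I,
)

def find_probing(log_text, min_hits=3):
    """Return {(client, path, param): [values]} for every client that sent at
    least min_hits distinct SQL-looking values to one parameter."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, target, _status = m.groups()
        url = urlsplit(target)
        # parse_qsl URL-decodes the values, so %27 is matched as a quote
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SQLI.search(value):
                hits[(client, url.path, name)].add(value)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_hits}

if __name__ == "__main__":
    for (client, path, param), values in find_probing(SAMPLE_LOG).items():
        print(f"{client}: {len(values)} SQL-like values sent to {path}?{param}=")
```

This only surfaces the attempt; binding the author value as a query parameter in the application is what removes the injection.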