SQLMap & GET Requests

SQLMap is a great tool that can automate injections. Here’s how to do a simple SQLi with an HTTP GET request.

Going to the “View Blogs” page in Mutillidae, we have a drop-down menu of authors. With intercept on in Burp Suite, we request the admin's blog.

Burp Suite captures the request.

We copy and paste the request into a new file, which I’ll call attack.txt. Reading the file confirms the request is there.

Next we run sqlmap with the command

sqlmap -r attack.txt --dbs

to list the available databases. Saving the GET request to a file and passing it to sqlmap with -r lets sqlmap read whatever data it needs from the request, instead of us supplying it manually.

A few minutes later sqlmap finishes and we have a list of DBs.

From here we can select a DB, enumerate its tables, and then dump the data.

We’ll pick ‘nowasp’ for enumerating some tables.

sqlmap -r attack.txt -D nowasp --tables

Next we’ll dump the info in the accounts table:

sqlmap -r attack.txt -D nowasp -T accounts --dump

And that’s all there is to it!
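
Seen from the server side, a run like the one above shows up as a burst of GET requests from one client whose query-string values contain SQL syntax. The following is an added example (not part of the original post) that flags such clients in a web access log; the log lines, the /blog.php path, the author parameter name and the threshold are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (common log format); IPs, path and the
# "author" parameter are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /blog.php?author=admin HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /blog.php?author=admin%27%20AND%201%3D1--%20- HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /blog.php?author=admin%27%20ORDER%20BY%203--%20- HTTP/1.1" 200 731
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /blog.php?author=admin%27%20UNION%20ALL%20SELECT%20schema_name%20FROM%20information_schema.schemata--%20- HTTP/1.1" 200 6044
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /blog.php?author=john HTTP/1.1" 200 4810
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /blog.php?author=o%27%20OR%201%3D1 HTTP/1.1" 200 5120
"""

# Client address and request target of a GET request line.
REQUEST = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+"')

# SQL fragments that rarely belong in a blog-author parameter value.
SQL_TOKENS = re.compile(
    r"\bunion\b.+\bselect\b|\binformation_schema\b|\bsleep\s*\("
    r"|\border\s+by\s+\d+|\b(?:and|or)\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)

def suspicious_clients(log_text, threshold=3):
    """Return {client_ip: hits} for clients with at least `threshold` GET
    requests whose decoded query-string values contain SQL syntax."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a GET request line we can parse
        ip, target = m.groups()
        # parse_qsl URL-decodes each value, so %27 and %20 are normalised
        # before matching.
        query = urlsplit(target).query
        values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
        if any(SQL_TOKENS.search(v) for v in values):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests with SQL syntax in query parameters")
```

The threshold separates a sustained run from a single stray request; tune it and the token list to the application's normal traffic.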