Used to automate SQLi attacks (and apparently banned on the OSCP because it makes things too easy).
Useful flags:
-u URL/--url=URL- process URL (this must include the query parameters or you must specify POST parameters using--data)-p- which URL parameter(s) (variables) to test--dbms=DB_TYPE- only use injections for a given type of backend database (MySQL, PostgreSQL, etc.)--dbs- enumerate DBs-D/-T/-C- dump a specific database/table/column--dump/--dump-all/--all- dump data--os-shell- attempt to spawn an interactive shell--os-pwn- attempt to spawn a Metasploit meterpreter shell or VNC session--forms- parse target URL for forms, and use these--batch- don’t prompt for user input, just use the defaults--risk- set the maximum risk level of tests (1 - 3, lowest to highest risk)
For example:
sqlmap -u http://example.com/test.php?input=foo \
--dump-allOr:
sqlmap -u http://example.com/test.php \
--data input=foo --dump-allOne handy way to seed a URL is using requests harvested with Burp Suite.