Detecting SQL injections and extracting data using SQLmap

SQLmap is an automatic SQL injection tool that allows a penetration tester to discover vulnerabilities, perform exploitation attacks, manipulate records, and retrieve data from a database.

To perform a scan using SQLmap, use the following command:

sqlmap -u "http://website_URL_here"

Additionally, the following parameters can be used to perform various tasks:

  • --dbms=database_type: Performs a backend brute-force attack. An example is --dbms=mysql.
  • --current-user: Retrieves the current database user.
  • --passwords: Enumerates password hashes.
  • --tables: Enumerates tables within the database.
  • --columns: Enumerates columns within the tables.
  • --dump: Dumps data table entries.
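From the defender's side, the scan described above leaves a recognisable trace in the web server's access log. The following Python script is an added example, not code from the book or from the SQLmap project: it parses Apache combined-format log lines (constructed samples, not captured traffic) and flags requests whose User-Agent advertises sqlmap or whose query string carries common probe fragments; the pattern list is illustrative, not exhaustive.

```python
"""Flag access-log lines that look like an automated SQL injection scan.

Added example (not from the book). Assumes Apache "combined" log format and
the default sqlmap User-Agent, which contains the word "sqlmap". The sample
lines at the bottom are constructed, not real traffic.
"""
import re
from urllib.parse import unquote_plus

# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Fragments typical of injection probes; checked after URL-decoding the query string.
SQLI_PATTERNS = [
    re.compile(r"union\s+(all\s+)?select", re.I),
    re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),         # tautology, e.g. AND 1=1
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),  # time-based blind probes
    re.compile(r"information_schema", re.I),                 # schema enumeration
    re.compile(r"'\s*(and|or)\s+'", re.I),                   # quoted boolean probes
]

def flag_line(line: str):
    """Return the reasons this line looks like a scan (empty list means clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    if "sqlmap" in m["ua"].lower():
        reasons.append("user-agent advertises sqlmap")
    query = unquote_plus(m["path"].partition("?")[2])
    for pat in SQLI_PATTERNS:
        if pat.search(query):
            reasons.append(f"query matches /{pat.pattern}/")
    return reasons

def scan(lines):
    """Return [(ip, path, reasons)] for every line that trips at least one indicator."""
    hits = []
    for line in lines:
        reasons, m = flag_line(line), LOG_RE.match(line)
        if reasons and m:
            hits.append((m["ip"], m["path"], reasons))
    return hits

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=42%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /item.php?id=42%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(ip, path, "; ".join(reasons))
```

The User-Agent check only catches scans that keep the default agent string, as the third sample line shows; the query-string patterns are what carries the detection once the agent string has been changed.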

In the following section, we will discuss ways to prevent SQL injection.
