Guide to SQL Injection and other by Bilge Çimen

What is SQL Injection?

If you have no idea about what is SQL Injection it is basically, a very popular method which allows us to run queries on the target db. Things we can accomplished with SQL Injection is numerous, for more info visit Owasp doc from here.

What is Owasp-zap and How to Search for SQL Injection Vulnerabilities?

Owasp-zap is a powerful tool for searching web app vulns. It has simple yet powerful UI for beginners. It’s usually bundled with Pentest OSes like Kali Linux and Parrot. If you are not using any of them you can manually download it from here.

Start the owasp-zap

Owasp-zap Quick Start

The Spider will start to crawl all the links that can be reached from the site:

Owasp-zap Spider

Then the active scan will start to look for vulnerabilities on that links(This one can take a while).

Owasp-zap Active Scan

In this post I will cover the SQL Injections with GET requests so we will look for the vulns with GET requests.

If you scanned a site with a sql injection vuln you should see flags like this in alerts tab.

Owasp-zap Flags

Select one of the GET requests and copy the URL. Owasp-zap tells us sql injection may be possible now it’s time too test it. Note: When you click the request the right pane fills with information you can see the parameter here clear the other parameters in the url for better results in the Sqlmap.


Sqlmap is a tool which helps us to test possibly vuln links. It’s also bundled with Pentest OSes. You can manually download it from here.

Start sqlmap from terminal with the sqlmap -u "URLHERE" command.
It will scan the link and show you the vulns if is there any. If you find a vuln you can test what are the things you can accomplished with this vuln.

Sqlmap Found Vuln

After you found the vuln you can use sqlmap -u "URL" --dbs command to list dbs on the server which you can access with this vuln. You can list the tables in a db with
sqlmap -u "URL" --tables -d database_name command. You can list the names of columns in a table with
sqlmap -u "URL" --columns -d database_name -T table_name command.

You can get the data in this table with sqlmap -u "URL" --dump -d database_name -T table_name command.

If you have troubles with dumping the data(a empty table for instance) you can try --no-cast parameter or --hex parameter. Also using threads can cause errors on data dump too.

If you have any questions feel free to ask them. Hope you liked this post :)

Originally posted at:

September 17, 2019
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013