SQL shell

One of the cool features in SQLMap is the SQL shell. It invokes SQLMap's built-in interactive SQL interpreter, presented so that it feels like working with a database's own SQL utility.

The interpreter is invoked by using --sql-shell. Let's check this out as follows:

./sqlmap.py -u "http://192.168.50.2/Less-1/?id=2" --sql-shell

The output is shown in the following screenshot:

[Screenshot: SQL shell]

That example makes data retrieval with an injection look so simple. However, there are some quirks with this. Since most SQL injection issues are typically based on SELECT queries, the SQL shell might not work with other types of options ...
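The SELECT limitation can be reproduced offline. The following is an added example, not code from the book or from SQLMap: it assumes Python's sqlite3 module as a stand-in for the lab database, and the table, function names, and the READ and WRITE inputs are constructed. It shows that an injection point inside a SELECT allows reads, that a stacked write is refused when the driver runs one statement per call, and that a bound parameter stops both.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the lab database.
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(id INTEGER, username TEXT, password TEXT);"
        "INSERT INTO users VALUES (1,'alice','pw1'),(2,'bob','pw2');"
    )
    return db

def lookup_vulnerable(db, user_id):
    # Deliberately vulnerable: the parameter is concatenated into a SELECT.
    return db.execute(
        "SELECT id, username FROM users WHERE id = " + user_id).fetchall()

def lookup_hardened(db, user_id):
    # Bound parameter: the input is only ever compared as a value.
    return db.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)).fetchall()

def attempt(db, lookup, value):
    """Run one lookup; return its rows, or the driver's exception class name."""
    try:
        return lookup(db, value)
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return type(exc).__name__

def passwords(db):
    return [r[0] for r in db.execute("SELECT password FROM users ORDER BY id")]

# Constructed inputs: a SELECT-shaped read and a stacked (second-statement) write.
READ = "0 UNION SELECT id, password FROM users"
WRITE = "2; UPDATE users SET password = 'changed'"

def demo():
    db = make_db()
    return {
        "vuln_read": attempt(db, lookup_vulnerable, READ),
        "vuln_write": attempt(db, lookup_vulnerable, WRITE),
        "safe_read": attempt(db, lookup_hardened, READ),
        "safe_write": attempt(db, lookup_hardened, WRITE),
        "safe_normal": attempt(db, lookup_hardened, "2"),
        "passwords_after": passwords(db),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

A backend call that accepts several statements at once would not refuse the stacked write, so single-statement execution is a useful limit but the bound parameter is the actual fix.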
