How it works...
SQLMap fuzzes all inputs in the given URL and data, or only the specified one in the -p option, with SQLi strings and interprets the response to discover whether or not there is a vulnerability. It's good practice not to fuzz all inputs; it's better to use SQLMap to exploit an injection that we already know exists and always try to narrow the search process providing all information available to us, such as vulnerable parameters, DBMS type, and others; looking for an injection with all the possibilities open could take a lot of time and generate very suspicious traffic in the network.
In this recipe, we already knew that the username parameter was vulnerable to SQLi (since we used the SQLi test page from mutillidae). In the ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access