The sqlmap tool is perhaps the most complete SQL injection tool available now. It automates the process of discovering a SQL injection flaw, accurately guessing the database type and exploiting the injection flaw to take control over the entire database server. It can also be used as a remote shell once the injection is exploited, or it can trigger a Metasploit payload (such as Meterpreter) for more advanced access.
Some of the features of sqlmap are as follows:
- It provides support for all major database systems
- It is effective on both error-based and blind SQL injection
- It can enumerate table and column names and also extract user and password hashes
- It supports downloading and uploading of files by exploiting an injection flaw