Note: in this case, the option '-u' is used to provide the target URL, while the switch '--batch' skips any required user input by automatically choosing the default option.
Supported Injection types:
Boolean-based Blind Injection:
SQLMap exploits these vulnerabilities through the differentiation of TRUE from FALSE query results.
The differentiation is done by comparing server responses.
TRUE - no or only marginal difference from the regular response
FALSE - substantial difference from the regular response
Error Based:
Performed when DBMS errors are returned as part of the server response.
Error-based SQLi is considered faster than all other types, except UNION query-based, because it can retrieve a limited amount (e.g., 200 bytes) of data called "chunks" through each request.
Union based:
Extends the original vulnerable query with the results of the injected statements.
The additional results can be extracted and displayed on the response page itself.
Stacked:
IN; DROP TABLE users;
Time based:
The server response time is checked.
TRUE: noticeable difference in response time
FALSE: no difference in response time
Inline queries:
embedded in a query
Out of band:
SQLMap supports out-of-band SQLi through "DNS exfiltration," where requested queries are retrieved through DNS traffic.
By running SQLMap on the DNS server for the domain under control (e.g. attacker.com), SQLMap can perform the attack by forcing the server to request non-existent subdomains (e.g. foo.attacker.com), where foo would be the SQL response we want to receive. SQLMap can then collect these erroring DNS requests and extract the foo part to form the entire SQL response.
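A defender-side view of the DNS exfiltration described above, as an added example that is not part of the original notes or of SQLMap: it scans a resolver log for one client producing many distinct NXDOMAIN lookups under a single zone in a short window. The log format, the sample lines, the function names and the thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample resolver log; the line format is an assumption:
# <epoch_seconds> <client_ip> <queried_name> <rcode>
SAMPLE_LOG = """\
1700000000 10.0.5.20 www.example.org NOERROR
1700000002 10.0.5.20 726f6f74.q1.example.net NXDOMAIN
1700000003 10.0.5.20 406c6f63.q1.example.net NXDOMAIN
1700000004 10.0.5.20 616c686f.q1.example.net NXDOMAIN
1700000005 10.0.5.20 7374.q1.example.net NXDOMAIN
1700000006 10.0.7.9 typo.example.org NXDOMAIN
"""

def parse(log_text):
    """Yield (timestamp, client, name, rcode) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2].lower().rstrip("."), parts[3].upper()

def parent_zone(name):
    """Last two labels; naive (a real deployment would use the Public Suffix List)."""
    return ".".join(name.split(".")[-2:])

def find_nxdomain_bursts(log_text, window=60, min_unique=4):
    """Return [(client, zone, names)] where one client produced at least
    min_unique distinct NXDOMAIN names under one zone within `window` seconds."""
    events = defaultdict(list)  # (client, zone) -> [(ts, name)]
    for ts, client, name, rcode in parse(log_text):
        if rcode == "NXDOMAIN":
            events[(client, parent_zone(name))].append((ts, name))
    alerts = []
    for (client, zone), hits in sorted(events.items()):
        hits.sort()
        start, best = 0, set()
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            names = {n for _, n in hits[start:end + 1]}
            if len(names) > len(best):
                best = names
        if len(best) >= min_unique:
            alerts.append((client, zone, sorted(best)))
    return alerts

if __name__ == "__main__":
    for client, zone, names in find_nxdomain_bursts(SAMPLE_LOG):
        print(f"ALERT {client} -> {zone}: {len(names)} unique NXDOMAIN names")
```

A database server normally has little reason to resolve external names at all, so in practice the threshold for hosts in that role can be set much lower than for general clients.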