Features implemented in sqlmap include:
Cookie header string support, useful when the web application requires authentication based upon cookies and you have such data or in case you just want to test for and exploit SQL injection on such header values. You can also specify to always URL-encode the Cookie.
Set-Cookie header from the application, re-establishing of the session if it expires. Testing and exploiting these values is supported too. Vice versa, you can also force to ignore any
Referer header value and the HTTP User-Agent header value specified by the user or randomly selected from a text file.
Some of these techniques are detailed in the white paper Advanced SQL injection to operating system full control and in the slide deck Expanding the control over the operating system from the database.
xp_cmdshell() stored procedure. Also, the stored procedure is re-enabled if disabled or created from scratch if removed by the DBA.
sys_bineval(). Supported on MySQL and PostgreSQL.
sys_exec() on MySQL and PostgreSQL or via xp_cmdshell() on Microsoft SQL Server.
smb_relay server exploit listens. Supported when running sqlmap with high privileges (uid=0) on Linux/Unix and the target DBMS runs as Administrator on Windows.
sp_replwritetovarbin stored procedure heap-based buffer overflow (MS09-004). sqlmap has its own exploit to trigger the vulnerability with automatic DEP memory protection bypass, but it relies on Metasploit to generate the shellcode to get executed upon successful exploitation.
getsystem command which includes, among others, the kitrap0d technique (MS10-015).