How to do it...

Let's test the HTTP GET method request parameters using the sqlmap command:

  1. To use sqlmap to test the HTTP GET method parameters, you will need to use the -u argument and the URL to be tested. This URL should include any GET method parameters.
  2. Additionally, if the web content is only accessible to an established session, the cookie values that correspond to that session should be supplied with the --cookie argument, as follows:
  3. In the example provided, a risk value of 3 and a level value of 5 were used. These values define the riskiness and the thoroughness of the tests performed, respectively. For more detailed information on risk and level, refer to the sqlmap man pages or the help file.
  4. When running this test, sqlmap quickly identified the backend database as MySQL, and other tests were skipped. If no action is specified, sqlmap will merely determine whether any of the tested parameters are vulnerable, as shown in the previous example.
  5. After a series of injection attempts, sqlmap has determined that the id parameter is vulnerable to multiple types of SQL injection. After confirming the vulnerability, action can be taken in sqlmap to start extracting information from the backend database, as follows:
  6. In the example provided, the --dbs argument is used to enumerate all available databases that are accessible via the SQL injection. Judging by name, it appears that only one of the listed databases directly corresponds to the DVWA application. We can then focus our subsequent actions directly against that database.
  7. To extract the names of all the tables in the DVWA database, we can use the --tables argument to instruct sqlmap to extract the table names, and the -D argument to specify the database (dvwa) from which to extract them, as follows:
  8. By doing this, we can see that there are two tables present in the DVWA database: guestbook and users. It is often worth the effort to extract the contents of user tables, as these often contain usernames and their associated password hashes.
  9. To extract the contents of one of the identified tables, we can use the --dump argument, the -D argument to specify the database, and the -T argument to specify the table from which to extract the contents, as follows:

The table and its contents are output as follows:

  10. Upon identifying that there are password hashes in the contents of the table, sqlmap will offer the option of using its integrated password cracker to perform a dictionary attack against the enumerated password hashes. This can be performed using a built-in word list, a custom word list, or a series of word lists.
  11. After performing the dictionary attack, we can see that the contents of the table include the user ID, the username, the location of the user's avatar image, the MD5 hash, the cleartext value recovered for that hash, and then the first and last name.
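The probing described above leaves a distinctive trail in web server logs: many requests from one client against one path, with SQL syntax in the same GET parameter, often carrying sqlmap's default User-Agent. The following added detection script is not part of the original recipe; it parses constructed combined-format log lines (not real traffic) and flags clients that exhibit this pattern, so a defender can spot the activity rather than only the tester.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 498 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20UNION%20SELECT%20NULL%2CNULL--%20&Submit=Submit HTTP/1.1" 200 640 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%20AND%20SLEEP%285%29&Submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "METHOD target PROTO", status, size, "referer", "user-agent".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')
# Coarse SQL-syntax indicators in a decoded parameter value (boolean, UNION, time-based, quote, comment).
SQLI_RE = re.compile(r"(?i)(\bUNION\b.*\bSELECT\b|\b(AND|OR)\b\s+\d+\s*=\s*\d+|"
                     r"\b(SLEEP|BENCHMARK)\s*\(|'|--\s)")

def analyse(log_text, variant_threshold=3):
    """Group requests by (client, path) and return a dict of alert reasons for suspicious clients."""
    seen = defaultdict(lambda: {"sqlmap_ua": False, "values": defaultdict(set), "hits": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlsplit(m.group("target"))
        rec = seen[(m.group("ip"), url.path)]
        if "sqlmap" in m.group("ua").lower():
            rec["sqlmap_ua"] = True  # default sqlmap User-Agent (trivially changed, so not relied on alone)
        for name, value in parse_qsl(url.query, keep_blank_values=True):  # parse_qsl URL-decodes values
            rec["values"][name].add(value)
            if SQLI_RE.search(value):
                rec["hits"][name] += 1
    alerts = {}
    for key, rec in seen.items():
        reasons = []
        if rec["sqlmap_ua"]:
            reasons.append("sqlmap user-agent")
        for name, count in rec["hits"].items():
            reasons.append(f"{count} SQL-syntax value(s) in parameter '{name}'")
            if len(rec["values"][name]) >= variant_threshold:  # one parameter hammered with many variants
                reasons.append(f"{len(rec['values'][name])} distinct values probed on '{name}'")
        if reasons:
            alerts[key] = reasons
    return alerts

if __name__ == "__main__":
    for (ip, path), reasons in analyse(SAMPLE_LOG).items():
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

The regex is deliberately coarse; in production the same grouping logic would be fed by a WAF or log pipeline and tuned against the application's legitimate parameter values.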