How to do it...

Let's automate the testing of HTTP POST method request parameters using the sqlmap command:

  1. To perform an SQL injection attack on a service using the HTTP POST method, we will need to define the string of POST parameters using the --data argument.
  2. The login application in Mutillidae offers a login interface that transmits a username and password over the POST method. This will be our target for our SQL injection attack. Have a look at the following example:

The output of sqlmap has been truncated for space. The continuation of sqlmap's output, which includes the vulnerabilities found, is as follows:

  1. If no action is specified, sqlmap will merely determine whether any of the tested parameters are vulnerable, as shown in the previous example. After a series of injection attempts, sqlmap has determined that the username POST parameter is vulnerable to both boolean-blind and error-based injection techniques.
  2. After confirming the vulnerability, actions can be taken in sqlmap to start extracting information from the backend database, as follows:

The output of the sqlmap command has been truncated. In the next screenshot, we see more of the output generated by the command, including available databases:

  1. In the example provided, the --dbs argument is used to enumerate all available databases that are accessible via SQL injection. We can then focus our subsequent actions against a specific database directly.
  2. To extract the table names of all the tables in the owasp10 database, we can use the --tables argument to instruct sqlmap to extract the table names and then use the -D argument to specify the database (owasp10) from which to extract the names, as follows:

The output of the sqlmap command has been truncated. In the following screenshot, we can see the tables associated with the owasp10 database:

  1. By doing this, we can see that there are six tables present in the owasp10 database. These tables are accounts, blog_table, captured_data, credit_cards, hitlog, and pen_test_tools. The obvious table name that will probably catch the eye of most of us is the credit_cards table.
  2. To extract the contents from one of the identified tables, we can use the --dump argument and then the -D argument to specify the database, and the -T argument to specify the table from which to extract the contents, as follows:

The sqlmap command's output has been truncated. In the next screenshot, we see the contents of the credit_cards table in the owasp10 database:
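
To show from the defender's side why the username POST parameter was flagged for boolean-blind and error-based injection, and what removes both findings, here is an added example (not from the book and not Mutillidae's code). It assumes a constructed accounts table in an in-memory SQLite database, and all function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the login backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.execute("INSERT INTO accounts VALUES ('admin', 's3cret')")
    return db

def login_vulnerable(db, username, password):
    # POST values are concatenated into the SQL text, so a quote in
    # `username` changes the structure of the statement itself.
    sql = ("SELECT username FROM accounts WHERE username='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    # Placeholders keep the POST values as data; the statement text is fixed.
    sql = "SELECT username FROM accounts WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

def probe(login, db):
    """Report the two behaviours a scanner keys on for a login handler."""
    # Boolean-based: a true and a false condition appended to the username
    # produce different responses only if the input is parsed as SQL.
    when_true = login(db, "admin' AND 1=1 -- ", "x")
    when_false = login(db, "admin' AND 1=2 -- ", "x")
    # Error-based techniques depend on database errors being triggerable
    # by input; an unbalanced quote is enough to show that here.
    try:
        login(db, "admin'", "x")
        sql_error = False
    except sqlite3.Error:
        sql_error = True
    return {"boolean_differs": when_true != when_false, "sql_error": sql_error}

if __name__ == "__main__":
    for handler in (login_vulnerable, login_parameterized):
        print(handler.__name__, probe(handler, make_db()))
```

With the parameterized handler both indicators are absent, which is the result to expect when re-testing the parameter after a fix.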
