The sqlmap command works by submitting requests from a large list of known SQL injection queries. It has been highly optimized over the years to intelligently modify injection attempts based on the responses from previous queries. Performing SQL injection on HTTP POST method parameters is done by manipulating the data that is appended to the end of a POST method request.