SQL Injection
An infamous and simple attack where code is injected where data should be, rewriting the SQL query
You can run a raw request through sqlmap with cookies and POST data to find any injection. Two useful options:
--level=5: tests more inputs, like HTTP headers
--risk=3: tests more injection payloads
Use UNION SELECT statements to alter the returned content on the site, with an XSS payload for example.
Also try 'Second-Order' injection, by doing another injection inside of your UNION content if not all values can be altered (see the writeup above).
Some scenarios where you can work around blocked characters using functions or special syntax. A + after a database name means the trick is supported in more than just the mentioned DB backend.
Quotes (' & ") like "j0r1an":
Use 0x6a307231616e in MySQL (CyberChef)
Use char(106,48,114,49,97,110) in SQLite+ (CyberChef)
While most inputs are as simple as a query or body parameter, not all flows are like this. Interactions sometimes require special headers or formatting of the input, or the result of your action might only be visible on a different page. In these scenarios, SQLMap can fall short in its customization because it simply does not support everything.
One clever solution to this comes from a case where the hacker had to automate a blind SQL injection over a WebSocket. Such flows are normally not possible in SQLMap, so you might think you need to write a custom script to extract all data slowly. While this is possible, an easier alternative is to create a wrapper script that translates the interaction into something SQLMap understands.
By creating a simple web server with a single query parameter as the payload, you can implement the full interaction in Python and then send the result back to SQLMap. You may do this for any kind of complex interaction with a server like this:
Then run your server locally, and target it instead of the regular target to proxy the traffic with your custom format and logic:
Warning: Performing this technique multiple times may make SQLMap reuse cached results from a previous run because the same localhost URL is used. To ensure it starts completely fresh, clear the session every time using the --flush-session argument.
Tricks specific to the SQLite database backend.
While looking through the documentation, you might notice functions that seem to have the ability to run arbitrary code on the system. The catch is that these methods are only possible using the sqlite3 CLI tool by default; only with some very specific configuration will they be available through a normal library that uses the safer C-API behind the scenes.
SQLite uses the C-API for all the heavy work, and the CLI as well as libraries are just wrappers over this. The load_extension() function is special as it can only be called after calling the enable_load_extension() function from the C-API, which is not available in SQL syntax. Fortunately, the CLI enables this automatically, which means that if we are able to inject code into such a query, we can load extensions.
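As an added check (this is not code from the original page), the following Python snippet verifies that gate on a stock sqlite3 library connection and installs an authorizer that refuses the load_extension() SQL function at prepare time, so even a connection where loading was enabled for legitimate code use cannot reach it through injected SQL. The function names are my own; the only SQLite behaviour assumed is the "not authorized" error described above.

```python
import sqlite3

def sql_extension_loading_open(conn):
    """True if SQL-level load_extension() gets past SQLite's gate on this connection.
    SQLite answers "not authorized" until sqlite3_enable_load_extension() has been
    called through the C-API; a build without extension support has no such
    function at all. Any other error (e.g. unopenable .so) means the gate is open."""
    try:
        conn.execute("SELECT load_extension('no_such_extension_file')")
    except sqlite3.DatabaseError as exc:  # an authorizer denial is a DatabaseError
        msg = str(exc)
        return "not authorized" not in msg and "no such function" not in msg
    return True

def deny_dangerous_functions(conn, blocked=("load_extension",)):
    """Authorizer that rejects the listed SQL functions at prepare time, so injected
    SQL cannot reach them even where loading was enabled for legitimate code use."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        # For SQLITE_FUNCTION, arg2 carries the function name.
        if action == sqlite3.SQLITE_FUNCTION and arg2 in blocked:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)

def check_default_connection():
    """Plain library connection: loading is closed before and after hardening,
    while ordinary functions keep working with data passed as a parameter."""
    conn = sqlite3.connect(":memory:")
    before = sql_extension_loading_open(conn)
    deny_dangerous_functions(conn)
    after = sql_extension_loading_open(conn)
    row = conn.execute("SELECT upper(?)", ("j0r1an",)).fetchone()[0]
    return before, after, row

def check_enabled_connection():
    """Connection with loading deliberately enabled (as the CLI does): the gate
    opens, then the authorizer closes the SQL-level path again. Returns None on
    Python builds that expose no enable_load_extension() method."""
    conn = sqlite3.connect(":memory:")
    if not hasattr(conn, "enable_load_extension"):
        return None
    conn.enable_load_extension(True)
    opened = sql_extension_loading_open(conn)
    deny_dangerous_functions(conn)
    return opened, sql_extension_loading_open(conn)

if __name__ == "__main__":
    print(check_default_connection(), check_enabled_connection())
```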
These extensions are simply compiled C code in the form of .so files, with an init function:
Then from inside a CLI query, we can call the function with a path to the compiled extension:
The CLI also includes an extra special function used for editing data interactively, which lets its second argument decide what command to run! It is very straightforward to exploit: