I have found a simple boolean blind SQL vulnerability and want to let sqlmap do the iterating for me, but it doesn't seem to work; I have the impression it tries to start at a point that I'm far beyond. Here are the details. The vulnerability is like this:
http://host/path?param=123
and I can query like this
http://host/path?param=123' or 10 = (select len(system_user()));--
(URL encoded of course). If the second or condition is true I'll get somewhere in the response "Found 1000 hits". If it is false there will be "Found 0 hits". So now I can easily do a binary search with
http://host/path?param=123' or 100 < (select ascii(substring(system_user(), 1, 1)));--
character per character (it is MS SQL Server in case you haven't noticed). This looks so bloody easy I cannot understand that sqlmap keeps telling me "param doesn't seem to be injectable". Here is the sqlmap call I've tried:
sqlmap -u "http://host/path?param=123" -p param --current-user --dbms mssql --prefix="123' or " --suffix=";--" --risk 3 --level 2
I've played with --risk, --level and --technique=B and also --string="Found 1000 hits". Nothing helps. How can I tell sqlmap to not search for anything but just do this silly iteration?
Injection points as simple as your example can certainly be picked up by sqlmap.
Here are some troubleshooting ideas:
Could the server use a WAF or otherwise react to the sqlmap user-agent (sqlmap/x.x)? Use --user-agent to specify the same user-agent as your browser has (or a generic one).
Does the server react differently on rapid consecutive HTTP requests? You can use --delay to specify a delay interval between requests.
For such a straightforward injection you usually don't need to specify --prefix and --suffix. Better omit them to not mess with sqlmap's own process of analysis.
Try to omit --dbms mssql if you're not 100% sure about the backend DBMS. sqlmap can usually figure that out itself.
Could the requests be authenticated or depend on some cookie settings you're unaware of? Use --cookie to add the same cookies that might be set in your browser.
Debug the requests and responses by sqlmap and compare them with what you're getting in your browser. You can set a high output verbosity level (e.g. -v 6) to observe the entire HTTP traffic.
Use curl to verify that the manual injection generally works outside your browser. E.g.:
curl "http://host/path?param=123' or 10 = (select len(system_user()));--" | grep "1000 hits"
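Seen from the defending side, the traffic discussed above stands out in web-server logs. The following is an added example, not part of the original question or answer: it flags the sqlmap/x.x user-agent mentioned in the answer and the numeric-comparison probes quoted in the question, and reports a client that varies the compared number against one parameter. The log lines, addresses, the `scan` helper and the `min_probes` threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined format); addresses and times are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /path?param=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /path?param=123%27%20or%2010%20%3D%20(select%20len(system_user()))%3B-- HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /path?param=123%27%20or%20100%20%3C%20(select%20ascii(substring(system_user(),1,1)))%3B-- HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /path?param=123%27%20or%2050%20%3C%20(select%20ascii(substring(system_user(),1,1)))%3B-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:05:00 +0000] "GET /path?param=123 HTTP/1.1" 200 512 "-" "sqlmap/x.x"
"""

LINE = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# A number compared with a subquery over a string-inspection function:
# the shape of both manual probes quoted in the question.
INFER = re.compile(
    r"(\d+)\s*(?:<=|>=|<>|[<>=])\s*\(\s*select\s+(?:len|ascii|unicode)\s*\(",
    re.I)

def scan(log_text, min_probes=3):
    """Return (findings, iterating): per-line findings, plus the
    (client, path, parameter) triples probed with >= min_probes distinct numbers."""
    findings = []
    compared = defaultdict(set)  # (client, path, param) -> numbers compared
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        client, target, agent = m.groups()
        url = urlsplit(target)
        if agent.lower().startswith("sqlmap/"):
            findings.append((lineno, client, "sqlmap user-agent"))
        # parse_qsl URL-decodes each value, so encoded probes are matched too.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            hit = INFER.search(value)
            if hit:
                findings.append((lineno, client, "boolean inference in " + name))
                compared[(client, url.path, name)].add(int(hit.group(1)))
    iterating = sorted(k for k, v in compared.items() if len(v) >= min_probes)
    return findings, iterating

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG)[0]:
        print(finding)
```

The user-agent check only catches default tool settings, since the answer itself points out that --user-agent overrides it; the parameter-content check is the one that still fires in that case.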