I am testing my own Flask application that should be vulnerable.
I am using this in sqlmap:
sqlmap -u "https://test.heroku.com/checkusername/student*"
but the requests with payloads I am receiving contain student+payload. I think it's not working for this reason.
I tried
sqlmap -u "https://test.heroku.com/checkusername/*"
but got 404 and the test ended.
Do you know how to deal with this?
Example of a request I got:
GET /loggin/student%20AND%202788%3D%28SELECT%20%28CASE%20WHEN%20%282788%3D2788%29%20THEN%202788%20ELSE%20%28SELECT%209168%20UNION%20SELECT%209538%29%20END%29%29--%20lGfn
Sqlmap will deploy the payload on your custom marked location, so in your example, sqlmap performs as expected. According to the documentation, your first command seems correct for marking the URI injection point. It will attempt a lot of payloads, some of which will be added after 'student'. For SQL injection, this is generally not a problem.
It might be easier for your tests to let the application work with GET parameters, so that sqlmap can be deployed without a custom marker. For example:
sqlmap -u "https://test.heroku.com/checkusername?username=student"
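An added example, not part of the original question or answer and not sqlmap's own code: it decodes the captured request from the question to show the original value followed by the appended payload, then compares a string-built lookup with a parameterized one on the test application's side. The `users` table, the function names and the quoted true/false pair are constructed assumptions, since the application's code and schema are not shown on the page.

```python
import sqlite3
from urllib.parse import unquote

# Last path segment of the captured request shown in the question.
CAPTURED = ("student%20AND%202788%3D%28SELECT%20%28CASE%20WHEN%20%282788%3D2788%29"
            "%20THEN%202788%20ELSE%20%28SELECT%209168%20UNION%20SELECT%209538%29"
            "%20END%29%29--%20lGfn")

def make_db():
    # Constructed sample table; the real application's schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT)")
    db.execute("INSERT INTO users VALUES ('student')")
    return db

def lookup_concat(db, username):
    # Vulnerable form: the path value is pasted into the SQL text.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchone() is not None

def lookup_param(db, username):
    # Hardened form: the value is bound and only ever compared as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone() is not None

def split_marker(value, original="student"):
    # The original value is kept and the payload is appended at the '*' marker.
    decoded = unquote(value)
    if decoded.startswith(original):
        return original, decoded[len(original):]
    return None, decoded

def differs(lookup, db, true_value, false_value):
    # A boolean-based check relies on the two responses being different.
    return lookup(db, true_value) != lookup(db, false_value)

if __name__ == "__main__":
    db = make_db()
    print(split_marker(CAPTURED))
    # Constructed always-true / always-false pair for a quoted string context.
    t, f = "student' AND '1'='1", "student' AND '1'='2"
    print("string-built lookup differs:", differs(lookup_concat, db, t, f))
    print("parameterized lookup differs:", differs(lookup_param, db, t, f))
```

The captured payload carries no quote, so in this constructed string context it stays inside the literal and simply matches no user; the parameterized lookup treats every appended payload that way.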