Menu
I was trying to run sqlmap with method POST but I got this error:
[CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')
Now, I know that for POST method I must run sqlmap with data flag (e.g --data="name=value")
but my form input data has no name and data is send as a string.
How can I use sqlmap in this situation?
731
You can use asterisks * to specify your injection point. Try this:
python sqlmap.py -u "http://www.example.com/index.php?id=1" --data="POST_STRING_HERE*" --dbs
Note the * in the data string. SQL map will ask if you want to process the wild cards, enter Y there. It will ignore all the parameters and inject the payloads in place of *.
From the docs:
Append an asterisk, *, to the place where sqlmap should check for injections in URI itself. For example, ./sqlmap.py -u "http://target.tld/id1/1*/id2/2", sqlmap will inject its payloads at that place marked with * character. This feature also applies to POST data. Multiple injection points are supported and will be assessed sequentially.
61
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
