Sqlmap traffic capture

I am trying to understand how SQLmap works.

For example, sqlmap finds an injection on my site:

Place: GET
Parameter: selected
    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: act=il&ed=1' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a6,0x579786e676651,0x373a), NULL, NULL, NULL, NULL#

Using SQLmap, I can dump databases, but how do I dump the same databases from the browser? I tried to put the following link into the browser, but it didn't work:

http://www.site.com/index.php?act=il&ed=1' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a6,0x579786e676651,0x373a), NULL, NULL, NULL, NULL#

I do not get any result at all in my browser. I tried different ways of putting in /**/ and + etc., but no luck.

  • How do I get the links which Sqlmap is sending during a penetration test?

  • How do I exploit this injection with a simple select version() query?

  • Maybe this isn't really working?

Dmitrij Holkin asked Aug 11 '12 14:08




2 Answers

I believe you can try increasing the verbosity of your sqlmap query.

This should be -v=4.

Here is the official usage description of the feature: https://github.com/sqlmapproject/sqlmap/wiki/Usage#output-verbosity

Option: -v

This option can be used to set the verbosity level of output messages. There exist seven levels of verbosity. The default level is 1 in which information, warning, error, critical messages and Python tracebacks (if any occur) are displayed.

0: Show only Python tracebacks, error and critical messages.

1: Show also information and warning messages.

2: Show also debug messages.

3: Show also payloads injected.

4: Show also HTTP requests.

5: Show also HTTP responses' headers.

6: Show also HTTP responses' page content.

heidi123p answered Oct 03 '22 21:10


The link you're attempting (unless there's a copy and paste error) is not a valid URL and is not how the actual SQL command is transformed in the browser.

If you want to know what SQLmap is actually sending, I recommend that you run one of tcpdump/tshark/wireshark on the relevant interface to see what is actually being sent over the wire. This is the best way to understand what these tools actually do. For example, something like

sudo tcpdump -s0 -Xnnpi eth0 -w /var/tmp/sqlmap.pcap port 80

will work.

On the other hand, simply open Wireshark and capture on the eth0 interface. The actual traffic will show up in the Application Layer in Wireshark.

In order to exploit the application as you asked, you need to correctly format your URL so that it's encoded correctly and the web app can transform it to send it to the database. See this link for testing SQL Injection using the URL bar in a browser and here's another cheat sheet.

I believe sqlmap is working, it's very good.

Disclaimer: I'm trusting that you're either legally authorised to do this testing or it's in a lab environment.

Mark Hillick answered Oct 03 '22 20:10
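Whatever sqlmap sends reaches the server percent-encoded, and that is also the form it has in a tcpdump capture or in the web server's access log. As an added example (not code from the original post or from sqlmap itself), the following Python decodes the query string of Apache-style access-log lines and flags a UNION-based probe; both log lines are constructed, the first carrying the payload quoted in the question.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original post). The first
# carries the payload quoted in the question, percent-encoded as a client must
# send it: the quote is %27 and the trailing # is %23 (a bare # in a browser's
# address bar is a fragment delimiter and never appears in the server's log).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Aug/2012:14:08:01 +0000] "GET /index.php?act=il&ed=1%27%20LIMIT%201,1%20UNION%20ALL%20SELECT%20CONCAT(0x3a6,0x579786e676651,0x373a),%20NULL,%20NULL,%20NULL,%20NULL%23 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [11/Aug/2012:14:08:02 +0000] "GET /index.php?act=il&ed=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# The quoted request line: method, request target, protocol version.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signature of a UNION-based probe like the one in the question, matched
# against each decoded parameter value (case-insensitive, any whitespace).
UNION_RE = re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.IGNORECASE)


def decode_params(target):
    """Return the query string of a request target as decoded (name, value) pairs."""
    query = urlsplit(target).query
    # parse_qsl undoes both %XX escapes and '+' as space, exactly what the
    # web app's own request parser does before the value reaches SQL.
    return parse_qsl(query, keep_blank_values=True)


def flag_union_injection(line):
    """Return (parameter, decoded value) for the first UNION-style payload found
    in one access-log line, or None if the line looks benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    for name, value in decode_params(m.group("target")):
        if UNION_RE.search(value):
            return name, value
    return None


def scan_log(text):
    """Run the check over every line; return (line number, parameter, value) hits."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = flag_union_injection(line)
        if hit:
            hits.append((lineno, *hit))
    return hits


if __name__ == "__main__":
    for lineno, param, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: parameter {param!r} carries UNION payload: {value}")
```

The decoded value printed for line 1 is character-for-character the payload sqlmap reported, which is why the `-v 4` request view and a packet capture are the two ways to see the encoded form sqlmap puts on the wire.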