{"id":2412,"date":"2022-09-26T13:37:47","date_gmt":"2022-09-26T11:37:47","guid":{"rendered":"https:\/\/www.dsecbypass.com\/?p=2412"},"modified":"2024-02-07T10:49:21","modified_gmt":"2024-02-07T09:49:21","slug":"sqlmap-advanced-use","status":"publish","type":"post","link":"https:\/\/www.dsecbypass.com\/en\/sqlmap-advanced-use\/","title":{"rendered":"SQLmap: advanced use"},"content":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; _builder_version=&#8221;4.17.3&#8243; _module_preset=&#8221;default&#8221; custom_padding=&#8221;0px||||false|false&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_row _builder_version=&#8221;4.17.3&#8243; _module_preset=&#8221;default&#8221; custom_padding=&#8221;||88px|||&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.17.3&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_image src=&#8221;https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/09\/320px-Sqlmap_logo-300&#215;155.png&#8221; alt=&#8221;Prestashop logo&#8221; title_text=&#8221;Prestashop logo&#8221; align=&#8221;center&#8221; _builder_version=&#8221;4.18.0&#8243; _module_preset=&#8221;default&#8221; background_color=&#8221;RGBA(255,255,255,0)&#8221; width=&#8221;50%&#8221; module_alignment=&#8221;center&#8221; global_colors_info=&#8221;{}&#8221;][\/et_pb_image][et_pb_text _builder_version=&#8221;4.23.2&#8243; _module_preset=&#8221;default&#8221; hover_enabled=&#8221;0&#8243; global_colors_info=&#8221;{}&#8221; sticky_enabled=&#8221;0&#8243;]<\/p>\n<p style=\"text-align: justify;\"><a href=\"https:\/\/github.com\/sqlmapproject\/sqlmap\" target=\"_blank\" rel=\"noopener\" title=\"SQL injection tool penetration testing\">SQLmap<\/a> is an automated SQL injection tool.<br \/>It is very practical in <a href=\"https:\/\/www.dsecbypass.com\/en\/website-pentest\/\" title=\"Website security audits\">pentests<\/a> to send a lot of <em>payloads<\/em>, and find injections that would 
have gone unnoticed with basic manual tests.<br \/>However, some SQL injections require the pentester to <em>script<\/em> the exploit themselves: injections too complex to be detected by SQLmap, an unstable server, and other edge cases.<\/p>\n<p style=\"text-align: justify;\">Some lesser-known features of SQLmap still allow it to be used in these complex cases.<\/p>\n<p>This article, intended for advanced SQLmap users, details two of them:<\/p>\n<ul>\n<li><a href=\"#tamper\">the application only accepts fully encoded requests<\/a>;<\/li>\n<li><a href=\"#postprocess\">the result of the injection is only detectable by performing a second, complex query (second order with dynamic parameters)<\/a>.<\/li>\n<\/ul>\n<p>[\/et_pb_text][et_pb_text module_id=&#8221;tamper&#8221; _builder_version=&#8221;4.23.2&#8243; _module_preset=&#8221;default&#8221; hover_enabled=&#8221;0&#8243; global_colors_info=&#8221;{}&#8221; sticky_enabled=&#8221;0&#8243;]<\/p>\n<h2 class=\"part\" data-startline=\"14\" data-endline=\"14\">SQLmap request encoding<\/h2>\n<p style=\"text-align: justify;\">A DSecBypass pentester encountered a web application that only accepted <a href=\"https:\/\/www.dcode.fr\/code-base-64\" target=\"_blank\" rel=\"noopener\" title=\"dcode website to manipulate base64 data\">base64-encoded<\/a> HTTP POST request bodies.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/09\/example_base64_POST.png\" alt=\"Base64-encoded HTTP POST body\" class=\"wp-image-2381 alignnone size-full\" width=\"771\" height=\"152\" srcset=\"https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/09\/example_base64_POST.png 771w, https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/09\/example_base64_POST-480x95.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 771px, 100vw\" \/><\/p>\n<p style=\"text-align: justify;\">In this specific case, SQLmap cannot do anything by default: blindly modifying the 
request body would make both the encoding and the data invalid.<\/p>\n<p style=\"text-align: justify;\">However, manual tests show that behind this block of base64 text hides a JSON object, one of whose parameters is vulnerable to SQL injection.<\/p>\n<p style=\"text-align: justify;\">To overcome this problem, <a href=\"https:\/\/github.com\/sqlmapproject\/sqlmap\/wiki\/Usage#tamper-injection-data\" target=\"_blank\" rel=\"noopener\" title=\"SQLmap documentation about tamper scripts\"><em>tamper<\/em> scripts<\/a> can be used. Although they were originally created to modify <em>payloads<\/em> in order to bypass web application firewalls (WAF), you can write your own script to transform the data generated by SQLmap before it is sent.<\/p>\n<p style=\"text-align: justify;\">Creating and using a Python <em>tamper<\/em> script is simple:<\/p>\n<ul>\n<li style=\"text-align: justify;\">In your working directory, create an empty Python file named &#8220;__init__.py&#8221;;<\/li>\n<li style=\"text-align: justify;\">Create a Python3 script &#8220;mytamper.py&#8221; with the following content:<\/li>\n<\/ul>\n<p>\n<script src=\"https:\/\/gist.github.com\/vtoutain\/92a65cd9f4ee28f96b9b1c14da5e447b.js\"><\/script>\n<\/p>\n<ul>\n<li>Use this script with the following command, run from the same directory as the Python files:<\/li>\n<\/ul>\n<blockquote>\n<pre><span style=\"color: #0000ff;\">sqlmap --random-agent -o -u \"https:\/\/[...]\/application\/process\/\" --data \"*\" --header \"Content-Type: application\/octet-stream\" --method POST --tamper mytamper.py<\/span><\/pre>\n<\/blockquote>\n<p style=\"text-align: justify;\">SQLmap then passes each test payload through our script before sending it to the server.<\/p>\n<p>[\/et_pb_text][et_pb_text module_id=&#8221;postprocess&#8221; _builder_version=&#8221;4.23.2&#8243; _module_preset=&#8221;default&#8221; hover_enabled=&#8221;0&#8243; global_colors_info=&#8221;{}&#8221; sticky_enabled=&#8221;0&#8243;]<\/p>\n<h2>Two-step injections<\/h2>\n<p 
style=\"text-align: justify;\">SQLmap natively offers a solution for &#8216;<a href=\"https:\/\/github.com\/sqlmapproject\/sqlmap\/wiki\/Usage#second-order-attack\" target=\"_blank\" rel=\"noopener\" title=\"SQLmap documentation second-order injections\">second-order<\/a>&#8217; injections, i.e. SQL injections that are exploitable because a second, vulnerable query uses the result of a first, non-vulnerable one.<\/p>\n<p style=\"text-align: justify;\">The tool provides the &#8216;<em>--second-url<\/em>&#8217; and &#8216;<em>--second-req<\/em>&#8217; options to fetch the result of the injection, respectively with a GET on a URL or by replaying the request stored in a file (as with &#8216;<em>-r<\/em>&#8217;).<\/p>\n<p style=\"text-align: justify;\">This already covers many use cases. However, a DSecBypass pentester encountered an application with a second-order SQL injection whose second request requires a parameter to be updated on every call.<\/p>\n<p><div id=\"attachment_2390\" style=\"width: 429px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2390\" src=\"https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/09\/example_requete_1_POST.png\" alt=\"Example POST request with an injectable parameter\" class=\"wp-image-2390 size-full\" width=\"419\" height=\"147\" srcset=\"https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/09\/example_requete_1_POST.png 419w, https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/09\/example_requete_1_POST-300x105.png 300w\" sizes=\"(max-width: 419px) 100vw, 419px\" \/><p id=\"caption-attachment-2390\" class=\"wp-caption-text\">First POST request (the payload is stored in the database)<\/p><\/div><div id=\"attachment_2392\" style=\"width: 422px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2392\" src=\"https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/09\/example_requete_2_POST.png\" 
alt=\"Second order POST request example\" class=\"wp-image-2392 size-full\" width=\"412\" height=\"153\" srcset=\"https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/09\/example_requete_2_POST.png 412w, https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/09\/example_requete_2_POST-300x111.png 300w\" sizes=\"(max-width: 412px) 100vw, 412px\" \/><p id=\"caption-attachment-2392\" class=\"wp-caption-text\">Second POST request (a vulnerable SQL query uses the stored result of our first request)<\/p><\/div><\/p>\n<p style=\"text-align: justify;\">The second image shows the <em>ts<\/em> parameter, derived from the Unix <em>timestamp<\/em>. If it is invalid, the request is rejected, so SQLmap cannot exploit the injection correctly on its own.<\/p>\n<p style=\"text-align: justify;\">Fortunately, the tool offers a mechanism of last resort: <a href=\"https:\/\/github.com\/sqlmapproject\/sqlmap\/wiki\/Usage#postprocess-response\" title=\"Postprocess SQLmap documentation\" target=\"_blank\" rel=\"noopener\"><em>postprocessing<\/em> scripts<\/a>.<\/p>\n<p>It is again quite simple to use:<\/p>\n<ul>\n<li>In your working directory, create an empty &#8220;__init__.py&#8221; file;<\/li>\n<li>Create a Python3 script &#8220;mypostproc.py&#8221; with the following content:<\/li>\n<\/ul>\n<p>\n<script src=\"https:\/\/gist.github.com\/vtoutain\/78e7858fa05eb44f32dd17a7c0d5edac.js\"><\/script>\n<\/p>\n<ul>\n<li>We exploit the injection with the following SQLmap command (&#8220;<em>-r<\/em>&#8221; tells SQLmap to read the first HTTP request from a file):<\/li>\n<\/ul>\n<blockquote>\n<pre><span style=\"color: #0000ff;\">sqlmap -r sqli_my_application --force-ssl --dbms postgresql --level 5 --risk 2 --postprocess mypostproc.py --current-user --technique \"ST\"<\/span><\/pre>\n<\/blockquote>\n<p style=\"text-align: justify;\">Note that this technique works with all types of injection, even time-based ones, since SQLmap also takes into account the 
execution time of the <em>postprocessing<\/em> script.<\/p>\n<p style=\"text-align: justify;\">If you are using a proxy with SQLmap, it is also possible to specify it in the Python call to <em>requests<\/em> with the &#8220;proxies&#8221; argument.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=&#8221;4.17.3&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.17.3&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_text _builder_version=&#8221;4.23.2&#8243; _module_preset=&#8221;default&#8221; hover_enabled=&#8221;0&#8243; global_colors_info=&#8221;{}&#8221; sticky_enabled=&#8221;0&#8243;]<\/p>\n<p style=\"text-align: justify;\"><span>\ud83d\udee1\ufe0f DSecBypass accompanies you on the <a href=\"https:\/\/www.dsecbypass.com\/en\/website-pentest\/\" title=\"Website penetration test\">security audit of your Web applications<\/a>. Do not hesitate to <a href=\"https:\/\/www.dsecbypass.com\/en\/contact\/\">contact <\/a>us for additional information and\/or a personalized quote \ud83d\udcdd.<\/span><\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=&#8221;4.17.3&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.17.3&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_button button_url=&#8221;https:\/\/www.dsecbypass.com\/en\/contact\/&#8221; button_text=&#8221;CONTACT US&#8221; button_alignment=&#8221;center&#8221; _builder_version=&#8221;4.17.4&#8243; _module_preset=&#8221;default&#8221; custom_button=&#8221;on&#8221; button_text_size=&#8221;13px&#8221; button_bg_color=&#8221;#4328b7&#8243; button_border_width=&#8221;10px&#8221; button_border_color=&#8221;#4328b7&#8243; button_border_radius=&#8221;0px&#8221; button_letter_spacing=&#8221;2px&#8221; 
button_font=&#8221;Titillium Web|700||on|||||&#8221; background_layout=&#8221;dark&#8221; global_colors_info=&#8221;{}&#8221;][\/et_pb_button][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SQLmap is an automated SQL injection tool.<br \/>\nIt is very practical in pentests to send a lot of payloads, and find injections that would have gone unnoticed with basic manual tests.<br \/>\nHowever, some SQL injections require the pentester to script the exploit himself: injections too complex to be detected by sqlmap, server too unstable, and other edge cases.<\/p>\n<p>Some lesser known features of SQLmap can still allow its use despite complex use cases.<\/p>\n","protected":false},"author":4,"featured_media":2380,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[34],"tags":[],"class_list":["post-2412","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en"],"_links":{"self":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/2412","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/comments?post=2412"}],"version-history":[{"count":23,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/2412\/revisions"}],"predecessor-version":[{"id":3243,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/2412\/revisions\/3243"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/media\/2380"}],"wp:attachment":[{"
href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/media?parent=2412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/categories?post=2412"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/tags?post=2412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}