
Hi, I'm trying to do a SQL injection in a login form.

With BurpSuite I intercept the request:

POST /xxxx/web/Login HTTP/1.1
Host: 10.0.0.70:42020
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/plain, */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Referer: http://xxxxxx.com/xxxxxx/
Content-Length: 44
origin: http://xxxxx.com
Connection: close

{"username":"user","password":"pass"}

using:

sqlmap -u requestFile

(where requestFile is the content of the request intercepted with Burp)

sqlmap can't find the injectable field, which is password.

I'm sure it's injectable because if, as password, I input:

' OR 1=1; -- -

I can log in with every username I insert.

Tried also with:

{"username":*,"password":*}

but no luck.

What am I doing wrong?

P.S.

In every POST or PUT request made with the browser, a preflight request with method OPTIONS is made. It's made to get around CORS problems. Could it affect requests made by sqlmap?

ronIDX
  • Something is very off with the double quotes in your code. Check that you have proper double quotes in what you are investigating (and [edit] them here). –  Nov 17 '16 at 14:15
  • Ok, corrected the double quotes; probably copying and pasting from Burp produced strange double quotes. However, sqlmap can't inject it with correct double quotes. – ronIDX Nov 17 '16 at 15:05
  • Met the same issue, and `--batch` helped (for whatever reason). My HTTP body looks like `{"username":"rms*","password":"foobar123*"}`, and it becomes something like `{"username":"rms' or 1 = 1 --","password":"foobar123' or 1 = 1 --"}`. – Franklin Yu Oct 03 '17 at 16:16
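As an added example (not code from the question or from the application under test), here is the kind of login query that the `' OR 1=1; -- -` password in the question bypasses, next to the parameterized version that stops it. The table, column names and the in-memory SQLite database are assumptions; the JSON body mirrors the one in the intercepted request.

```python
import json
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table (assumption).
    The password is stored in plaintext only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('user', 'pass')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the input becomes part of the SQL.
    With password = ' OR 1=1; -- - the WHERE clause turns into
    (username = '...' AND password = '') OR 1=1, which matches every row."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately,
    so quotes and comment markers in the input are just characters to compare."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def login_from_json(conn, body, handler):
    """Extract credentials from a JSON body like the one in the question
    and pass them to the given login handler."""
    data = json.loads(body)
    return handler(conn, data["username"], data["password"])


PAYLOAD = "' OR 1=1; -- -"


def demo():
    """Run both handlers against the JSON login body with the injected password."""
    conn = make_db()
    body = json.dumps({"username": "anybody", "password": PAYLOAD})
    return {
        "vulnerable": login_from_json(conn, body, login_vulnerable),  # True
        "safe": login_from_json(conn, body, login_safe),              # False
    }
```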
