I am currently doing a blackbox test on a web application for training purposes. It's a personal project.
In addition to my manual testing process, I used an automated scanner for detecting obvious vulnerabilities. While this tool only found some basic issues, it also detected a potential SQLi vulnerability which I did not notice before. I am able to reproduce the error using Burp, but I am still not able to extract database data manually. Because of that, I gave sqlmap a shot.
Before I come to my actual question, let me give you some details:
The vulnerability seems to exist in a login form. When the following sequence is POSTed to the form
password=letmein&username=1%c0%00xa7%c0%a2
a MySQL error is returned:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given
I have narrowed the sequence down to the byte %c0. This urlencoded value leads to the warning. So far, I am not sure why exactly this value leads to the warning.
The sqlmap setup looks like this:
sqlmap -u http://thehost/include/login.php --method POST --data "password=letmein&username=1%c0%00xa7%c0%a2" -p "username" --dbms=mysql
Which generates requests/payloads in the following form:
[PAYLOAD] 1%c0%00xa7%c0%a2)).("(,)'(
[TRAFFIC OUT] HTTP request [#3]:
POST /include/login.php HTTP/1.1
Host: thehost
Content-type: application/x-www-form-urlencoded; charset=utf-8
Accept: */*
Content-length: 70
Connection: close
What I would like to do/try is change the injection point within the POST data. Is this possible? I know it is possible to specify an injection point within a GET request. Additionally, does anybody have an idea why the injected %c0 byte messes up the query?
thanks
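Two facts from the request and the warning are worth making concrete, from the defender's side. First, `mysql_fetch_array()` complaining that it received a boolean means `mysql_query()` returned `false`, i.e. the query failed outright rather than returning an empty result, and the application passed that failure straight on (and leaked the warning to the client). Second, the byte 0xC0 can never begin a well-formed UTF-8 sequence (it would only ever start an overlong encoding), so any strict UTF-8 decoder rejects it; the same value also carries a NUL byte. The following is an added example, not code from the original post or from the application under test: it percent-decodes a form-encoded POST body to raw bytes and reports NUL bytes and invalid UTF-8 per field, the kind of check an input-validation layer or a log-review script could apply before such a value reaches a database query. The sample bodies are constructed from the request quoted above.

```python
"""Flag form-encoded request bodies whose fields carry NUL bytes or bytes that
are not valid UTF-8 (such as the 0xC0 lead byte seen in the post above).
Added example, not code from the original post."""
from urllib.parse import unquote_to_bytes

# Constructed sample bodies: the one quoted in the post, and a benign login.
SAMPLE_BODIES = [
    "password=letmein&username=1%c0%00xa7%c0%a2",
    "password=letmein&username=alice",
]


def decode_form_body(body: str) -> dict[str, bytes]:
    """Percent-decode each field to raw bytes without any charset guessing.

    urllib.parse.parse_qsl() would decode to str with replacement characters
    and hide exactly the bytes we want to see, so the split is done by hand.
    """
    fields: dict[str, bytes] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        key = unquote_to_bytes(name).decode("ascii", "replace")
        fields[key] = unquote_to_bytes(value.replace("+", " "))
    return fields


def inspect_value(raw: bytes) -> list[tuple[str, int]]:
    """Return (finding, byte_offset) pairs for one decoded field value."""
    findings: list[tuple[str, int]] = []
    nul = raw.find(b"\x00")
    if nul != -1:
        findings.append(("nul_byte", nul))
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        # exc.start is the offset of the first byte the decoder rejected,
        # e.g. 0xC0, which cannot begin a well-formed UTF-8 sequence.
        findings.append(("invalid_utf8", exc.start))
    return findings


def inspect_form_body(body: str) -> dict[str, list[tuple[str, int]]]:
    """Map each field name to its findings; clean fields are omitted."""
    return {
        name: found
        for name, raw in decode_form_body(body).items()
        if (found := inspect_value(raw))
    }


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body, "->", inspect_form_body(body) or "clean")
```

For the quoted body the `username` field is reported with a NUL byte at offset 2 and an invalid UTF-8 start byte at offset 1, while the benign body produces no findings. A check like this does not replace parameterized queries; it only makes the malformed input visible, and a login handler should in any case test the result of the query call before handing it to a fetch function so that a failed query produces a controlled error instead of a stack of PHP warnings.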