I'm using the following command to inject the Username parameter:
sqlmap -r Path_Of_Myfile -p UserName
It's running well. But there's also a second parameter of Password. How can I also attempt to inject the Password parameter in sqlmap?
You can just comma-separate the parameters you want to test.
In a GET request:
$ sqlmap -u "http://example.com/?a=1&b=2&c=3" -p "a,b"
In a POST request:
$ sqlmap -u "http://example.com/" --data "a=1&b=2&c=3" -p "a,b" --method POST
...
[13:37:54] [WARNING] heuristic (basic) test shows that POST parameter 'a' might not be injectable
...
[13:37:59] [WARNING] heuristic (basic) test shows that POST parameter 'b' might not be injectable
...
Both examples would test the specified parameters a and b, but ignore c. (I also put them into double quotes which isn't actually necessary on Linux.)