13

I'm using the following command to inject the Username parameter:

sqlmap -r Path_Of_Myfile -p UserName

It's running well. But there's also a second parameter, Password. How can I also attempt to inject the Password parameter in sqlmap?

Moshe
Samy

1 Answer

21

You can just comma-separate the parameters you want to test.

In a GET request:

$ sqlmap -u "http://example.com/?a=1&b=2&c=3" -p "a,b"

In a POST request:

$ sqlmap -u "http://example.com/" --data "a=1&b=2&c=3" -p "a,b" --method POST
...
[13:37:54] [WARNING] heuristic (basic) test shows that POST parameter 'a' might not be injectable
...
[13:37:59] [WARNING] heuristic (basic) test shows that POST parameter 'b' might not be injectable
...

Both examples would test the specified parameters a and b, but ignore c. (I also put them into double quotes, which isn't actually necessary on Linux.)

Arminius