6

I would like to use sqlmap and set parameters that are concatenated inside the URL parts.

I know that a URL like the following can be handled by defining the parameter with an asterisk placed after the parameter value:

sqlmap -u http://example.com/article/22565*/

But what about URLs that have numbers and alias strings concatenated all together?

I would like to test whether injections can be made on this URL:

http://example.com/alias-text-22565/description

The bold number is a dynamic parameter. This parameter is read on the server side using a regex.

How do I define parameters inside the URL so that sqlmap knows what the real parameters are in this case?

Note: Currently I am not able to test the website with SEF URL rewriting switched off.

pedrouan

1 Answer

1

AFAIK it should work out of the box, as sqlmap keeps the values. However, on the chance that it doesn't work, here are some easy workarounds that come to mind:

  1. You could tweak the URL by appending an injection so that it is more SQL injection friendly to begin with, i.e. http://example.com/alias-text-22565-(case when 1=1* then 1)/description, as described here: http://pentestmonkey.net/blog/exploiting-a-tricky-sql-injection-with-sqlmap. This is the method I usually use, but it does require you to have some knowledge of SQL injections.

  2. You could feed sqlmap through an intercepting proxy such as Burp or ZAP, add a replace rule to replace 22565 with alias-text-22565, and invoke sqlmap with the URL http://example.com/22565*/description

  3. You could write a quick tamper script that would prepend alias-text- to the URL and invoke sqlmap with the URL http://example.com/22565*/description

wireghoul
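For context on what a scan of this URL shape is checking, here is an added example (not from the question, the answer, or any real site) of a server-side handler that reads the id out of the path with a regex, first concatenated into the SQL text and then with a strict pattern and a bound parameter. The route patterns, table and column names, and sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; the schema is an assumption for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(22565, "Public article", 1), (22566, "Unpublished draft", 0)])
    return db

# Loose pattern: whatever follows the alias is accepted as the "id".
LOOSE = re.compile(r"^/alias-text-(.+)/description$")
# Strict pattern: a slug, then an id of 1 to 10 digits and nothing else.
STRICT = re.compile(r"^/[a-z0-9]+(?:-[a-z0-9]+)*-(\d{1,10})/description$")

def lookup_vulnerable(db, path):
    """'Before' form: the captured text becomes part of the SQL statement."""
    m = LOOSE.match(path)
    if not m:
        return None
    sql = "SELECT title FROM articles WHERE published = 1 AND id = " + m.group(1)
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, path):
    """'After' form: digits-only capture, passed as a bound parameter."""
    m = STRICT.fullmatch(path)
    if not m:
        return None  # the caller would answer 404
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ?"
    return [row[0] for row in db.execute(sql, (int(m.group(1)),))]

if __name__ == "__main__":
    db = make_db()
    # Constructed request paths (already URL-decoded by the framework).
    for path in ("/alias-text-22565/description",
                 "/alias-text-22565 OR 1=1/description"):
        print(path, lookup_vulnerable(db, path), lookup_hardened(db, path))
```

With the loose pattern, the path segment is an injection point exactly like a query-string parameter; the strict pattern rejects the request before any SQL runs, and the bound parameter keeps the value out of the statement text even if the pattern is later relaxed.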