Running sqlmap against a parameter inside a parameter

Question

I have a domain in the format: example.com?host=http://anotherexample.com?bar=1

I want to attack the "bar" param, but sqlmap (correctly) parses the second url as a value of the foo param. Therefore I can't select the bar variable with the -p argument.

Any way around this?

In response to one answer, the resulting command is like so:

sqlmap -v -p user -u "example.com?host=?user=1" --prefix="http://anotherexample.com/debug"

This isn't valid, as the first param must be a ? for the url to be valid, and the remaining params but be &'s.

you specify the parameter to attack as "user" but want to attack the parameter "host". If you change that, and set the prefix and suffix accordingly, it should work — Denis, Sep 27 '18 at 14:57

Denis · Answer 1 · 2018-09-27T15:00:18.507

Use the sqlmap pre- and suffix options

Sqlmap offers the options "--prefix" and "suffix" that according to the manual

--prefix=PREFIX     Injection payload prefix string
--suffix=SUFFIX     Injection payload suffix string

can be used to prepend or append a string to the injection payload.

So if you run your query with:

python sqlmap.py -p host -u "example.com?host=" --prefix "http://anotherexample.com?bar=1" --suffix "&restoftheurl=whatever"

sqlmap should construct the parameter in the format you are looking for.

So for the example injection payload ' AND 7235=7235-- the options create a request to the url

example.com?host=http://anotherexample.com?bar=1' AND 7235=7235--&restoftheurl=whatever

(in the real request the special characters and spaces of the URL parameter will be URL encoded).

Note: You might need to URL encode the special characters in the pre- and suffix options.

Unfortunately this doesn't work, I have updated my question with more information :D — Cathal, Sep 27 '18 at 14:37

Running sqlmap against a parameter inside a parameter

1 Answers1