
I'm currently performing an API Pentest and I suspect an SQLi in one of the API calls. It updates a certain item of the web-service and requires an increase of the version number for each request.

The request body is basically:

{"id":"1234","version":2,"name":"sqli-here*"}

The following request then needs to be:

{"id":"1234","version":3,"name":"sqli-here*"}

I could use mitmproxy with a script to automatically increase the version, or script the SQLi manually.

Is there any way I can achieve this with SQLMap or Burp Pro?

user3382203

1 Answer

You can use the --eval parameter of SQLMap, in theory:

--data='{"id": 1}' --eval "f = open('cnt.txt','r+'); id = int(f.readline()); f.seek(0,0); f.write(str(id+1)); f.close()"

See http://aetherlab.net/2014/07/advanced-sqlmap-features-eval/ for the full details - basically, SQLMap can modify JSON data, and run Python code. The Python code reads a file called cnt.txt (which you have to create manually), then uses the value in it to replace the ID variable, before incrementing the ID variable stored back in the file.

Matthew
  • Follow-up question. Is there a way I can base the modification on the previous response HTTP code? For example, if the last request was answered with HTTP 200, increase the id; if not, do not increase it. – Dolores The Third Nov 30 '18 at 10:29
  • Don't think so - the response from the server isn't exposed as far as I'm aware. You could potentially chain it through a proxy, and reduce the value stored in the file if the response isn't a 200. – Matthew Nov 30 '18 at 10:46
  • Good idea, that should be pretty straightforward with mitmproxy. Thanks a lot! – Dolores The Third Nov 30 '18 at 11:15
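The counter-file trick from the answer and the proxy-side rollback sketched in the comments, put together as a runnable example. This is added here and is not code from the answer or from the sqlmap or mitmproxy projects; the file name cnt.txt, the field name `version` (taken from the question), the target URL in the comment and the `simulate` driver are assumptions for illustration. One detail the one-line `--eval` snippet glosses over: opening the file with `r+` and writing over the old value is fine while the number grows, but a rollback from 100 to 99 would leave "990" in the file unless you truncate first.

```python
"""Counter-file helper for sqlmap --eval plus a mitmproxy addon that undoes
the increment when the server did not answer 200.

Wiring (assumed target URL):
  mitmproxy -s this_file.py
  sqlmap -u https://target.example/api/item --method PUT \
      --data '{"id":"1234","version":1,"name":"x"}' -p name \
      --proxy http://127.0.0.1:8080 \
      --eval "from this_file import bump_counter; version = bump_counter('cnt.txt')"

sqlmap runs the --eval code before every request; whatever is assigned to
`version` replaces that JSON field, and the proxy hook below rolls the
counter back whenever the upstream response is not HTTP 200.
"""
import os
import tempfile
from types import SimpleNamespace


def _read_int(f):
    """Read the integer stored in an open counter file (empty file -> 0)."""
    f.seek(0)
    return int(f.readline().strip() or 0)


def _write_int(f, value):
    """Overwrite the counter file with `value`; truncate so a shorter number
    does not leave trailing digits of the old one behind (100 -> 99, not 990)."""
    f.seek(0)
    f.truncate()
    f.write(str(value))


def bump_counter(path):
    """Return the current counter and store counter+1 (what the --eval does)."""
    with open(path, "r+") as f:
        current = _read_int(f)
        _write_int(f, current + 1)
    return current


def rollback_counter(path):
    """Undo one bump so the next request reuses the same version number."""
    with open(path, "r+") as f:
        current = _read_int(f)
        _write_int(f, max(current - 1, 0))
    return max(current - 1, 0)


class RollbackOnFailure:
    """mitmproxy addon: the `response` hook is called with every completed
    flow; anything other than 200 means the version was not consumed."""

    def __init__(self, path):
        self.path = path

    def response(self, flow):
        if flow.response.status_code != 200:
            rollback_counter(self.path)


# mitmproxy picks addons up from this module-level list when run with -s.
addons = [RollbackOnFailure("cnt.txt")]


def simulate(statuses, start=1):
    """Offline driver: replay a sequence of constructed upstream status codes
    through bump + addon and return the version number each request used."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "cnt.txt")
    with open(path, "w") as f:
        f.write(str(start))
    addon = RollbackOnFailure(path)
    sent = []
    for status in statuses:
        sent.append(bump_counter(path))          # what sqlmap would send
        fake_flow = SimpleNamespace(response=SimpleNamespace(status_code=status))
        addon.response(fake_flow)               # what mitmproxy would call
    os.remove(path)
    os.rmdir(tmpdir)
    return sent


if __name__ == "__main__":
    print(simulate([200, 500, 200]))            # [1, 2, 2]
```

Note that this only works with sqlmap's default single thread: with `--threads` above 1, requests overlap and the counter no longer maps one-to-one onto responses.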