1

After hours of trial an error I decided to ask here for some advice. I am currently trying to perform a sqlinj using using sqlmap on a system that was specifically designed to be attacked. The API states:

Method: GET
/users/>user_id</payments/>payment_token<

>user_id<: [int]
>payment_token<: [string]

Basically using the following command I can obtain information about a users payments:

curl -X GET 'https://123.123.123.123/users/2/payments/38d9f72f-cd26-fghf-a01f-804a9874eb0c' -H 'Authorization: Bearer abcdefghijklmop' -i -k

The token at the end is required for a valid request to perform any of the api requests. So what I did was logging the request by adding the -v at the end of my curl command. This gave me the following request header:

GET /users/2/payments/38d9f72f-cd26-fghf-a01f-804a9874eb0c HTTP/1.1
Host: 123.123.123.123 
User-Agent: curl/7.64.0
Accept: */*
Authorization: Bearer abcdefghijklmop

I want to now check all parameters for vulnerabilities, so I tried to put the request in a txt file and than ran sqlmap like so:

sqlmap -r "/home/user/Documents/Pentesting/Results/header.txt" --risk=3 --level=3 --force-ssl -v 1

However this doesn't find anything. What else can I try? How do I explicitly state that sqlmap should try to inject every parameter?

header.txt looks like so:

GET /users/user_id=*/payments/payment_token=* HTTP/1.1
Host: 123.123.123.123
User-Agent: curl/7.64.0
Accept: */*
Authorization: Bearer abcdefghijklmop

Any advice?

n00b.exe
  • 141
  • 1
  • 2
  • 4

1 Answers1

0

By default sqlmap tests all GET parameters and POST parameters. 

Source: https://github.com/sqlmapproject/sqlmap/wiki/Usage (Injection -> Testable Parameters)

It would seem the issue isn't specifying that sqlmap needs to test all parameters.

I would suggest checking what the request headers look like, when you run your last command.

EDIT: I typically don't see variables replaced with asterisk in the file.

Daisetsu
  • 5,110
  • 1
  • 14
  • 24