
I manually found an injection point, on a CTF VM, located in a POST form. I found it with the following manual payload:

1' OR SLEEP(1)-- t

I would like to use sqlmap. I ended up with the following call:

sqlmap -u "http://shop.home/shop/administrator/" --data "username=1&password=2" --level=5 --risk=3 --dbms mysql --technique T -vvv  -p "username,password"
  • Specify data to ensure POST is used, and try to inject on the username and password params.
  • Raise level and risk to extend the perimeter.
  • Focus on the MySQL DBMS as I'm pretty sure it is (I tried without).
  • Focus on time-based techniques as I found one.

Among all the tries, I saw this one:

[PAYLOAD] 2' OR SLEEP(5)-- daCv

It's exactly the one showing injection, and if I try using Burp I get the timed response evidence.

Nonetheless, sqlmap does not pick it up and ends up showing nothing found. I'm aware of similar questions (such as this one), but in my case I know for sure it is a time-based injection. I also tried with the charencode tamper.

I think I get the overview of sqlmap's heuristic approach: it will try with the given value in order to get a "valid" request, then build the vulnerable response profile according to these metrics.

How can I tweak sqlmap to find and exploit this particular injection point?

nbonniot
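The key property of the payload above is that a time-based blind injection produces no visible difference in the response body, only a delay; that is what sqlmap has to measure against a baseline. The following added example (not part of the original question, and not the CTF application's code) reproduces that behaviour in an in-memory SQLite database: the assumed login handler `login_vulnerable` concatenates the username into the query, `login_safe` binds it as a parameter, and a `SLEEP` function is registered on the connection purely to emulate MySQL's `SLEEP()` for the demo. Running both against the page's payload shows why the concatenated version stalls for a second while returning the same "login failed" result, and why the parameterised version neither stalls nor misbehaves.

```python
import sqlite3
import time

# Payload from the question; the trailing "-- t" comments out the rest of the query.
PAYLOAD = "1' OR SLEEP(1)-- t"


def make_db():
    """Build a constructed in-memory users table (sample data, not the CTF's)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the MySQL-style payload has an effect.
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical vulnerable handler: user input is spliced into the SQL text."""
    query = (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened handler: the same query with bound parameters, so input is data only."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def timed(fn, *args):
    """Return (result, elapsed_seconds) so the timing side channel can be compared."""
    start = time.monotonic()
    result = fn(*args)
    return result, time.monotonic() - start


def compare_handlers():
    """Run the payload through both handlers and report result plus elapsed time."""
    conn = make_db()
    vuln_result, vuln_elapsed = timed(login_vulnerable, conn, PAYLOAD, "2")
    safe_result, safe_elapsed = timed(login_safe, conn, PAYLOAD, "2")
    return {
        "vulnerable": {"logged_in": vuln_result, "elapsed": vuln_elapsed},
        "safe": {"logged_in": safe_result, "elapsed": safe_elapsed},
    }


if __name__ == "__main__":
    for name, outcome in compare_handlers().items():
        print(f"{name:10s} logged_in={outcome['logged_in']} "
              f"elapsed={outcome['elapsed']:.2f}s")
```

Both handlers deny the login, so a content-based check sees nothing; only the elapsed time of the vulnerable handler exposes the injection. That is the "response profile" sqlmap builds from a baseline request, and it is also why the fix on the application side is parameterisation rather than filtering the SLEEP keyword.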

1 Answer


You could save the request via Burp, then use sqlmap with the -r flag to load it, or you can try the --forms flag.

Marco Nappi