0

I am testing my own flask application that should be vulnerable.

I am using this in SQlmap:

sqlmap -u "https://test.heroku.com/checkusername/student*"

but the requests with payloads I am receiving contain student+payload. I think it's not working for this reason.

I tried

sqlmap -u "https://test.heroku.com/checkusername/*"

but got 404 and the test ended.

Do you know how to deal with this?

Example of request I got

GET /loggin/student%20AND%202788%3D%28SELECT%20%28CASE%20WHEN%20%282788%3D2788%29%20THEN%202788%20ELSE%20%28SELECT%209168%20UNION%20SELECT%209538%29%20END%29%29--%20lGfn

PasWei
  • 722
  • 3
  • 14
fagner nunes
  • 3
  • 2
  • 1
    sqlmap appears to have done exactly what you asked it to do... Perhaps you should have used some GET or POST parameters instead of injecting in the URL's path? – wireghoul Aug 08 '22 at 05:18

1 Answers1

0

Sqlmap will deploy the payload on your custom marked location, so in your example, sqlmap performs as expected. According to the documentation, your first command seems correct for marking the URI injection point. It will attempt a lot of payloads, some of which will be added after 'student'. For SQL injection, this is generally not a problem.

It might be easier for your tests to let the application work with GET parameters, such sqlmap could be deployed without custom marker. For example:

sqlmap -u "https://test.heroku.com/checkusername?username=student"

Wouter
  • 397
  • 1
  • 12