21

Is it possible to test for SQL injection vulnerabilities using sqlmap with a URL that is using mod_rewrite (or something like it) to make the URLs clean?

I know how to test my sites that have urls like: http://mysite.com/?id=1

But what about my sites that have clean urls, like: http://mysite.com/1

AviD
chadgh
  • I haven't had to deal with this before, but I would just throw it through Burp or some other proxy and see how it places its calls.... then act accordingly. – Ormis Aug 02 '11 at 17:02
  • I guess I don't know what you're talking about. I know how the parameters are parsed and used (it is my website), but, to be clear, my question is: can sqlmap be used to test for SQL injections for sites with URL rewrites (and how)? – chadgh Aug 02 '11 at 17:33
  • This question is confusing. (It's hard to tell what you mean by "clean".) After re-reading it several times, I'm guessing you might mean that the web server is rewriting URLs to embed all request parameters into the path itself, instead of using standard HTTP syntax for request parameters (e.g., `http://mysite.com/path/doit&a=foo&b=bar&c=baz` becomes `http://mysite.com/path/doit/foo/bar/baz`, or something like that). Is that the issue? – D.W. Aug 02 '11 at 19:21
  • This is common not just with mod-rewrite, but also with any MVC framework... Are you asking specifically about using sqlmap for this, or any SQLi pentesting in general? – AviD Aug 07 '11 at 14:27

4 Answers

25

You should use * in your URI, creating URI injection point(s). So instead of using:

sqlmap.py -u "website.com/script/paramrewrited1/paramrewrited2"

use:

sqlmap.py -u "website.com/script/paramrewrited1*/paramrewrited2*"

See sqlmap wiki for more usage options. From that page:

URI injection point

There are special cases when injection point is within the URI itself. sqlmap does not perform any automatic test against URI paths, unless manually pointed to. You have to specify these injection points in the command line by appending an asterisk (*) after each URI point that you want sqlmap to test for and exploit a SQL injection.

This is particularly useful when, for instance, Apache web server's mod_rewrite module is in use or other similar technologies.

An example of valid command line would be:

$ python sqlmap.py -u "http://targeturl/param1/value1*/param2/value2/"
TildalWave
dz.
3

If I understand your question, I believe sqlmap is not designed to deal with this situation (where the web server does not follow web standards for how to represent request parameters). So, I can think of a few options:

  1. Turn off URL rewriting. Temporarily turn off request parameter rewriting on your web server (if there's an easy way to do that), to let you run sqlmap.

  2. Try POST requests. You showed us that your web server encodes request parameters for GET requests in a non-standard fashion. How does it encode request parameters for POST requests? If the web server encodes request parameters in a more standard fashion for POST, and if every request is accessible via both GET and POST (a misconfiguration, but a common one), you may be able to test your server by sending POST requests instead of GET requests. See the --data option to sqlmap.

  3. Use some other tool. Look for some other tool, since sqlmap doesn't seem designed for this particular case.

  4. Modify sqlmap. sqlmap is open source. You could dive into the source code and extend it to support the use case you have in mind. (You might want to look at the code that handles the -p option to sqlmap.) Heck, it is free; you have to expect that if you have an unusual situation, it might not already handle it, and you might have to do a little bit of work on your own. If you follow this route, give back to the community by donating your code to the sqlmap maintainers.

D.W.
-1

You run into this often due to search engine optimization (SEO).

For example, instead of the following:

http://www.website.com/index.php?option=com_blahbla&Item=2&ItemId=5

You see:

http://www.website.com/index,51,blabla

or

http://website.com/guestbook/page2

In this type of scenario, one must examine the applicable source code.

A determination must be made about:

  1. Which component is currently active;
  2. Which parameter is applicable; and
  3. What their current values are.

On a Joomla based website the following code would be assessed:

<input type="hidden" name="option" value="com_blabla" />
<input type="hidden" name="ItemId" value="5" />
<input type="hidden" name="Item" value="2" />
<input type="hidden" name="entry" value="451" />
<input type="hidden" name="view" value="entries" />

Once this determination is made, the URL can be reconstructed to its original form and, if vulnerable, successfully exploited.

http://www.website.com/index.php?option=com_blabla&Itemid=5&ItemId=2&Entry=451&View=Entries
TildalWave
-1

There's no need to reconstruct the URL. sqlmap accepts the following variations:

www.target1.com/vuln1.php?q=foobar
www.target2.com/vuln2.asp?id=1
www.target3.com/vuln3/id/1*

Source: https://github.com/sqlmapproject/sqlmap/wiki/Usage