Tell me more ×
IT Security Stack Exchange is a question and answer site for IT security professionals. It's 100% free, no registration required.
up vote 1 down vote favorite

I was wondering whether sqlmap is able to test HTTP headers for sql vulnerabilities. I know that if I use --level>=3 then it will automatically check for User-Agent and Referer HTTP headers, but I would also like to check for others.

I've found the --header options, which I can use to specify the headers that will be sent in requests, but I have no idea whether sqlmap will actually test those headers. Let's say I want to add a header:

CustomHeader: testing

to the http request. I would add the --headers="CustomHeader: testing" to the sqlmap command line and then I could specifically tell sqlmap to test for the SQL vulnerabilities in CustomHeader HTTP header with the -p option, like this:

Testable parameter(s)

Switch: -p

By default sqlmap tests all GET parameters and POST parameters. When the value of --level is >= 2 it tests also HTTP Cookie header values. When this value is >= 3 it tests also HTTP User-Agent and HTTP Referer header value for SQL injections. It is however possible to manually specify a comma-separated list of parameter(s) that you want sqlmap to test. This will bypass the dependence on the value of --level too.

For instance, to test for GET parameter id and for HTTP User-Agent only, provide -p id,user-agent.

So the command could be:

-p customheader

Does anybody know how to actually test custom HTTP headers with sqlmap?

Thank you

share|improve this question
I love sqlmap and I use it regularly, but I have no idea if it will test header elements. However! this is very easy to test. Just write a simple web app that records the values for an arbitrary header field. – Rook Jan 22 at 16:39
Yes, this would be easy to test, but I'm very skeptical about whether it actually does this; which is why I'm asking here how to do that, if it can be done by sqlmap at all. – eleanor Jan 22 at 16:44
there is a very good chance that it does. But you need to test it. There are smart people on SO/SE, but there is not guarantee of correctness unless you do it yourself. – Rook Jan 22 at 16:45

2 Answers

up vote 0 down vote accepted

Below is a snippet of code from ./sqlmap/lib/controller.py that defines the --level behavior:

enter image description here

It appears custom header injection is supported (as of just a week ago - so do a git pull):

now it's possible to do something like this:

--user-agent="sqlmap*"
or
--referer="target.com*"
or
--headers="User-Agent:test*\nReferer:bla"
or
--headers="Foo:bar*"
or (mark with asterisk character * inside request file):
-r request.txt
or
..

share|improve this answer
up vote 1 down vote

It is my understanding that SQLmap currently only supports testing of three Header fields. From the manual:

"Tests provided GET parameters, POST parameters, HTTP Cookie header values, HTTP User-Agent header value and HTTP Referer header value to identify and exploit SQL injection vulnerabilities. It is also possible to specify a comma-separated list of specific parameter(s) to test"

So, UserAgent, Cookies and Referer. You can set custom header fields using the headers=HEADERS option however in my testing this didn't test the given field for injection but instead just sent the value supplied.

I recently wrote a tool to audit all HTTP header fields but the number of tests it preforms is pale in comparison to SQLmap. Currently it just tests for error based SQLi but will also throw some null bytes at the header fields as well. However, it will test all header fields including any custom fields. Should you care to check it out you can find the code here:

https://github.com/nopslip/pyLobster

Also, I believe this tool may offer some of the features you are looking for.

http://code.google.com/p/enema/

I don't think that it will currently test all header fields but i'm not 100% sure on that. My guess is that Enema's SQLi tests are also far more extensive than with pyLobster.

share|improve this answer
Thank you for your comment, but I really have to accept the answer from Tate. I will definitely take a look at the tools you mentioned. thanks – eleanor Jan 26 at 8:27

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.