
I have a parameter in a POST request which is in the following format:

ParamName= < r username="123" password="456" x="" y=""/>

and I want to test username and password, which are two HTML input controls on the webpage, using sqlmap. How should I use sqlmap for this kind of request, or for example for JSON parameters like parametername={ username:value1 , password:value2}?

    
Can you post the HTTP request? –  cengizUzun Feb 18 at 13:14
    
Next time, give a heads-up after editing your post... –  cengizUzun Feb 18 at 13:58

2 Answers

0 votes, accepted

You can simply use a text file with your HTTP request in it and add a * to where you want sqlmap to perform the injection. Then start sqlmap with the -r http_request.txt option.

As an example for the file:

POST / HTTP/1.1
Host: www.example.com

parametername={username:*, password:*}

Here is a simpler tool for SQL injection testing.

You can also manually try changing the request as follows (and with different variations by using cheat sheets available on the Internet):

ParamName= < r username="123" and ""="## password="456" x="" y=""/>

Hashtags (yeah, it's no more number sign or pound key :( ) will tell SQL to ignore the rest, so it will take it as right.

The user can also input (123" and ""=" ) from the interface for username, and your code would add the final ", which would have the same effect as the example above.

etc... Google sql injection cheat sheet and examples...

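For the application side of this test, an added example (not part of either answer): a handler that parses the ParamName value and looks the user up, once with string concatenation and once with bound parameters, plus a regression check that tells the two apart. The table layout, the function names and the single-quoted variant of the quoting string are assumptions made for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample value for ParamName, in the format shown in the question.
PARAM = '<r username="%s" password="456" x="" y=""/>'

def make_db():
    """In-memory stand-in for the application's user table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('123', '456')")
    return db

def parse_param(raw):
    """Return (username, password) from the XML-style value, or None if malformed."""
    try:
        el = ET.fromstring(raw)
    except ET.ParseError:
        return None
    if el.tag != "r" or not {"username", "password"} <= set(el.attrib):
        return None
    return el.attrib["username"], el.attrib["password"]

def login_concat(db, raw):
    """Weak form: attribute values are pasted into the SQL text."""
    creds = parse_param(raw)
    if creds is None:
        return False
    sql = "SELECT 1 FROM users WHERE username='%s' AND password='%s'" % creds
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False

def login_bound(db, raw):
    """Hardened form: values travel as bound parameters, never as SQL text."""
    creds = parse_param(raw)
    if creds is None:
        return False
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(sql, creds).fetchone() is not None

def input_reaches_sql(login, db):
    """Regression check: do an always-true and an always-false suffix differ?"""
    same = login(db, PARAM % "123' and ''='")
    diff = login(db, PARAM % "123' and ''='x")
    return same != diff
```

With bound parameters both probe values are compared as literal usernames, so the check returns False; a True result means the attribute value is being interpreted as SQL.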
