Form based SQL Injection with Sqlmap

In previous post we have seen the basic tutorial of Sqlmap and the exploitation.

The exploitation was about the GET request or where the vulnerable parameter is passing in the URL. There is another aspect of Sql Injection where it happens in form based submissions. In more technical terms a POST request where the certain parameters are being sent to server. In this post we will exploit form based SQL Injection with Sqlmap.

This post could have been delayed without the help of Kunal Pachauri, so just a shoutout for him before I start this post.

Sql Injection using method flag in sqlmap

Lets suppose we have a website which has below form based submission and search feature.(I have used XVWA for this).

Once we submit the form we can see the below request in BurpSuite.

From here we can follow two approaches to run the sqlmap and exploit.

Exploiting with –method flag

We will run below command to check if it is vulnerable to Sql Injection.

sqlmap -u "" --method -post --data "item=1&search="

It gives me below result after enumerating the details of the application and the database.

We will confirm further by adding –dbs flag at the end, eventually it will give all the databases present.

sqlmap -u "" --method -post --data "item=1&search=" --dbs

Oh yeah ! We are getting the desired results. We can follow the steps mentioned in the previous post for further exploitation.

Now we will discuss the other way if you are not willing to enter –method or –data.

Form based Sql Injection with text file

I find this approach quite simple. We just need to create a text file and put the complete request in it.

Now run the below command.

sqlmap -r sql.txt -p item

and it gives below result, perfect.

sqlmap -r sql.txt -p item --dbs

Excellent, I hope this post will turn useful for everyone. There are lot of things coming up in terms of Advanced usage of Sqlmap. Any questions or suggestions are always welcomed.

Just to repeat: Make sure you run this tool only when you have proper permissions from the owner of the application. (No unethical activities please. :P)