NOTE: Attempted on METASPLOITABLE's Mutillidae

I attempted to use SQLmap to inject into Mutillidae's "User info" page.

I had already attempted manual injection, and the vulnerable parameters are USERNAME and PASSWORD.

While I used the -u command on SQLmap, only parameter PAGE was considered as a GET parameter by SQLmap, which in turn (as expected) led to it saying the URL was not injectable.

Later, upon usage of Burp proxy and running SQLmap via the -r request command, everything works fine for the exact same URL.

I am confused as to how these two commands work, and what was supplied in the -r command that made it possible to successfully inject, which was not in the -u URL I supplied.

When should I use which command?

Using -u command to check for vulnerability

sqlmap -u http://xxx.xxx.2.9/mutillidae/index.php?page=user-info.php&username=a&password=b&user-info-php-submit-button=View+Account+Details

Using -r command

sqlmap -r /root/Desktop/user.request

user.request contained the following:

GET /mutillidae/index.php?page=user-info.php&username=a&password=b&user-info-php-submit-button=View+Account+Details HTTP/1.1
Host: xxx.xxx.2.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.2.9/mutillidae/index.php?page=user-info.php&username=a&password=b&user-info-php-submit-button=View+Account+Details
Cookie: PHPSESSID=cb55bd05e9618af173600ba757e996c1
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 31 May 2018 06:13:15 GMT
ivan_pozdeev
Madhan
  • Please add your code so we can help you. Thanks! – Ignacio Ara May 31 '18 at 07:09
  • Hey! Just added the command I passed (edited out the IP address with xxx, the rest remains unchanged) – Madhan May 31 '18 at 07:29
  • I did use the --skip command to skip parameter "page" and resolve it, but the question remains: why does -u fail if the first parameter is not injectable? Bug? – Madhan May 31 '18 at 10:42
  • This question appears to be off-topic because it is not within the bounds of discussion as described in the help center. –  May 31 '18 at 16:24
  • Can you guide me as to where I can find a solution? Any other forums for the same? Thanks! (I am new to this site) – Madhan May 31 '18 at 18:26

1 Answer

It looks like you are missing the cookie in the -u portion:

Cookie: PHPSESSID=cb55bd05e9618af173600ba757e996c1

Add the following arguments to your command:

sqlmap --headers="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" --cookie="PHPSESSID=cb55bd05e9618af173600ba757e996c1" -u 'http://xxx.xxx.2.9/mutillidae/index.php?page=user-info.php&username=a&password=b&user-info-php-submit-button=View+Account+Details' --level=5 --risk=3

The level and the risk are extreme and force Sqlmap to use pretty much everything it has to test your client machine... In this particular context you don't really need them, but it's good to be aware of.

If you want to specify a parameter that you want Sqlmap to test, use the -p option, for example:

-p username

Finally, to answer the second part of your question, when should you use -r vs -u: that really is a user choice. You may find it more convenient to dump your HTTP information into a file and read directly from it (the primary usage of -r), or you may find that you want more control over what you are sending and want to tweak it on the command-line (the primary usage of -u).

Bob
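
Added example, not part of the original question or answer: the -u command in the question is shown with the URL unquoted, while the answer's command single-quotes it. In a POSIX shell a bare & ends the command and backgrounds it, so a program receives only the URL up to the first &. Here seen_params is a constructed stand-in for sqlmap that only lists the parameter names it was handed; run_as_typed, unquoted_result and quoted_result are likewise hypothetical helper names.

```shell
#!/bin/sh
# Constructed stand-in for sqlmap (assumption, not sqlmap itself): print the
# names of the query parameters in the URL argument it actually receives.
seen_params() {
    query=${1#*\?}                       # drop everything up to the first '?'
    printf '%s\n' "$query" | tr '&' '\n' | cut -d= -f1 | paste -sd, -
}

# URL from the question (host already masked by the asker).
URL='http://xxx.xxx.2.9/mutillidae/index.php?page=user-info.php&username=a&password=b&user-info-php-submit-button=View+Account+Details'

# Re-parse a command line the way the shell does when it is typed.
# A bare '&' creates background jobs, so wait for them before returning.
# Errors from the leftover fragments after each '&' are silenced.
run_as_typed() {
    ( eval "$1" || true; wait ) 2>/dev/null
}

# As in the question: no quotes, the shell splits the line at every '&'.
unquoted_result() { run_as_typed "seen_params $URL"; }

# As in the answer: single quotes keep the URL as one argument.
quoted_result() { run_as_typed "seen_params '$URL'"; }

printf 'unquoted -u URL: %s\n' "$(unquoted_result)"
printf 'quoted   -u URL: %s\n' "$(quoted_result)"
```

The -r form does not pass the URL through the shell at all, since the request line is read from the file, which is why the same URL arrives intact there.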