sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

query POST how send object #1715

Closed kos76 closed 8 years ago

kos76 commented 8 years ago

Hi, I am testing my site with sqlmap. I try to send an object with POST requests, and I get an empty $_POST on the server side.

Here is the console command:

python sqlmap.py -r "/opt/lampp/htdocs/sqlmap-dev/_r.txt" -b --dbms=mysql -v 1

In the file:

POST /api/testSqlMap3 HTTP/1.1
Host: http://mysite
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.2.6) Gecko/20100628 Ubuntu/10.04 (lucid) Firefox/3.6.6

{"jq":{"Search":false,"nd":1,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}

If I send id=1 or another string or integer parameter, everything works fine. How do I have to format the transmitted object? And a second question: Does SQL map support HTTP PUT and DELETE requests? Can I check my site using PUT and DELETE requests in sqlmap?

stamparm commented 8 years ago

With your request file I get:

$ python sqlmap.py -r /tmp/req.txt -t /tmp/traffic.txt
         _
 ___ ___| |_____ ___ ___  {1.0-dev-82abf1f}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:06:42

[11:06:42] [INFO] parsing HTTP request from '/tmp/req.txt'
[11:06:42] [INFO] setting file for logging HTTP traffic
JSON data found in POST data. Do you want to process it? [Y/n/q] 
[11:06:43] [INFO] testing connection to the target URL
[11:06:43] [INFO] heuristics detected web page charset 'ascii'
[11:06:43] [WARNING] the web server responded with an HTTP error code (501) which could interfere with the results of the tests
[11:06:43] [INFO] testing if the target URL is stable
[11:06:44] [INFO] target URL is stable
[11:06:44] [INFO] testing if (custom) POST parameter 'JSON nd' is dynamic
[11:06:44] [WARNING] (custom) POST parameter 'JSON nd' does not appear dynamic
[11:06:44] [WARNING] heuristic (basic) test shows that (custom) POST parameter 'JSON nd' might not be injectable
[11:06:44] [INFO] testing for SQL injection on (custom) POST parameter 'JSON nd'
...
HTTP request [#8]:
POST /api/testSqlMap3 HTTP/1.1
Host: 127.0.0.1:8000
Content-type: application/json
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.2.6) Gecko/20100628 Ubuntu/10.04 (lucid) Firefox/3.6.6
Content-length: 107
Connection: close

{"jq":{"Search":false,"nd":"1 AND 7521=2778","PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}

stamparm commented 8 years ago

Please always use the latest revision.

stamparm commented 8 years ago

Does SQL map support HTTP PUT and DELETE requests? - yes

Just put DELETE instead of POST in the request file or use --method

kos76 commented 8 years ago

Thank you very much. I made a mistake in the header when I sent the object, and if we send a JSON object we must set an asterisk.

Thanks!
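
An added example, not code from sqlmap or from anyone in this thread: a small Python check for a `-r` request file that carries a JSON body. It flags the header differences visible between the request posted in the question and the one in the traffic log above (a URL scheme in `Host`, no `Content-Type: application/json`) and lists the JSON scalar values by path; the function names and the dotted path format are assumptions of this example.

```python
import json

def parse_request(raw):
    """Split a raw HTTP request (as stored in a request file) into its parts."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.strip()

def json_leaves(node, prefix=""):
    """Yield (path, value) for every scalar in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from json_leaves(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from json_leaves(value, f"{prefix}[{i}]")
    else:
        yield prefix, node

def check_request(raw):
    """Return (problems, leaves) for a request file carrying a JSON body."""
    _method, _path, headers, body = parse_request(raw)
    problems = []
    host = headers.get("host", "")
    if not host or "://" in host:
        problems.append("Host header missing or contains a URL scheme")
    if "json" not in headers.get("content-type", "").lower():
        problems.append("Content-Type is not application/json")
    try:
        leaves = list(json_leaves(json.loads(body)))
    except ValueError:
        problems.append("body is not valid JSON")
        leaves = []
    return problems, leaves

# Constructed sample: the request from the question, User-Agent shortened.
SAMPLE = (
    "POST /api/testSqlMap3 HTTP/1.1\n"
    "Host: http://mysite\n"
    "User-Agent: Mozilla/5.0\n"
    "\n"
    '{"jq":{"Search":false,"nd":1,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}\n'
)

print(check_request(SAMPLE))
```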

kos76 commented 8 years ago

@stamparm tell me, please, can I use a list with marker -r (Load HTTP request from a file)? I have many URLs to check with POST requests and POST parameters in these requests.

Something like marker -m with a list of URLs in a file. It's very good for GET requests, but not very good for POST.

char1st commented 7 years ago

python sqlmap.py --skip=token --method=POST --data='{"data":{"password":123456,"userName":"test"}}' -u"http://127.0.0.1:8070/api?token=495adfd4272911272965a026e895e1ba"

I want to inject with JSON, but it failed. The JSON value does not change. version==1.1.4.48#dev