sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

[Question] Path Fragment input #5257

Closed 12553240Kj closed 1 year ago

12553240Kj commented 1 year ago

Hello. Acunetix found a vulnerability. Can you tell me how I can exploit it in sqlmap?

URL:
https://site.com/
Parameter:
**/<s>/<n>-[*]/**

Attack Details
Path Fragment input /<s>/<n>-[*]/ was set to d'|a|'ark-yellow

GET /schuh/88-d'|a|'ark-yellow/
Original value: dark-yellow

Tests performed:

    dark-yellow'||' => TRUE
    dark-yellow'|||' => FALSE
    dark-yellow'||''||' => TRUE
    dark-yellow'||'000247'||' => FALSE
    '||''||'dark-yellow => TRUE
    zzz'||'000247'||'dark-yellow => FALSE
    dark-yellow000247 => FALSE
    d'||'ark-yellow => TRUE
    d'|a|'ark-yellow => FALSE

stamparm commented 1 year ago

1) "acunetix found" can mean anything. if sqlmap fails, then stick to acunetix
2) you can put a custom injection marker anywhere inside the URL, like:

python sqlmap.py -u https://site.com/dark-yellow*
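The TRUE/FALSE pattern in the reported tests is what a string-concatenation probe looks like when the path slug is pasted straight into the SQL text: every payload that concatenates back to `dark-yellow` matches, every payload that produces a different string or a syntax error does not. The following is an added example, not code from sqlmap or from the issue author, that replays those nine probes against a vulnerable handler and a parameterized one. It assumes a SQLite-backed catalogue with a constructed `products` table (id, category, slug) holding the `/schuh/88-dark-yellow/` row; the table, the second row and the helper names are assumptions for the example. SQLite uses the same `||` concatenation operator the probes rely on.

```python
import sqlite3

# Constructed sample catalogue (assumption): the issue only shows the
# URL pattern /<s>/<n>-<slug>/ and the original slug "dark-yellow".
PRODUCTS = [
    (88, "schuh", "dark-yellow"),
    (89, "schuh", "dark-blue"),
]

# The probes from the report, in the order listed, preceded by the original value.
PROBES = [
    "dark-yellow",
    "dark-yellow'||'",
    "dark-yellow'|||'",
    "dark-yellow'||''||'",
    "dark-yellow'||'000247'||'",
    "'||''||'dark-yellow",
    "zzz'||'000247'||'dark-yellow",
    "dark-yellow000247",
    "d'||'ark-yellow",
    "d'|a|'ark-yellow",
]


def _connect():
    """In-memory database seeded with the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, category TEXT, slug TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_vulnerable(conn, product_id, slug):
    """Slug from the path fragment is formatted into the SQL text, so a
    quote in the slug closes the literal and '||' becomes concatenation.
    A malformed payload raises an SQL error; that is reported as no match."""
    sql = f"SELECT id FROM products WHERE id = {int(product_id)} AND slug = '{slug}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def lookup_parameterized(conn, product_id, slug):
    """Same lookup with bound parameters: the slug is compared as data,
    so only the literal string 'dark-yellow' can match."""
    row = conn.execute(
        "SELECT id FROM products WHERE id = ? AND slug = ?",
        (int(product_id), slug),
    ).fetchone()
    return row is not None


def replay(lookup):
    """Run every probe through the given handler; returns one bool per probe."""
    conn = _connect()
    try:
        return [lookup(conn, 88, probe) for probe in PROBES]
    finally:
        conn.close()


def is_concat_probe(segment):
    """Cheap log-side check: a path segment carrying a quote next to the
    SQL concatenation operator is characteristic of these probes."""
    return "'||" in segment or "||'" in segment


if __name__ == "__main__":
    for probe, vuln, safe in zip(PROBES, replay(lookup_vulnerable), replay(lookup_parameterized)):
        print(f"{probe!r:32} vulnerable={vuln!s:5} parameterized={safe!s:5} probe={is_concat_probe(probe)}")
```

Run stand-alone, the vulnerable handler reproduces the report's TRUE/FALSE column exactly (payloads that concatenate back to `dark-yellow` match, the rest do not), while the parameterized handler matches only the unmodified slug. The difference between the two columns is the signal a scanner is measuring; binding the slug as a parameter removes it.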