6

I have a parameter in a POST request which is in the following format:

ParamName= < r username="123" password="456" x="" y=""/>

and I want to test username and password, which are two HTML input controls on the webpage, using sqlmap. How should I use sqlmap for this kind of request, or for example for JSON parameters like parametername={ username:value1 , password:value2}?

2
  • Can you post the HTTP request? Commented Feb 18, 2014 at 13:14
  • Next time give a heads up after editing your post... Commented Feb 18, 2014 at 13:58

2 Answers 2

10

You can simply use a text file with your HTTP request in it and add a * to where you want sqlmap to perform the injection. Then start sqlmap with the -r http_request.txt option.

As an example for the file:

    POST / HTTP/1.1
    Host: www.example.com

    parametername={username:*, password:*}

2
  • Will this work with the --data="{json:*}" flag?
    – Sash
    Commented Jul 2, 2015 at 10:17
  • Yes, this will work, but keep in mind that if you're using the -r option, you will have to put the --data part in the request file. If you're using the -u option, this will work as you would expect. Commented Jul 21, 2015 at 9:23
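
Added example, not part of the original answer: a Python helper that builds the request file the answer describes, placing the `*` marker on chosen fields inside an XML-attribute or flat JSON-like parameter value. It generalizes the answer's one-line sample to both formats from the question; the function names and the `keep_value` option are hypothetical, and the sample values come from the question.

```python
import re

MARK = "*"  # sqlmap's custom injection marker, as used in the answer above

# name="value" attributes, e.g. < r username="123" password="456" .../>
XML_ATTR = re.compile(r'(?P<key>[\w-]+)="(?P<val>[^"]*)"')
# key:value pairs in a flat JSON-like object, keys/values quoted or bare
JSON_PAIR = re.compile(
    r'(?P<q>"?)(?P<key>\w+)(?P=q)\s*:\s*'
    r'(?P<vq>"?)(?P<val>[^",}]*?)(?P=vq)(?=\s*[,}])')


def mark_fields(value, fields, keep_value=False):
    """Put the marker on the named fields inside a nested parameter value.

    keep_value=False replaces the value with the marker (as in the answer);
    keep_value=True appends the marker to the original value instead.
    """
    if MARK in value:
        # A literal '*' already present could not be told apart from a marker.
        raise ValueError("value already contains '*'")
    pattern = XML_ATTR if value.lstrip().startswith("<") else JSON_PAIR

    def repl(m):
        if m.group("key") not in fields:
            return m.group(0)  # field not selected: leave it untouched
        start, end = m.start("val") - m.start(), m.end("val") - m.start()
        new = (m.group("val") if keep_value else "") + MARK
        return m.group(0)[:start] + new + m.group(0)[end:]

    return pattern.sub(repl, value)


def build_request(host, path, param, value, fields, keep_value=False):
    """Return the text of a request file for `sqlmap -r <file>`."""
    body = f"{param}={mark_fields(value, fields, keep_value)}"
    return f"POST {path} HTTP/1.1\nHost: {host}\n\n{body}\n"


if __name__ == "__main__":
    # Sample values taken from the question; host is the answer's placeholder.
    xml_value = '< r username="123" password="456" x="" y=""/>'
    print(build_request("www.example.com", "/", "ParamName",
                        xml_value, {"username", "password"}))
```
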
0

Here this is a simpler tool for sql injection testing

You can also manually try changing the request as follows (and with different variations by using cheat sheets available on the Internet)

ParamName= < r username="123" and ""="## password="456" x="" y=""/>

Hashtags will (yeah, it's no more number sign or pound key :( ) tell SQL to ignore the rest, so it will take it as right.

The user can also input (123" and ""=" ) from the interface for username, and your code would add the final ", which would have the same effect as the example above.

etc... Google sql injection cheat sheet and examples...
