I am trying to understand how SQLmap works.
For example, sqlmap finds injection on my site -
Place: GET
Parameter: selected
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: act=il&ed=1' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a6,0x579786e676651,0x373a), NULL, NULL, NULL, NULL#
Using SQLmap, I can dump databases, but how to dump the same databases from the browser? I tried to put the following link into the browser but it didn't work -
http://www.site.com/index.php?act=il&ed=1' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a6,0x579786e676651,0x373a), NULL, NULL, NULL, NULL#
I do not get any result at all in my browser. I trying different ways to put /**/ and + and etc but suck.
How to get links which Sqlmap sending for a penetration test?
How to exploit a simple select version() query with this injection?
Maybe this isn't really working?
The link you're attempting (unless there's a copy and paste error) is not a valid URL and is not how the actual SQL command is transformed in the browser.
IF you want to know what SQLmap is actually sending, I recommend that you run one of tcpdump/tshark/wireshark on the relevant interface to see what is actually being sent over the wire. This is the best way to understand what these tools actually do. For example, something like
sudo tcpdump -s0 -Xnnpi eth0 -w /var/tmp/sqlmap.pcap port 80
will work.
On the other hand, simply open Wireshark and capture on the eth0
interface. The actual traffic will show up in the Application Layer
in Wireshark.
In order to exploit the application as you asked, you need to correctly format your URL so that it's encoded correctly and the web app can transform it to send it to the database. See this link for testing SQL Injection using the URL bar in a browser and here's another cheat sheet.
I believe sqlmap
is working, it's very good.
Disclaimer: I'm trusting that you're either legally authorised to do this testing or it's in a lab environment.