Using sqlmap with login forms
In a previous article we saw how to use sqlmap to exploit vulnerable URLs of the form
where the id parameter, for example, is vulnerable to SQL injection.
Now we shall try to do the same thing with forms, especially login forms. Forms often submit data via POST, so the syntax for launching the sqlmap command is slightly different.
It's important to note that when working with POST submissions, the URL provided to sqlmap should be the submission URL and not the URL that loads the form.
So if the form is loaded on a url say
and it submits to the url
Then the URL to use with sqlmap is http://www.site.com/form_submit.php
The next thing is to find out which parameters the form submits. This can easily be done with the DOM inspector of Chrome or Firebug in Firefox.
So let's say the injectable parameter is username. The command would be something like
$ python sqlmap.py -u "http://www.site.com/form_submit.php" --data="username=avc"
The --data option tells sqlmap to send the parameters in a POST request. If you are lucky, sqlmap will detect the SQL injection quickly. However, when working with forms and POST data, things don't move quickly.
sqlmap may report the parameter as not injectable because, unless a correct username is known, the POST submission will not produce a proper page, that is, a TRUE page. sqlmap first needs a TRUE page, then tries to generate a FALSE page, and compares the two pages to confirm that the parameter is injectable.
However, we know that the parameter is injectable because we can get inside just by using the magic word.
' or '1'='1
If the first sqlmap command reports that the parameter is not injectable, then try the magic word as the parameter value
$ python sqlmap.py -u "http://www.site.com/form_submit.php" --data="username=' or '1'='1"
This command should work if the magic word works from the browser.
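Why the magic word produces a TRUE page while an unknown username such as avc does not, and how a bound parameter removes the difference, is shown in the following added example. It is not code from the original article or from sqlmap; the users table, the sample row and the function names are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: one user in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def login_concat(db, username):
    # Vulnerable handler (hypothetical): the submitted value is pasted into
    # the SQL text, so a quote in it ends the string literal and the rest
    # of the value is parsed as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchone() is not None


def login_param(db, username):
    # Hardened handler (hypothetical): the value is bound as data and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone() is not None


def page_outcomes(handler):
    """Return which 'page' (True = logged in) each submitted value yields."""
    db = make_db()
    values = {"unknown": "avc", "magic": "' or '1'='1", "valid": "alice"}
    return {name: handler(db, value) for name, value in values.items()}


if __name__ == "__main__":
    # Concatenated query: "avc" gives a FALSE page, the magic word a TRUE one.
    print("concatenated :", page_outcomes(login_concat))
    # Parameterized query: the magic word is just a username that does not exist.
    print("parameterized:", page_outcomes(login_param))
```

With the parameterized handler, the TRUE/FALSE page difference that sqlmap relies on for confirmation no longer depends on SQL syntax in the submitted value.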