Monday, 12 September 2011

Using sqlmap for testing HTTPS sites

Update: By default, sqlmap supports SSL. Somehow it didn't work for my friend, so I tried the --proxy option as an alternative way.

Last week, one of my friends asked me how to use sqlmap against HTTPS sites. I had never tried that, but was sure there would be a way to do it. I quickly checked the sqlmap documentation and came across the --proxy switch.

Somehow my friend didn't manage to get sqlmap working with the --proxy switch, so I decided to try it out myself.

The first thing I did was to read the sqlmap documentation about the --proxy switch.


The --proxy switch is straightforward to use: you just provide the proxy details as http://<proxy IP>:<port>. I used Burp to test this.

The target site was running on 192.168.20.129. It had a search page that was vulnerable to SQL injection, and that page used the POST method.


To run sqlmap, I used the following command:
./sqlmap.py -u "https://192.168.20.128/1/index.jsp" --data "word=test" --proxy "http://127.0.0.1:8080"

where -u is the target URL, --data is the POST data and --proxy is the Burp proxy address.

Let's run it.


It worked, and sqlmap detected the back-end database as MySQL 5.0.

Hope you will find this useful.

2 comments:

  1. When I tried the URL over SSL, it showed the following error:
    [16:33:37] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request

    And the entire website was over HTTPS, so I ended up writing a script in Fiddler. I guess something is screwed up in my Windows. Here is the Fiddler script:
    static function OnBeforeRequest(oSession: Session) {
        // Only touch requests for the target host that arrived as plain HTTP
        if (oSession.HostnameIs('www.demo.com')) {
            if (!oSession.isHTTPS) {
                if (oSession.fullUrl == "http://www.demo.com/vulpage.asp") {
                    // Re-issue the request to the same page over HTTPS
                    oSession.fullUrl = "https://www.demo.com/vulpage.asp";
                }
            }
        }
    }

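The two set-ups on this page (sqlmap pointed at a local proxy via --proxy, and the commenter's Fiddler rule that rewrites http://www.demo.com/vulpage.asp to https://) share one mechanism: the client sends plain-HTTP proxy requests, and the proxy re-issues them to the real host over TLS. As an added example, not code from the original post or from sqlmap, Burp or Fiddler, here is a minimal Python proxy doing the same thing; it generalises the Fiddler rule to every path on the configured host, and the listen address 127.0.0.1:8080 and the host www.demo.com are assumptions taken from the page.

```python
# Added example (not from the original post): a tiny local HTTP proxy that
# accepts plain-http requests for one hostname and re-issues them over HTTPS,
# the same job as the commenter's Fiddler OnBeforeRequest rule.
import http.client
import http.server
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

UPSTREAM_HOST = "www.demo.com"    # host named in the comment's rule (assumption)
LISTEN = ("127.0.0.1", 8080)      # assumed local address; pass it to --proxy
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection",
              "transfer-encoding", "te", "upgrade"}


def upgrade(url: str, host: str = UPSTREAM_HOST) -> Optional[str]:
    """Fiddler rule generalised to every path on `host`: return the https://
    form of an http:// URL for that host, or None if it must not be forwarded."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname != host:
        return None
    return urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, ""))


class UpgradeProxy(http.server.BaseHTTPRequestHandler):
    def _relay(self):
        # A proxy request line carries an absolute URI, so self.path is the full URL.
        target = upgrade(self.path)
        if target is None:
            self.send_error(403, "only http://%s/... is forwarded" % UPSTREAM_HOST)
            return
        parts = urlsplit(target)
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None  # e.g. word=test
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        headers["Host"] = parts.netloc
        path = urlunsplit(("", "", parts.path, parts.query, ""))
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=30)
        conn.request(self.command, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()  # http.client already de-chunks, so re-send with a length
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
        conn.close()

    do_GET = do_POST = _relay


if __name__ == "__main__":
    http.server.HTTPServer(LISTEN, UpgradeProxy).serve_forever()
```

With this running, a client that only speaks plain HTTP can be given http://www.demo.com/vulpage.asp and --proxy http://127.0.0.1:8080, and the request reaches the site over HTTPS; unlike Fiddler, this script does no certificate inspection of its own beyond what http.client performs by default.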
  2. This article is very informative and cool. Thanks for sharing this beautiful article.
    eMp3World UK proxy
