I manually found an injection point on a CTF VM, located in a POST form. I found it with the following manual payload:
1' OR SLEEP(1)-- t
I would like to use `sqlmap`. I ended up with the following call:
sqlmap -u "http://shop.home/shop/administrator/" --data "username=1&password=2" --level=5 --risk=3 --dbms mysql --technique T -vvv -p "username,password"
- `data` to ensure POST is used, trying to inject on the username and password params.
- Raise `risk` to extend the perimeter
- Focus on MySQL dbms as I’m pretty sure it is (I tried without)
- Focus on time-based techniques as I found one
Among all the tries, I saw this one:
(PAYLOAD) 2' OR SLEEP(5)-- daCv
It’s exactly the one showing injection, and if I try using Burp I get the timed response evidence.
`sqlmap` does not pick it up and it ends up showing nothing found.
I’m aware of similar questions (such as this one) but in my case, I know for sure it is time based injection. I also tried with
I think I got the heuristic `sqlmap` approach overview: I will try with a given value in order to get a “valid” request, then build the vulnerable response profile according to these metrics.
How can I tweak `sqlmap` to find and exploit this particular injection point?
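
A simplified model of the response-time profile described in the post, as an added example that is not part of the original question and is not sqlmap's own code: it builds a baseline from constructed timings and decides whether a reply to a `SLEEP(5)` request counts as delayed. The constants, function names and sample timings are assumptions made for the sketch.

```python
import statistics

# Assumed constants for this sketch; they are not taken from the post.
STDEV_COEFF = 7     # standard deviations above the mean that count as "delayed"
MIN_DELAYED = 0.5   # floor in seconds so a very quiet baseline does not flag noise
MIN_BASELINE = 30   # baseline samples required before the model is trusted

# Constructed response times in seconds for the unmodified request.
STABLE = [0.10, 0.12, 0.11] * 10
JITTERY = [0.1, 0.1, 0.1, 0.1, 4.0] * 6   # every fifth reply stalls


def delay_threshold(baseline):
    """Response time at or above which a reply is treated as delayed."""
    if len(baseline) < MIN_BASELINE:
        raise ValueError("need at least %d baseline samples" % MIN_BASELINE)
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    return max(MIN_DELAYED, mean + STDEV_COEFF * stdev)


def classify(baseline, sleep_seconds, observed):
    """Verdict for one reply to a request carrying SLEEP(sleep_seconds)."""
    if observed >= delay_threshold(baseline):
        return "delayed"
    # The reply took a typical round trip plus the sleep, yet stayed under the
    # threshold: baseline jitter has inflated the threshold past the delay.
    if observed >= statistics.median(baseline) + sleep_seconds:
        return "missed: jitter hides the delay"
    return "not delayed"


if __name__ == "__main__":
    for name, baseline in (("stable", STABLE), ("jittery", JITTERY)):
        print(name, round(delay_threshold(baseline), 2),
              classify(baseline, 5, 5.2))
```

With the stable baseline the 5.2 s reply is far above the threshold; with the jittery one the same reply falls below it, which is how a delay that is obvious by eye can still go unflagged by a statistical test.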