Sqlmap and multipart/form-data forms

Information Security Asked by Brigante on January 8, 2021

I’m working on some security for a website that is built in classic ASP and MS SQL 2000.

I’ve successfully found a couple of flawed forms that allowed SQL injections through the form fields by using Sqlmap with the following commands:

python sqlmap.py -u "URL TO FORM" --forms --level=5 --risk=3 --batch

python sqlmap.py -u "URL TO FORM" --forms --dbs --level=5 --risk=3 --batch

Now I’m trying to check another form that is using the multipart/form-data encoding type.

Sqlmap can’t inject anything into this form, but as it’s using a different encoding type I don’t know whether that is because of the encoding type or because Sqlmap can’t handle this form type.

The form does use concatenated queries, so in my mind it should be insecure, but the Sqlmap results have thrown me a bit.

Does anyone know if I have to use a different command on this kind of form or can Sqlmap not be used here?

Just a quick update. This is the message I get from Sqlmap:

[WARNING] heuristic (basic) test shows that (custom) POST parameter 'MULTIPART #1*' might not be injectable

Then it continues to perform the tests until it starts over with:

[WARNING] heuristic (basic) test shows that (custom) POST parameter 'MULTIPART #2*' might not be injectable

2 Answers

This is a good example of why penetration testers are not supposed to be fully reliant on tools, as they often lead to false negatives. In this case, a possibly vulnerable parameter would be regarded as safe due to the obscurity of the said "encoding" type of the form, which throws off sqlmap.

My recommendation would be to utilize a manual traffic interception proxy such as Burp Suite or Paros in order to better understand the data communicated and then modify it.

Refer to an SQLi cheatsheet for the exact syntax to test against.

Answered by Rohan Durve on January 8, 2021

Why don't you do it manually? It's pretty simple, plus it will give you a better understanding of what sort of filtering is present in the back end and what can be done to bypass it. Right now you are simply relying on a tool to give you results. If you are involved in pen testing the application, beware, there still might be bugs. And if you are doing it for fun, why not learn as well.

Use Burp or Tamper Data, see the request and response, play along with it and you will understand the application better.

Answered by oldnoob on January 8, 2021
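Added example (not from the question, the answers, or sqlmap) illustrating the point both answers make: on the wire, multipart/form-data just wraps each field in a MIME part, and after decoding the application receives the identical string it would have received from an urlencoded form, so the encoding type changes nothing about the concatenated query. Python's email parser and an in-memory sqlite3 table stand in for the classic ASP and MS SQL 2000 backend; the boundary, field names and table rows are constructed sample values.

```python
"""The same form field reaches the application unchanged whether the browser sent
it urlencoded or as multipart/form-data: concatenation stays injectable either way."""
import sqlite3
from email.parser import BytesParser
from email.policy import default
from urllib.parse import urlencode, parse_qs

# Constructed sample boundary; a browser picks a random one per request.
BOUNDARY = "----ConstructedBoundary7MA4YWxkTrZu0gW"

def encode_urlencoded(fields):
    """Body and Content-Type of a classic x-www-form-urlencoded POST."""
    return urlencode(fields).encode(), "application/x-www-form-urlencoded"

def encode_multipart(fields):
    """Body and Content-Type of a multipart/form-data POST (text fields only)."""
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
             for n, v in fields.items()]
    body = "".join(parts) + f"--{BOUNDARY}--\r\n"
    return body.encode(), f"multipart/form-data; boundary={BOUNDARY}"

def decode_form(body, content_type):
    """Decode a request body the way a server-side framework does."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}
    # A multipart body is a MIME entity; each part carries one form field.
    msg = BytesParser(policy=default).parsebytes(
        f"Content-Type: {content_type}\r\n\r\n".encode() + body)
    return {p.get_param("name", header="content-disposition"):
            p.get_payload(decode=True).decode() for p in msg.iter_parts()}

def server_sees(fields):
    """Decoded values for both encodings; both dicts come out identical."""
    return decode_form(*encode_urlencoded(fields)), decode_form(*encode_multipart(fields))

def lookup(username, parameterized):
    """Login lookup on a constructed in-memory table; returns ('ok', rows) or
    ('error', message) so the concatenated and parameterized forms can be compared."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("o'neil",)])
    try:
        if parameterized:  # hardened: the value can never become SQL syntax
            cur = db.execute("SELECT name FROM users WHERE name = ?", (username,))
        else:              # concatenated, like the classic ASP form in the question
            cur = db.execute("SELECT name FROM users WHERE name = '" + username + "'")
        return "ok", len(cur.fetchall())
    except sqlite3.OperationalError as exc:  # the database error a tester looks for
        return "error", str(exc)
```

A value containing a single quote is enough to show the difference: the parameterized lookup finds the legitimate user, while the concatenated one breaks the statement and surfaces a database error, which is the signal manual testing through a proxy reveals even when sqlmap's heuristic reports the multipart parameters as probably not injectable.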
