the404hacking / sqlmap Goto Github PK

What's the problem (or question)?

Does sqlmap have the ability to exploit sqli vulnerabilities using " instead of '?

For example, I know there is a mysql sqli vulnerability at http://natas15.natas.labs.overthewire.org/index.php (this is a pen testing lab/training site specifically for trying to find and exploit vulnerabilities) using:

" union SELECT sleep(1000000), "a

but when I try to use sqlmap to speed up exploitation/exfiltration, sqlmap doesn't see the sqli vuln.

Do you have an idea for a solution?

If sqlmap already does this, then any idea why the tool doesn't spot the sqli at that location when I know it's there. Anyway, if sqlmap isn't trying " in it's injection attempts, possibly make that an option? like --quote-type where default is '

How can we reproduce the issue?

1. Browse to ttp://natas15.natas.labs.overthewire.org/index.php
2. Username is natas15, Password is AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
3. For username here, enter: " or "a" = "a
4. Click "check existence" button
5. Go back
6. For username, now enter: " union SELECT sleep(1000000), "a
7. Clearly exploitable
8. Using Burp or some other tool, grab the request and create a request.txt file
9. Run sqlmap -r request.txt -p username

What are the running context details?

• Installation method
  git clone

• Client OS
  fedora 31

• Program version
  sqlmap --version
  1.4.7.12#dev

• Target DBMS
  mysql

• Detected WAF/IDS/IPS protection
  unknown - but i was able to execute timebased sqli scripted to get what i needed, so i don't think there's a waf blocking

• SQLi techniques found by sqlmap
  none - sqlmap did not identify any sqli vulns

• Results of manual target assessment
  found that the payload username=" or "a"="a works

• Relevant console output (if any):
  none

• Exception traceback (if any):
  none