Collaborate Disseminate
I’m trying to make scans using Sqlmapapi. I have added a new task, and when I call /option/$taskId/list in response, I receive JSON output with options that can be set.
I could not find any information on how can I do it. How to call API t… Continue reading Sqlmapapi configuring task options
I have been using sqlmap for analyzing simple API Post requests which contain simple body parameters inside a json.
For example:
POST //api/Manage/GetUsersList HTTP/1.1
Host: qaapi.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; … Continue reading SQL for JSON parameters which contain arrays
I am new to SQLMAP, I have been practicing with the Altoro Mutual portal which is a vulnerable portal, just enter the code ‘OR 1 = 1 – in one of its forms (Login) and we will obtain administrator access to the portal.
Altoro M. Login
sqlma… Continue reading Sqlmap, All tested parameters do not appear to be injectable
I manually found an injection point, on CTF VM, located on POST form. I found it with the following manual payload :
1′ OR SLEEP(1)– t
I would like to use sqlmap. I ended with following call :
sqlmap -u "http://shop.home/shop/admini… Continue reading Sqlmap won’t pick up injection point. Tweak?
Long story short, I scanned a website and found an sql injection bug. (Did it several times and that was the only thing I could find).
So I used sqlmap to retrieve databases, tables, and columns. This website is using Oracle database. (Ora… Continue reading Stuck with salted hashes and can’t go any further (via SQLMAP and Sql Injection) [closed]
How would you delete a database, create a database, etc. in the sql shell of sqlmap?
I’m attacking an application that reads in application/msbin1 (binary) requests of a form like
@\x17GetConfigurationSetting\x08\x1ehttp://tempuri.org/@\x04name\x99\x0einjection_site\x01
(where \x.. is a single byte character, generally in… Continue reading Sqlmap request and binary payload tampering
I recently discovered an time-based blind SQL injection attack on one of the websites. I was able to dump the data with 100 threads (By default, SQLmap doesn’t allow more than 10 but, I modified the source code) running in parallel at a ra… Continue reading SQLMap – Invalid character detected. retrying
I am training for OSCP and starting by attacking some machines on the Hack the Box (HTB) platform https://app.hackthebox.eu/
I am trying to attack a box called Vaccine, which is vulnerable to SQL injection.
I have verified the box is runni… Continue reading Hack the Box (Vaccine) – Without using sqlmap
I have a scenario where I’m testing for injection points but the authentication form has a challenge token that refreshes with each GET. The credentials are sent in a POST accompanied by that challenge token received in the previous GET to… Continue reading Multi stage/request SQLmap with challenge