Sqlmap: POST Request just sends a single parameter

Created on 10 Aug 2017  Â·  7Comments  Â·  Source: sqlmapproject/sqlmap

Hey over there,

I'm unsure if I am just blind at the moment or if I didn't understand an important part somewhere, but the scenario is that I'm pretty sure I found a 0day (SQLi) in a WordPress plugin. Just wanted to test it with sqlmap before reporting it to the developer.

What's the problem (or question)?

I'm sending a POST Request to the admin-ajax.php file of WordPress with two parameters necessary for WP in order to parse a shortcode and the WordPress cookie.
Scan is finished an sqlmap says it's probably not possible to inject SQL in the parameter I was testing. It was somewhat surprising, especially after taking a look into the logs of my local webserver, where I was testing the WordPress plugin. So I added the -v parameter with a value of 6 to see what's going on there.
Well, when actually starting to test the parameter, sqlmap just sends that particular parameter, not the other one. That's why WordPress is just responding with 0. Is this expected behaviour? Shouldn't it send both parameters even though it is just scanning one parameter at a time?

How can we reproduce the issue? / Running context details

python[.exe] sqlmap.py -u "http://wordpress.app/wp-admin/admin-ajax.php" --cookie "[...]" --data="action=parse-media-shortcode&shortcode=[[...] id=\"2\"]" -p shortcode -v 6
First [...] is my cookie and second [...] would contain the actual WordPress shortcode name.

After firing the command, sqlmap perfectly understands what's going on:
It appears that provided value for POST parameter 'shortcode' has boundaries. Do you want to inject inside? ('[[...] id="2*"]') [y/N]. I want to inject SQL at that exact point.
It also works fine, when sqlmap is testing the connection:
http://fs5.directupload.net/images/170810/hxjbbvva.png
Both parameters are there. After that (when the actual tests begin), sqlmap just sends one parameter:
shortcode=%5B[...]%20id=%222.%22%2C.%29%2C%27%2C.%28%22%5D. This is the reason why WordPress responds with 0, the admin-ajax.php needs the other parameter (action=parse-media-shortcode) to understand what it should do. No wonder it said, that it can't be injected.

Am I missing a sqlmap parameter in the wiki or what am I doing wrong?

Sorry, if this was a dumb question, I never experienced this problem before and googling didn't help.
Thanks in advance!

bug miscellaneous normal

Most helpful comment

Fixed

All 7 comments

I had an issue similar to this once, just didn't have time to create an issue

0day .
you are happy..

Fixed

@wenre it wasn't that hard to find and it's not that special.

@stamparm thanks a lot for your fast reaction!
When I'm testing on the second parameter, it now prefixes the query with the second parameter.

The first data in the test now looks like this:
shortcode=action=parse-media-shortcode&shortcode=%5B[...]%20id=%222%29.%27.%22%29.%28%2C%2C%22%5D.
Should be something like this:
action=parse-media-shortcode&shortcode=%5B[...]%20id=%222%29.%27.%22%29.%28%2C%2C%22%5D.

Will fix later today

On Aug 11, 2017 13:46, "Paul" notifications@github.com wrote:

@wenre https://github.com/wenre it wasn't that hard to find and it's
not that special.

@stamparm https://github.com/stamparm thanks a lot for your fast
reaction!
When I'm testing on the second parameter, it now prefixes the query with
the second parameter.

The first data in the test now looks like this:
shortcode=action=parse-media-shortcode&shortcode=%5B[...]%
20id=%222%29.%27.%22%29.%28%2C%2C%22%5D.
Should be something like this:
action=parse-media-shortcode&shortcode=%5B[...]%20id=%222%
29.%27.%22%29.%28%2C%2C%22%5D.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/sqlmapproject/sqlmap/issues/2654#issuecomment-321791451,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AA4P0xiVze1kJ3-7Ug9FXWee3ARrZvOBks5sXD70gaJpZM4Oz3e4
.

@pajoda sorry for waiting. Been on vacation. It should be fixed now with the latest revision.

@stamparm no problem at all. You're doing a great job here!

Was this page helpful?
0 / 5 - 0 ratings