Perform a Scan on a POST Request with sqlmap

Introduction

SQL injection is a critical web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. While many examples focus on vulnerabilities in URL parameters (GET requests), forms that submit data via POST requests are also common targets.

In this lab, you will learn how to use sqlmap, a powerful open-source penetration testing tool, to automate the process of detecting and exploiting SQL injection flaws. Specifically, you will focus on targeting a web form that uses the POST method to submit data. You will learn how to capture the POST data and provide it to sqlmap to perform a comprehensive scan.

Identify a Web Form Using the POST Method

In this step, you will start a simple web server and identify a web form that uses the HTTP POST method. POST requests are designed to send data to a server to create or update a resource, which makes them a common method for submitting login forms, comments, or any other user-generated content.

First, let's verify that our sample web application is running. We can use curl to fetch the main page.

Execute the following command in your terminal:

curl http://localhost:8000

You should see the HTML source code of a simple login page. Look for the <form> tag within the output.

<!DOCTYPE html>
<html>
  <head>
    <title>Login Page</title>
  </head>
  <body>
    <h2>Login Form</h2>
    <form action="login.php" method="POST">
      <label for="username">Username:</label><br />
      <input type="text" id="username" name="username" /><br />
      <label for="password">Password:</label><br />
      <input type="password" id="password" name="password" /><br /><br />
      <input type="submit" value="Login" />
    </form>
  </body>
</html>

Notice the attribute method="POST" inside the <form> tag. This tells the browser to send the form data using a POST request to the login.php script. Identifying this is the first step in preparing our sqlmap scan. You can also open the Firefox browser from the desktop and navigate to http://localhost:8000 to view the form visually.

Capture the POST Data String Using Browser Developer Tools

In this step, you will learn how to capture the data string sent by a POST request. sqlmap needs this data to know what parameters to test for SQL injection. The easiest way to get this information is by using your browser's built-in developer tools.

1. Open the Firefox browser from the left-hand application dock in your LabEx environment.
2. Navigate to http://localhost:8000.
3. Press F12 or right-click on the page and select "Inspect" to open the Developer Tools.
4. Click on the Network tab in the Developer Tools panel.
5. On the login page, enter some dummy data into the form fields. For example, use test for the username and test for the password.
6. Click the Login button.
7. In the Network tab, you will see a new entry for login.php. Click on it.
8. A new panel will open. Look for a tab named Request or Payload. Here, you will find the form data that was sent to the server. It will look like this:

username=test&password=test

This string, username=test&password=test, is exactly what we need for sqlmap. It contains the parameter names (username, password) and the values you submitted.

For the next step, let's save this data string into a file in your ~/project directory. This is not strictly necessary for using sqlmap but is good practice for keeping track of your findings.

echo 'username=test&password=test' > ~/project/post_data.txt

Use the --data Flag to Specify POST Parameters

In this step, you will construct a basic sqlmap command using the --data flag. This flag is essential for telling sqlmap to send a POST request and what data to include in the request body.

The basic syntax for a POST scan in sqlmap is:

sqlmap -u "TARGET_URL" --data="POST_DATA_STRING"

• -u "TARGET_URL": Specifies the URL that processes the form data. In our case, this is http://localhost:8000/login.php.
• --data="POST_DATA_STRING": Provides the data string you captured in the previous step.

Let's run a command to see how sqlmap processes this information. We will use the data string we found earlier. This command will not perform a full scan yet; it will just help us confirm that sqlmap correctly identifies the POST parameters.

Execute the following command in your terminal:

sqlmap -u "http://localhost:8000/login.php" --data="username=test&password=test"

sqlmap will start and show you some initial information. It will correctly identify that the request is a POST request and will find the parameters username and password. It will then ask you if you want to test them.

[INFO] POST parameter 'username' is dynamic
[INFO] POST parameter 'password' is dynamic
[WARNING] POST parameter 'password' looks like a password field. Do you want to mask its value in further requests? [Y/n] n
[INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 5 HTTP(s) requests:
---
Parameter: username (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (subquery)
    Payload: username=-1695' OR 1 GROUP BY CONCAT(0x71787a7a71,(SELECT (CASE WHEN (1695=1695) THEN 1 ELSE 0 END)),0x7170766b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&password=test

Parameter: password (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=test&password=test' AND 2195=2195 AND 'zxcv'='zxcv
---
[INFO] the back-end DBMS is MySQL
web server operating system: Linux
web application technology: PHP 8.1.2
back-end DBMS: MySQL >= 5.0
[INFO] fetched data logged to text files under '/home/labex/.sqlmap/output/localhost:8000'

[*] ending @ ...

You can press n when asked about masking the password and then sqlmap will proceed. For this step, you can let it run or press Ctrl+C to exit after you see it identify the parameters. The key takeaway is understanding how the --data flag works.

Execute the Scan on the Target URL with POST Data

In this step, you will execute a full scan on the target. To make the process smoother and non-interactive, we will add a few more flags to our sqlmap command.

• -p "username": This flag tells sqlmap to focus its testing efforts only on the username parameter. This can save a lot of time if you suspect a specific parameter is vulnerable.
• --batch: This flag automates the process by telling sqlmap to use the default answer for all interactive questions it would normally ask. This is very useful for running unattended scans.

Now, let's combine everything into the final command. We are targeting the login.php URL, providing the POST data, specifying the username parameter for testing, and running it in batch mode.

Execute the following command in your terminal:

sqlmap -u "http://localhost:8000/login.php" --data="username=test&password=test" -p "username" --batch

sqlmap will now begin a comprehensive scan of the username parameter. Because our vulnerable script uses a sleep() function to simulate a database delay, sqlmap will likely use time-based blind injection techniques. This type of scan can take a few minutes, as sqlmap needs to send multiple requests and measure the response time for each to confirm the vulnerability.

You will see output similar to this as it runs:

...
[INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
...

Let the scan complete. It will confirm that the username parameter is vulnerable.

Analyze the Results for a POST-based SQL Injection

In this step, you will analyze the output from sqlmap to understand the vulnerability it discovered. After the scan from the previous step completes, sqlmap will present a summary of its findings.

The final output will look something like this:

---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=test' AND (SELECT 6113 FROM (SELECT(SLEEP(5)))bYjb) AND 'TEST'='TEST&password=test
---
[INFO] the back-end DBMS is 'MySQL >= 5.0.12'
web server operating system: Linux
web application technology: PHP 8.1.2
back-end DBMS: MySQL >= 5.0
[INFO] fetched data logged to text files under '/home/labex/.sqlmap/output/localhost:8000'

Let's break down this result:

• Parameter: username (POST): This confirms the vulnerability was found in the username parameter of a POST request.
• Type: time-based blind: This is the type of SQL injection. "Blind" means the application does not return database errors in its responses. "Time-based" means sqlmap confirmed the vulnerability by injecting commands that cause a time delay (e.g., SLEEP(5)) and measuring the server's response time.
• Payload: This shows the actual malicious input that sqlmap used to confirm the vulnerability.

sqlmap also saves all session information, including logs and results, to a directory. The location is mentioned in the output, typically ~/.sqlmap/output/. You can inspect this directory to find detailed logs of the scan.

Let's list the contents of the results directory for our target:

ls -l ~/.sqlmap/output/localhost:8000

You will see files like log and session.sqlite. The log file contains a complete record of the scan, which is useful for detailed analysis and reporting.

total 24
-rw-r--r-- 1 labex labex 15589 Dec  6 15:30 log
-rw-r--r-- 1 labex labex  8192 Dec  6 15:30 session.sqlite
-rw-r--r-- 1 labex labex     0 Dec  6 15:29 target.txt

You have now successfully identified and confirmed a POST-based SQL injection vulnerability using sqlmap.

Summary

In this lab, you learned how to use sqlmap to test for SQL injection vulnerabilities in web forms that use the POST method. You successfully identified a POST form, captured the necessary data string using browser developer tools, and used the --data flag in sqlmap to specify the POST parameters. Finally, you executed a scan using the --batch and -p flags for automation and analyzed the results, confirming a time-based blind SQL injection vulnerability. This process is a fundamental skill for web application security testing.