How to test POST parameters for SQL injection?

Harris

29 Nov, 2012 11:43 AM

I know there is a specific SQL injection on a POST parameter and I wanted to test Arachni to see if it can find the injection. However, I can't find a way to test POST HTTP parameters on a specific URL. I have used a vectorfeed (YAML file) which looks like:

    type: form
    method: post
    action: https://website.com/postscript.php
    inputs:
        post_this: "parameter1=49851&parameter2=1234"

Then I execute the following CLI command:

    ./arachni --plugin=vector_feed:yaml_file='test.yml' --link-count=0 --cookie-string='xxxxxxxxxxxx' --modules=sql* https://website.com/postscript.php

Any ideas how to test POST parameters?

Thanks

  1. 1 Posted by Harris on 29 Nov, 2012 11:48 AM

    Oops, sorry for the bad formatting of the original post.

    Harris

  2. Support Staff 2 Posted by Tasos Laskos on 29 Nov, 2012 12:01 PM

    You misunderstood the example, your file should look like this:

    type: form
    method: post
    action: https://website.com/postscript.php
    inputs:
        parameter1: 49851
        parameter2: 1234
    

    Give this a try and let me know.

  3. 3 Posted by Harris on 29 Nov, 2012 12:33 PM

    Tasos,

    Thanks for the quick reply. The YAML file is parsed successfully now but the injection is not discovered unfortunately.

    I have tested with sqlmap which can find an "error-based - Parameter replace" MySQL injection on the first parameter. The tool then extracts all data from the database.

    In any case, Arachni looks like a very promising tool which I will be using in my ethical testing together with other tools.

    Any ideas on how to improve detection success?

    Thanks

  4. Support Staff 4 Posted by Tasos Laskos on 29 Nov, 2012 12:41 PM

    I'd be very surprised if this is caused by a detection failure, it's most likely a configuration error.
    Could you tell me the URL you're testing in order to reproduce this issue?
    (You can send it via e-mail if you prefer.)

  5. 5 Posted by Harris on 29 Nov, 2012 12:54 PM

    Well, this is an internal web application and I'm doing an authenticated test (I'm logged inside the application), so it's kind of difficult to give you any URLs.

  6. Support Staff 6 Posted by Tasos Laskos on 29 Nov, 2012 12:56 PM

    Hm ok then, try using the --debug flag to see what's being injected where to make sure that the input you want gets audited.
    Better yet, upload that output here so I can have a look too.

  7. Support Staff 7 Posted by Tasos Laskos on 01 Jun, 2013 10:07 PM

    Hey man, have you made any progress on this?

  8. Support Staff 8 Posted by Tasos Laskos on 19 Jul, 2013 07:39 PM

    Closing this since I can't reproduce and I'm lacking the necessary feedback in order to troubleshoot.

  9. Tasos Laskos closed this discussion on 19 Jul, 2013 07:39 PM.
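
Added example (not part of the thread and not Arachni's own code): a Ruby helper that turns a raw POST body into the per-parameter `inputs` layout shown in reply 2, and flags a vector whose input still holds a packed `a=1&b=2` string as in the original post. The names `form_vector`, `packed_inputs` and `PACKED_BODY` are hypothetical.

```ruby
require 'uri'
require 'yaml'

# Matches a value that is itself a urlencoded body such as "a=1&b=2",
# which is the mistake in the original post's `post_this` input.
# At least one "&" is required so a lone "abc=" value is not flagged.
PACKED_BODY = /\A[^=&]+=[^&]*(?:&[^=&]+=[^&]*)+\z/

# Build one form vector with a separate `inputs` key per POST parameter.
# Values are URL-decoded and kept as strings so YAML does not retype them.
def form_vector(action, raw_body)
  inputs = {}
  URI.decode_www_form(raw_body).each do |name, value|
    # A flat mapping cannot hold a name twice; fail instead of dropping one.
    raise ArgumentError, "duplicate parameter: #{name}" if inputs.key?(name)
    inputs[name] = value
  end
  raise ArgumentError, 'no parameters in body' if inputs.empty?
  { 'type' => 'form', 'method' => 'post', 'action' => action, 'inputs' => inputs }
end

# Return the names of inputs whose value still looks like a packed body,
# meaning the individual parameters are not listed as separate inputs.
def packed_inputs(vector)
  (vector['inputs'] || {}).select { |_, v| v.to_s.match?(PACKED_BODY) }.keys
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the URL and parameters quoted in the thread.
  vector = form_vector('https://website.com/postscript.php',
                       'parameter1=49851&parameter2=1234')
  puts vector.to_yaml
  warn "packed inputs: #{packed_inputs(vector)}" unless packed_inputs(vector).empty?
end
```

Running `packed_inputs` over a parsed vector file before a scan gives a quick check that each POST parameter is listed as its own input.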
