Home → Questions →

How to test POST parameters for SQL injection?

• Edit

Harris

29 Nov, 2012 11:43 AM

I know there is a specific sql injection on a POST parameter and I wanted to test arachni to see if it can find the injection. However, I can't find a way to test POST http parameters on a specific URL. I have used a vectorfeed (YAML file) which looks like:

=================================== type: form
method: post
action: https://website.com/postscript.php
inputs:

post_this: "parameter1=49851&parameter2=1234"

Then I execute the following CLI command:

==========================================

./arachni --plugin=vector_feed:yaml_file='test.yml' --link-count=0 --cookie-string='xxxxxxxxxxxx' --modules=sql* https://website.com/postscript.php

Any ideas how to test POST parameters ?

Thanks

1. 1 Posted by Harris on 29 Nov, 2012 11:48 AM

   

   oops sorry for the bad formatting of the original post.

   Harris

   • Edit

2. Support Staff 2 Posted by Tasos Laskos on 29 Nov, 2012 12:01 PM

   

   You misunderstood the example, your file should look like this:

   type: form
   method: post
   action: https://website.com/postscript.php
   inputs:
       parameter1: 49851
       parameter2: 1234
   

   Give this a try and let me know.

   • Edit

3. 3 Posted by Harris on 29 Nov, 2012 12:33 PM

   

   Tasos,

   Thanks for the quick reply. The YAML file is parsed successfully now but the injection is not discovered unfortunately.

   I have tested with sqlmap which can find an
   "error-based - Parameter replace" MYSQL injection on the first parameter. The tool then extracts all data from the database.

   In any case, arachni looks like a very promising tools which I will be using in my ethical testing together with other tools.

   Any ideas on how to improve detection success?

   Thanks

   • Edit

4. Support Staff 4 Posted by Tasos Laskos on 29 Nov, 2012 12:41 PM

   

   I'd be very surprised is this is caused by a detection failure, it's most likely a configuration error.
   Could you tell me the URL you're testing in order to reproduce this issue?
   (You can send it via e-mail if you prefer.)

   • Edit

5. 5 Posted by Harris on 29 Nov, 2012 12:54 PM

   

   Well this is an internal web application and I'm doing authenticated test (I'm logged inside the application) so its kind of difficult to give you any URLs.

   • Edit

6. Support Staff 6 Posted by Tasos Laskos on 29 Nov, 2012 12:56 PM

   

   Hm ok then, try using the --debug flag to see what's being injected where to make sure that the input you want gets audited.
   Better yet, upload that output here so I can have a look too.

   • Edit

7. Support Staff 7 Posted by Tasos Laskos on 01 Jun, 2013 10:07 PM

   

   Hey man, have you made any progress on this?

   • Edit

8. Support Staff 8 Posted by Tasos Laskos on 19 Jul, 2013 07:39 PM

   

   Closing this since I can't reproduce and I'm lacking the necessary feedback in order to troubleshoot.

   • Edit

9. Tasos Laskos closed this discussion on 19 Jul, 2013 07:39 PM.