Sqlmap post data

Jorj picture Jorj · May 13, 2016 · Viewed 16.6k times · Source

I was trying to run sqlmap with method POST but I got this error:

[CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')

Now, I know that for POST method I must run sqlmap with data flag (e.g --data="name=value")
but my form input data has no name and data is send as a string.

How can I use sqlmap in this situation?

Answer

Mukarram Khalid picture Mukarram Khalid · May 13, 2016

You can use asterisks * to specify your injection point. Try this:

python sqlmap.py -u "http://www.example.com/index.php?id=1" --data="POST_STRING_HERE*" --dbs

Note the * in the data string. SQL map will ask if you want to process the wild cards, enter Y there. It will ignore all the parameters and inject the payloads in place of *.

From the docs:

Append an asterisk, *, to the place where sqlmap should check for injections in URI itself. For example, ./sqlmap.py -u "http://target.tld/id1/1*/id2/2", sqlmap will inject its payloads at that place marked with * character. This feature also applies to POST data. Multiple injection points are supported and will be assessed sequentially.