Specify parameters with SQLMAP

DriverBoy picture DriverBoy · Mar 27, 2013 · Viewed 61.4k times · Source

I'm a student learning php & mysql development. i have setup a private lab ( VM ) inside my computer to test & learn how sql injection works. When things get harder i use sqlmap to exploit and later on study the requests it made to my test app using verbose mode & by capturing packets via wireshark. I came across a small problem and that's to specify the parameter in a URL to sqlmap to test.

http://localhost/vuln/test.php?feature=music&song=1

i want sqlmap to scan the parameter song so i tried these solutions

-u http://localhost/vuln/test.php?feature=music&song=1 --skip feature
-u http://localhost/vuln/test.php? --data="feature=music&song=1" -p song

Tried different variations by adding and removing quotes and equal signs , non worked. I even tried setting the --risk to --level to its maximum but it still fails to pick up the last parameter.

I will be very thankful if an expert can help me out with this. Thank you.

Answer

Muhammad Fahim Mandvia picture Muhammad Fahim Mandvia · Apr 28, 2013

the p option can be used in the following way

-u "http://localhost/vuln/test.php?feature=music&song=1" -p song