Sql Map - Custom Injection point

[jeromesheerin]

Hi There

During testing using the "" as the custom injection point for my JSON data, I noticed that my cookie had the "" included and it was valid the the active session. However it seems that sqlmap removes all occurrences of the "*" symbol from the POST request, and now my cookie is no longer valid.

To Reproduce
Example of the request. As you can see the cookie has the "*" more than one, and sql map removes it

PUT /rest/ui/workspace HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost
X-Requested-With: XMLHttpRequest
Content-Type: application/json; charset=utf-8
Application: alarmsearch
Content-Length: 303
Connection: close
Cookie: Prore=S2~AQIC5wM2LY4Sfczs8Mx-dAGvcQEjDwLzoqjQlExHaZ-6QHEAAJTSQACMDIAAlNLABM1MDk3Mjk4NTk4MjY4OTQzODGHY0AAJTMQACMDM*

{"id":"workspace_1565073686024","value":"{"search":true,"nodesImported":80,"id":"workspace_1565073686024","groupName":"alarmsearch:administrator_importedNodes_1565073706867;alarmsearch:administrator_selectedNodes_1565073706867","date":1566309623332,"%workspaceName%":"ttttteeessstttt*"}"}

Command Run:
./sqlmap.py -r /home/rename-workspace --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" -vv --proxy http://localhost:8080

Variable to be replaced using injection point is
ttttteeessstttt*

Expected behavior
The cookie should remain intacted.

Screenshots
If applicable, add screenshots to help explain your problem.

Running environment:

• sqlmap version [{1.3.7.9#dev}

[687766616e]

̶%̶i̶n̶j̶e̶c̶t̶ ̶h̶e̶r̶e̶%̶

[687766616e]

̷h̷t̷t̷p̷s̷:̷/̷/̷g̷i̷t̷h̷u̷b̷.̷c̷o̷m̷/̷s̷q̷l̷m̷a̷p̷p̷r̷o̷j̷e̷c̷t̷/̷s̷q̷l̷m̷a̷p̷/̷w̷i̷k̷i̷/̷U̷s̷a̷g̷e̷#̷u̷r̷i̷-̷i̷n̷j̷e̷c̷t̷i̷o̷n̷-̷p̷o̷i̷n̷t̷
̷h̷t̷t̷p̷s̷:̷/̷/̷g̷i̷t̷h̷u̷b̷.̷c̷o̷m̷/̷s̷q̷l̷m̷a̷p̷p̷r̷o̷j̷e̷c̷t̷/̷s̷q̷l̷m̷a̷p̷/̷w̷i̷k̷i̷/̷U̷s̷a̷g̷e̷#̷a̷r̷b̷i̷t̷r̷a̷r̷y̷-̷i̷n̷j̷e̷c̷t̷i̷o̷n̷-̷p̷o̷i̷n̷t̷

[jeromesheerin]

Hi

I have tried that. Please see this output:
There is also a problem with this comment box as it wont allow me to use the astrix symbol when pasting code. Its removing it when I click "Update Comment". I had to type the word astrix below

./sqlmap.py -r rename --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" -vvv --proxy http://localhost:8080
___
H
___ ["]__ ___ ___ {1.3.8.15#dev}
|_ -| . [)] | .'| . |
|| ["]|||__,| |
||V... || http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:28:45 /2019-08-20/

[16:28:45] [INFO] parsing HTTP request from 'rename-workspace'
[16:28:45] [DEBUG] not a valid WebScarab log data
[16:28:45] [DEBUG] cleaning up configuration parameters
[16:28:45] [DEBUG] setting the HTTP timeout
[16:28:45] [DEBUG] setting extra HTTP headers
[16:28:45] [DEBUG] setting the HTTP User-Agent header
[16:28:45] [DEBUG] setting the HTTP/SOCKS proxy for all HTTP requests
[16:28:45] [DEBUG] creating HTTP requests opener object
JSON data found in PUT data. Do you want to process it? [Y/n/q] y
[16:28:48] [INFO] testing connection to the target URL
[16:28:48] [TRAFFIC OUT] HTTP request [#1]:
PUT /rest/ui/settings/alarmsearch/workspace HTTP/1.1
Accept-language: en-US,en;q=0.5
Accept-encoding: gzip, deflate
Content-type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Accept: /
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Host: internal-server.company
Referer: https://localhost
Cookie: ssocookie=ssocookie-2; amlbcookie=03; iPlanetDirectoryPro=S2~AQIC5wM2LY4Sfczs8Mx-dAGvcQEjDwLzoqjQlExHaZ-*6QHE.AAJTSQACMDIAAlNLABM1MDk3Mjk4NTk4MjY4OTQzODY0AAJTMQACMDM
X-Tor-Application: alarmsearch
Content-length: 305
Connection: close

{"id":"workspace_1565073686024","value":"{"search":true,"nodesImported":80,"id":"workspace_1565073686024","groupName":"alarmsearch:administrator_importedNodes_1565073706867;alarmsearch:administrator_selectedNodes_1565073706867","date":1566309623332,"workspaceName":"%ttttteeessstttt%"}"}

The contents of the rename file was:

PUT /rest/ui/settings/alarmsearch/workspace HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost
X-Requested-With: XMLHttpRequest
Content-Type: application/json; charset=utf-8
X-Tor-Application: alarmsearch
Content-Length: 303
Connection: close
Cookie: ssocookie=ssocookie-2; amlbcookie=03; iPlanetDirectoryPro=S2~AQIC5wM2LY4Sfczs8Mx-dAGvcQEjDwLzoqjQlExHaZ-6QHE*AAJTSQACMDIAAlNLABM1MDk3Mjk4NTk4MjY4OTQzODY0AAJTMQACMDM.ASTRIX

{"id":"workspace_1565073686024","value":"{"search":true,"nodesImported":80,"id":"workspace_1565073686024","groupName":"alarmsearch:administrator_importedNodes_1565073706867;alarmsearch:administrator_selectedNodes_1565073706867","date":1566309623332,"workspaceName":"%ttttteeessstttt%"}"}

[stamparm]

1. sqlmap will actually test both POST and cookie because of that same asterisk marker
2. To remove the confusion and "help" sqlmap, please do something like this:

$ cat req.txt 
POST / HTTP/1.1
Host: localhost
Cookie: id=1*

{"id": "1", "name": "foobar%inject here%"}

$ python sqlmap.py -r req.txt --batch -v 6 | grep -A 6 'Cookie: id'
Cookie: id=1*
Host: localhost
Content-type: application/json
Content-length: 29
Connection: close

{"id": "1", "name": "foobar"}
--
Cookie: id=1*; PHPSESSID=8417sg2tkdulaql29bg3hjkm22
Host: localhost
Content-type: application/json
Content-length: 29
Connection: close

{"id": "1", "name": "foobar"}
--
Cookie: id=1*; PHPSESSID=8417sg2tkdulaql29bg3hjkm22
Host: localhost
Content-type: application/json
Content-length: 27
Connection: close

{"id": "1", "name": "5925"}
--
Cookie: id=1*; PHPSESSID=8417sg2tkdulaql29bg3hjkm22
Host: localhost
Content-type: application/json
Content-length: 40
Connection: close

{"id": "1", "name": "foobar,(\"'))),)."}
--
Cookie: id=1*; PHPSESSID=8417sg2tkdulaql29bg3hjkm22
Host: localhost
Content-type: application/json
Content-length: 47
Connection: close

{"id": "1", "name": "foobar'eBmYkO<'\">iSlbBb"}
--
....

[jeromesheerin]

Hi

Thanks for the reply. I ended up using a proxy (Burp) to modify the request header to replace the broken cookie, with the valid cookie. There is an option to modify the request header, after sqlmap has modified it incorrectly. works like a charm. I do think sqlmap needs an improvement so that * does not automatically trigger an injection marker.