How to configure SQLMap to attack a JSON parameter?



  • As part of a box I'm doing, I can successfully pass the basic SQL query 'or'1'='1 with no errors:

    {"search":"'or'1'='1"}
    

    Output:

    HTTP/1.0 200 OK
    

    Trying to error the query

    {"search":"'"}
    

    Output: (successful)

    HTTP/1.0 500 INTERNAL SERVER ERROR
    

    Using SQLMap with --risk=3 --level=5 won't do, as the server immediately blocks a large number of requests in a short amount of time.



  • Any luck with --delay?

        --delay=DELAY       Delay in seconds between each HTTP request
    

    Note that something else might also cause a 500 error code.
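
The 200 and 500 responses reported in the question, reproduced locally with a string-concatenating handler next to a parameterized one, to show what the server-side fix changes. This is an added example, not code from the thread or from the target box; the SQLite backend, the `items` table and the handler names are assumptions, since the thread does not show the server side.

```python
import json
import sqlite3

# The two request bodies quoted in the question.
TAUTOLOGY = json.dumps({"search": "'or'1'='1"})
LONE_QUOTE = json.dumps({"search": "'"})


def make_db():
    """In-memory database with constructed sample rows (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT)")
    db.executemany("INSERT INTO items VALUES (?)",
                   [("apple",), ("pear",), ("plum",)])
    return db


def search_concat(db, body):
    """Hypothetical vulnerable handler: the JSON value is spliced into SQL text."""
    term = json.loads(body)["search"]
    sql = "SELECT name FROM items WHERE name = '" + term + "'"
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.Error:
        # A lone quote leaves the string literal unterminated -> server error.
        return 500, []


def search_bound(db, body):
    """Hardened handler: the value is bound as data and never parsed as SQL."""
    term = json.loads(body)["search"]
    if not isinstance(term, str):
        return 400, []  # JSON allows objects/arrays/numbers; reject them early
    rows = db.execute("SELECT name FROM items WHERE name = ?", (term,)).fetchall()
    return 200, rows


if __name__ == "__main__":
    db = make_db()
    for label, body in (("tautology", TAUTOLOGY), ("lone quote", LONE_QUOTE)):
        print(label, "concat:", search_concat(db, body),
              "bound:", search_bound(db, body))
```

With the bound query both bodies return 200 and no rows, so the status code no longer depends on whether the input contains a quote.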


