
sqlmap automatically inserts double quotes if custom injection marker is followed by other characters #5147

@thanosgn

Description

Describe the bug
When using a custom request file, sqlmap automatically adds double quotes (") around certain payloads if a custom injection marker (*) is inside double quotes and other characters are following it, regardless of any tampers.

Specifically, the request body that I use consists of a JSON object with one key. The value is the custom injection marker (*) followed by any character (alphanumerical, space, special, etc.). sqlmap surrounds certain payloads with double quotes. If a tamper script is used (e.g. escapequotes.py), it is applied to the payload, and the extra double quotes are added outside the payload.

To Reproduce

  1. Create a custom request file and set the contents to this:

     POST / HTTP/2
     Host: https://google.com
     Content-Type: application/json

     {
         "key": "*a"
     }

  2. Run python sqlmap.py -r request.txt -v 4 (replacing request.txt with whatever you named your file).
  3. Read the outgoing HTTP requests. Some requests will have an extra set of double quotes around their payloads.

Expected behavior
An example of expected execution would be the following:

python sqlmap.py -r request.txt --batch -v4 | grep key 
    "key": "a"
...
    "key": ".(.,\".,..'a"

While I get the following:

python sqlmap.py -r request.txt --batch -v4 | grep key 
    "key": "a"
...
    "key": "".(.,\".,..'"a"

Notice the surrounding " "

Indeed, the captured HTTP POST request has an extra pair of double quotes, as can be seen below:

POST / HTTP/2
Host: google.com
Accept-Encoding: gzip, deflate
Content-Length: 31
Content-Type: application/json
Referer: https://google.com:443/
Connection: close

{
    "key": "".(.,\".,..'"a"
}

Notice that if the character a (or any other) is removed from request.txt sqlmap does not add the extra double quotes.

E.g. a request file like this works as expected:

POST / HTTP/2
Host: https://google.com
Content-Type: application/json

{
    "key": "*"
}

Running environment:

  • sqlmap version 1.6.7.1#dev and 1.6.7#stable
  • Installation method git and homebrew
  • Operating system: macOS
  • Python version 3.8.9

Target details:
Target details are not relevant to this bug and therefore will not be provided.
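The report relies on reading sqlmap's `-v 4` output; what matters in practice is the body that actually reaches the target. The following script is an added example, written for this page and not part of the issue or of sqlmap: it starts a throwaway HTTP listener on 127.0.0.1 that records raw POST bodies, and `classify_body()` flags the symptom described above (the payload wrapped in its own pair of double quotes inside the JSON string value, followed by the literal text after the marker). The two sample bodies are constructed from the expected and observed output quoted in the report; the function names, the `key`/`suffix` parameters and the listener port are assumptions of this example, not sqlmap options.

```python
"""Local capture harness for checking what sqlmap really puts on the wire.

Added example (not part of the issue or of sqlmap): a throwaway listener
records raw POST bodies and classify_body() flags a payload wrapped in an
extra pair of double quotes inside the JSON value.
"""
import json
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed samples, copied from the expected and observed bodies in the report.
EXPECTED_BODY = '{\n    "key": ".(.,\\".,..\'a"\n}'
BUGGY_BODY = '{\n    "key": "".(.,\\".,..\'"a"\n}'


def classify_body(body, key="key", suffix="a"):
    """Return "valid", "extra_quotes" or "invalid" for one captured JSON body.

    key/suffix are the JSON key and the literal text that follows the "*"
    marker in the request file (the "a" in the report). Assumed names.
    """
    try:
        json.loads(body)
        return "valid"  # payload landed inside the string value as expected
    except json.JSONDecodeError:
        pass
    # Pull out whatever sits between the outer quotes of the value.
    m = re.search(r'"%s"\s*:\s*"(.*)"\s*}?\s*$' % re.escape(key), body, re.DOTALL)
    if m and m.group(1).startswith('"') and m.group(1).endswith('"' + suffix):
        return "extra_quotes"  # payload wrapped in its own quotes, then the suffix
    return "invalid"  # broken JSON for some other reason (e.g. an unescaped quote)


class _CaptureHandler(BaseHTTPRequestHandler):
    """Store every POST body on the server object and answer 200."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.server.bodies.append(self.rfile.read(length).decode("utf-8", "replace"))
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep stdout quiet
        pass


def start_capture_server(port=0):
    """Start the listener on 127.0.0.1 in a background thread; port 0 = any free port."""
    server = HTTPServer(("127.0.0.1", port), _CaptureHandler)
    server.bodies = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Post both sample bodies to the listener and classify what it captured."""
    server = start_capture_server()
    url = "http://127.0.0.1:%d/" % server.server_address[1]
    for body in (EXPECTED_BODY, BUGGY_BODY):
        req = urllib.request.Request(url, data=body.encode(), method="POST",
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req):
            pass
    server.shutdown()
    server.server_close()
    return [classify_body(b) for b in server.bodies]


if __name__ == "__main__":
    for body, verdict in zip((EXPECTED_BODY, BUGGY_BODY), run_demo()):
        print(verdict, repr(body))
```

To use the listener against sqlmap itself, start it on a fixed port (for example `start_capture_server(8080)`), set the `Host:` line of the request file to `127.0.0.1:8080`, run `sqlmap -r request.txt --batch`, and classify `server.bodies` afterwards; the listener shows the body as sent, independent of what `-v 4` prints.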
