Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Arbitrary injection point on POST data is not working

See original GitHub issue

If you use injection point (* or %INJECT HERE%) in a POST Data request with JSON (e.g. { "name" : "value*" }) sqlmap is actually URL encoding the special characters (e.g. %7B%20%22name%22%20%3A%20%22value%22%20%7D) before sending to the server. I’ve noticed this problem because I’m intercepting all the sqlmap requests with a proxy. Without SQLipy extension sqlmap do not perform the URL encoding.

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:7 (2 by maintainers)

github_iconTop GitHub Comments

stamparmcommented, Jun 7, 2017

@riramar I’ve fixed this issue (not related to sqlmap’s #2568) here with latest commit (

codewatchorgcommented, Jun 5, 2017

Hmm, I will look into it. The sqlmap API server might be encoding the data and then passing it on to sqlmap that way. I don’t believe SQLiPy is encoding anything.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Exploiting difficult SQL injection vulnerabilities using sqlmap
Sometimes of course the injection point is not within a parameter, in which case sqlmap has other options which can be used to...
Read more >
How to prevent injection when user is supplying an arbitrary ...
I have spent a lot of time while looking for a solution for this. Everyone talks about different methods for stopping the injection...
Read more >
5 ways to prevent code injection in JavaScript and Node.js
Learn some best practices for keeping your Node.js and JavaScript projects safe from code injection attacks.
Read more >
How to use sqlmap for injection in address of a web site page ...
Arbitrary injection points. URI injection point. Sometimes the injection point is inside the URI itself. For example, if we go ...
Read more >
CWE-94: Improper Control of Generation of Code ... - MITRE
Such an alteration could lead to arbitrary code execution. Injection problems encompass a wide variety of issues -- all mitigated in very different...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found