ZAP integration with SQLMap using the "application integration settings"
2,216 views
Skip to first unread message
Timothy McGuire
Jan 20, 2016, 4:46:49 PM1/20/16
to OWASP ZAP User Group
I'm following this guide:
It claims to allow SQLMap to be called seamlessly from within ZAP
The directions are to
- Go to Tools --> Options --> Applications
- Add a new Application
- fill out the application "wizard" with:
- command C:\users\hollabackatcha\sqlmap\sqlmap
- parameters --proxy http://127.0.0.1:8089 -u %url% --cookie "%cookie% --data "%postdata%" -f --batch --dbs
- check "capture output" and "Output to Note"
The output window shows that the correct values are filled in for %url% and others but my result is that it separates the parameters with commas and of course this is not understood by sqlmap. It works slightly better to stick the parameters in the command field, but it rewrites http:// to http:\ (!) and of course that is not found.
Is there a way to bypass or change this behavior? Has anyone ever used this feature of ZAP?
Thanks!
kingthorin+owaspzap
Jan 20, 2016, 6:05:37 PM1/20/16
to OWASP ZAP User Group
First what proxy is running in 8089? Second the example you're using is for POST requests, are you trying to inject a POST? Last what happens if you put it as command instead and don't prefix the proxy setting with scheme?
Timothy McGuire
Jan 20, 2016, 11:43:25 PM1/20/16
to OWASP ZAP User Group
thanks for your reply. 8089 is ZAP. I am trying to inject a POST request.
If I put it all in as a command, I just realized that the %url% and other variables are not populated, also, SQLMap needs a scheme. This is the error SQLMap gives if I leave out the scheme:
[22:36:10] [CRITICAL] proxy value must be in format '(http|https|socks4|socks5)://address:port'
Inside ZAP, the output tab simply prints the command. There is no feedback from SQLMap inside zap.
Tim
thc...@gmail.com
Jan 21, 2016, 5:41:46 AM1/21/16
to zaprox...@googlegroups.com
Does the expected command work outside ZAP?
(including seeing the requests proxied through ZAP)
Best regards.
> --
> You received this message because you are subscribed to the Google
> Groups "OWASP ZAP User Group" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to zaproxy-user...@googlegroups.com
> <mailto:zaproxy-user...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.
(including seeing the requests proxied through ZAP)
Best regards.
> You received this message because you are subscribed to the Google
> Groups "OWASP ZAP User Group" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to zaproxy-user...@googlegroups.com
> <mailto:zaproxy-user...@googlegroups.com>.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages