SQLmap with –cookie flag and –string too!!”


1) DVWA uses a PHP Session cookie to authenticate users. If the session cookie is not valid, a page redirection will send you to the login page. This prevents sqlmap from getting access to the injection location. This can be fixed by adding the –cookie “cookie data” option. How do you get your cookie data you may ask. My favorite way is to add a shortcut on your favorites menu with a link to “javascript: alert(document.cookie);”. Click on the link – sooner then you can say “C is for cookie” you have it.

2) sqlmap uses a comparison to determine if the entered SQLi phrase was successful or not. It is built to work on more secure pages (It isn’t used to something as DV as DVWA). So…to fix this, we can feed it a string that will only show up on success. What string would that be? I like to use “First name”. You can use whatever you want (so long as it only is on the page from a successful query). Use the –string option to do this.

3) I know, I know – I said there were only two things. By default DVWA should connect to the MySQL database as root. If you have changed this, then quit fixing things (Just kidding – way to think secure – this should be a lesson for any DBAs out there that happen to find this). sqlmap is able to do much more if it has access (via injection) to the database as a root user.

To get started try something like this:

./sqlmap.py -u “” –cookie “[enter cookie data here]” -p id –string “First name:” –passwords –dbs

captured from DVWA forum

to get a copy of DVWA : http://www.dvwa.co.uk/download.php