support of JSON objects in the HTTP parameters

[blshkv]

Hello,

I found that sqlmap missed an sql injection in the following structure of parameters:
https://xxx/api/get?cat_id=["string"]

I have specified a payload location manually using asterisk as below:
https://xxx/api/get?cat_id=["string*"]
and sqlmap managed to found and exploit the vulnerability.

The application is written on PHP, I'm not sure what's a framework behind it or how the the app parses this parameter.

Perhaps, you will know better. I suspect it has something to do with nested insertions?
Hope you can enhance the tool so it would parse such parameter and pick up the vulnerability automatically.

Thank you.

[stamparm]

Well, this doesn't look like a standard way that parameter values are enclosed. If I see this kind of behavior in future I'll gladly add the prefix/suffix boundary support (in higher levels). Till then closing this down

[blshkv]

I disagree that this is non-standard way. I have requested an additional info from developers but it looks like parse_str function is involved here. I have verified the issue with a commercial scanner and it was able to pick it up.

[stamparm]

Can you please find me the standard involved?

[stamparm]

Or a bulk of sample URLs on regular web sites that uses those?

[blshkv]

So developers came back with an explanation this is a JSON object and they parse it later using a usual parser:
JSON.parse('["string"]');
See the following document for more details: https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse

I double checked the original request and it was a JSON GET request indeed with the following header:
Accept: application/json, text/javascript, */*; q=0.01

I agree that this might not be a common way of using it so I would suggest to include that case to a high level of tests (5?..).

[stamparm]

In regular web applications, JSON is used in POST data (containing all parameter names and values as serialized dictionary). I am not arguing that you have a JSON in your case (though as an array in GET parameter value). I just wanted you to send me some real-life examples (and not a link to what is JSON).

[blshkv]

The app is using standard jquery and bootstrap js libraries. Json query is getting created using similar code:

return $.ajax({
        url: top.serverLocations + 'api/' + id + '/' + top.catId(),
        type: 'get',
        async: true,
        dataType: 'json'
});

It returns a standard JSON reply too. This API call (see the url) is used by a mobile client in my case (real life example).

I'm also telling you that a commercial scanner supports it just fine.
I'm ok if you don't want to improve sqlmap.

[stamparm]

1. I'm ok if you don't want to improve sqlmap. <- LOL
2. Your provided code does not produce JSON dumped array in GET parameter
3. I won't reply any more to this Issue. You have a custom injection marker and you are pushing me to include some support for shitty developer code including the JSON dumped array into the GET parameter. Also, you have a nerve to write the 1)