Getting 403 error on Sqlmap but 200 on Burp Suite with same request header

[pak0s]

I pasted full POST header from Burp to text file and then use -r file.txt parameter for exploitation. But, Sqlmap is throwing 403 error even at the 1st request which doesn't even contain any payload. I dumped the traffic file and I pasted exactly same request header into Burp and it was showing 200 but same header shows 403 on Sqlmap. I assume there is some kind of firewall but how is it detecting Sqlmap specifically? Like the header and data is exactly same but 403 on Sqlmap and 200 on Burp?

[687766616e]

+1

[stamparm]

Can you please provide me the request file? I don't have anything to work with now

[pak0s]

Can you please provide me the request file? I don't have anything to work with now

From the traffic file

HTTP request [#1]:
POST /login.aspx HTTP/1.1
Accept-language: en-US,en;q=0.5
Accept-encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: xxx
Host: xxx
Referer: xxx/login.aspx
Cookie: ASP.NET_SessionId=xxx
Upgrade-Insecure-Requests: 1
Content-type: application/x-www-form-urlencoded
Content-length: xxx
Connection: close

__VIEWSTATE=xxx&__VIEWSTATEGENERATOR=xxx&__EVENTVALIDATION=xxx&username=user&password=pass&submit=Login

HTTP response [#1] (403 Forbidden):
Content-length: xxx
Uri: xxx/login.aspx
Server: Microsoft-IIS/7.5
Connection: close
X-ua-compatible: IE=9
Date: Tue, 08 Jan 2019 xx:xx:xx GMT
Content-type: text/html

I pasted exactly same HTTP request from traffic file into Burp and it showed 200 response

[stamparm]

Can't reproduce anything fishy with this. Just tried the same request (from your pasted excerpt) with the latest revision and everything looks ok

[stamparm]

You have everything at your side. You can even use Burp in between (with sqlmap's --proxy). Why don't you do your own research?

[pak0s]

You have everything at your side. You can even use Burp in between (with sqlmap's --proxy). Why don't you do your own research?

Yeah just thought of that after posting this issue. Will evaluate Sqlmap with Burp and post results here soon.

[pak0s]

I just triggered Sqlmap with Burp and realized Sqlmap wasn't sending the data over https since the file containing header doesn't contain any such information. Using --force-ssl fixed the issue. You can add an option to prompt user to use either https or http while exploiting with -r file.txt parameter. Also Sqlmap randomly rearranges the format of the header. For example if Host was in 2nd line of file.txt, Sqlmap will shift it to 6th line but I don't think this would cause any issue.

[stamparm]

1. You can add an option to prompt user to use either https or http while exploiting with -r file.txt parameter <- standard way is to use Host: <host>:443
2. Sqlmap randomly rearranges the format of the header <- this should not cause problems. Though, this is being done by Python (uses regular unordered dictionary for headers internally)