While performing SQL injection tests, I encountered a situation where the target parameter wasn’t in the URL query string, but instead in the Cookie header. By default, SQLMap doesn’t recognize parameters in the Cookie header, so I needed to find a way to target it.

To target these specific parameters, simply replace the value with *. SQLMap will recognize the asterisk as the target location.

For example, here’s a case where the target parameter is in the Cookie header:

GET /target.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://example.com/
Connection: keep-alive
Cookie: id=1 <-- target parameter
Upgrade-Insecure-Requests: 1
Priority: u=0, i

To target the id parameter, replace its value with *:

# Either directly on the command line
sqlmap -u "http://example.com/target.php" --cookie="id=*"

# Or in a saved request file loaded with -r (the "<--" note below is an annotation, not file content)
...
Connection: keep-alive
Cookie: id=* <-- target parameter
Upgrade-Insecure-Requests: 1
...
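
On the server side, the cookie value reaches the query the same way a URL parameter would, which is why it needs the same handling. The following is an added example, not code from the original post or from any real application: the table, data and function names are constructed, and the cookie value is URL-decoded the way PHP decodes cookie values.

```python
import re
import sqlite3
from urllib.parse import unquote

def make_db():
    """Constructed sample data standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return db

def cookie_id(cookie_header):
    """Return the URL-decoded value of the 'id' cookie, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "id":
            return unquote(value)
    return None

def lookup_vulnerable(db, cookie_header):
    """Weak form: the cookie text is concatenated into the SQL statement."""
    value = cookie_id(cookie_header)
    sql = "SELECT name FROM items WHERE id = " + value
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, cookie_header):
    """Corrected form: validate the type, then bind the value as a parameter."""
    value = cookie_id(cookie_header)
    if value is None or not re.fullmatch(r"[0-9]{1,9}", value):
        return []  # reject anything that is not a plain integer
    sql = "SELECT name FROM items WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(value),))]

if __name__ == "__main__":
    db = make_db()
    crafted = "session=abc; id=1%20OR%201%3D1"  # constructed test input
    print("vulnerable:", lookup_vulnerable(db, crafted))
    print("hardened:  ", lookup_hardened(db, crafted))
```

The vulnerable lookup returns every row for the crafted cookie, while the hardened one returns nothing because the value fails validation before any SQL runs.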