Change Parameter Delimiter
Changes the parameter delimiter sqlmap uses to split request parameters during SQL injection testing.
python sqlmap.py -u "http://www.example.com/vuln.php" --data="query=foobar;id=1" --param-del=";"

#!/bin/bash
# Change Parameter Delimiter
python sqlmap.py -u "http://www.example.com/vuln.php" --data="query=foobar;id=1" --param-del=";"

import shlex
import subprocess

# Change Parameter Delimiter
# Make sure to replace the sample URL, data and delimiter with actual values
def run_command():
    # Arguments are passed to sqlmap as-is (no shell), so they must not
    # carry embedded quote characters or placeholder brackets.
    cmd = [
        "python",
        "sqlmap.py",
        "-u",
        "http://www.example.com/vuln.php",
        "--data=query=foobar;id=1",
        "--param-del=;",
    ]
    try:
        # shlex.join prints a shell-safe form of the command for the log
        print(f"Executing: {shlex.join(cmd)}")
        subprocess.run(cmd, check=True)
    except subprocess.CalledProcessError as e:
        print(f"Error: {e}")
    except FileNotFoundError:
        print("Error: python not found. Please install it first.")

if __name__ == "__main__":
    run_command()

When To Use
When a web application uses non-standard delimiters in query strings.
Pro Tip
Test different delimiters if initial attempts fail; use --data for clarity in payload structure.
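How the delimiter decides what counts as a separate parameter, shown as an added example (not code from sqlmap or from this page). The helper names split_params and guess_delimiter are hypothetical, and the scoring rule in guess_delimiter is an assumed heuristic:

```python
def split_params(body, delimiter="&"):
    """Split a request body into (name, value) pairs on a single delimiter."""
    pairs = []
    for segment in body.split(delimiter):
        segment = segment.strip()
        if not segment:
            continue  # ignore empty pieces from doubled or trailing delimiters
        # Split on the first '=' only, so values may themselves contain '='.
        name, _, value = segment.partition("=")
        pairs.append((name, value))
    return pairs


def guess_delimiter(body, candidates=("&", ";", ":")):
    """Pick the candidate that splits body into the most name=value pairs.

    Assumed heuristic: a candidate scores 0 unless every segment looks like
    name=value. Ties go to the earliest candidate, so '&' wins by default.
    """
    def score(delimiter):
        segments = [s for s in body.split(delimiter) if s.strip()]
        well_formed = all("=" in s and s.partition("=")[0].strip() for s in segments)
        return len(segments) if well_formed else 0

    return max(candidates, key=score)


if __name__ == "__main__":
    body = "query=foobar;id=1"  # constructed sample, same shape as the page's --data value
    for d in ("&", ";"):
        print(repr(d), split_params(body, d))
    print("best guess:", repr(guess_delimiter(body)))
```

With "&" the whole body collapses into one parameter named query whose value is "foobar;id=1"; only with ";" do query and id become separate parameters.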
Anatomy of Output
Understanding the result
[04:00:15] [INFO] using a custom parameter delimiter: ';'
Delimiter Info: Indicates that a non-standard delimiter is being used.

[04:00:16] [EXECUTION] payload: 'foobar; id=1'
Final Payload Execution: Shows the resolved payload sent to the server.

[04:00:17] [SUCCESS] injection confirmed: 'foobar'
Injection Confirmation: Indicates successful injection using the custom delimiter.
Power User Variants
Optimized versions
python sqlmap.py -u 'http://www.example.com/vuln.php' --data='query=foobar&id=1' --param-del='&'
Switch to a standard ampersand delimiter.

python sqlmap.py -u 'http://www.example.com/vuln.php' --data='query=foobar:id=1' --param-del=':'
Test with a colon as the delimiter.
Troubleshooting
Common pitfalls
sqlmap -u '...' --data '...' --param-del ';' - ERROR: Unsupported delimiter
Solution: Ensure the delimiter is correctly defined and appropriate for the application.
sqlmap -u '...' --data='...' - ERROR: Malformed SQL syntax
Solution: Double-check the data format and query structure; ensure valid payload.
sqlmap -u '...' --data='...' - ERROR: 400 Bad Request
Solution: Review the request structure; it may be invalid for the application.
Command Breakdown
What each part is doing
- python sqlmap.py - Base command. Runs the sqlmap script with the Python interpreter.
- -u (--url) - Command option. The target URL supplied to sqlmap, here http://www.example.com/vuln.php.
- --data="query=foobar;id=1" - Command option. The data string sent in the request body, here two parameters (query and id) separated by ";".
- --param-del=";" - Command option. The character sqlmap uses to split the --data value into individual parameters, here ";".
Alternative Approaches
Comparable commands in other tools
Alternative security tools for the same job.
nettacker --ping-before-scan -m <port_scan,subdomain_scan,waf_scan,...> -g <80,443> -i <owasp.org>