
SQLmap and Unique Value Randomization

  • aldern00b
  • Jul 29, 2023

Sometimes when using SQLMap you'll run into a website that requires a unique value in one of its parameters. This is an attempt to prevent enumeration, but it can be bypassed with a SQLMap flag: --randomize.


Like the CSRF token attempt, this is meant to make sure you're actually using the website. You can see the value that needs randomizing in the uid parameter of the URI (below).


Using the --randomize flag, we name the parameter whose value we want randomized, in this case uid. Here's the syntax:

sqlmap 'http://94.237.49.11:34681/case9.php?id=1&uid=1635820687' --randomize=uid --dump

This is basically a copy of the full URL into SQLMap, so it's an easy copy and paste.
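
Added example, not from the original post: a Python sketch of why a uniqueness-only check on uid is satisfied by any fresh random value, beside a server-issued single-use token that is not. It assumes the server only verifies that uid is numeric and unseen; all class and function names here are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed secret for this demo


class UniqueOnlyCheck:
    """Assumed weak control: any numeric uid not seen before is accepted."""

    def __init__(self):
        self.seen = set()

    def accept(self, uid: str) -> bool:
        if not uid.isdigit() or uid in self.seen:
            return False
        self.seen.add(uid)
        return True


class IssuedTokenCheck:
    """Hardened control: uid must be a token this server issued, spent once."""

    def __init__(self, key: bytes = SERVER_KEY):
        self.key = key
        self.spent = set()

    def _tag(self, nonce: str) -> str:
        return hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()

    def issue(self) -> str:
        nonce = secrets.token_hex(8)
        return f"{nonce}.{self._tag(nonce)}"

    def accept(self, uid: str) -> bool:
        nonce, _, tag = uid.partition(".")
        valid = hmac.compare_digest(tag.encode(), self._tag(nonce).encode())
        if not valid or nonce in self.spent:
            return False
        self.spent.add(nonce)
        return True


def random_digits(n: int = 10) -> str:
    """Constructed stand-in for a client sending a fresh random value."""
    return "".join(secrets.choice("0123456789") for _ in range(n))
```

Neither check addresses the injection in id itself; the query behind that parameter still needs bound parameters.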

