[sqlmap-users] Fwd: sqlmap error
Brought to you by:
inquisb
From: Bernardo D. A. G. <ber...@gm...> - 2009-06-24 21:58:17
|
---------- Forwarded message ---------- From: sql pirate <sql...@go...> Date: Wed, Jun 24, 2009 at 21:59 Subject: Re: [sqlmap-users] sqlmap error To: "Bernardo Damele A. G." <ber...@gm...> Hi Bernando, thanks for your help. Your tool works now for this vulnerability! Though I have some other restrictions from the application now which prevents me from extracting data :-( Cheers, Jan 2009/6/24 Bernardo Damele A. G. <ber...@gm...> > > Hi, > > On Mon, Jun 22, 2009 at 14:03, sql pirate<sql...@go...> wrote: > > ... > > ./sqlmap.py -u > > "http://www.example.com/system/listinstances.nav?FORMULARNAME=listinstances&FORMULARSEGMENT=0&FLD_maxElementsListInstances=5&FLD_listInstancesOrderBy=1" > > -p FLD_listInstancesOrderBy --string=rowHighSmall > > --proxy=http://127.0.0.1:8080/ > > --cookie="JSESSIONID=1RjDK1vK9NMkyJ7tWPWks9wTYyYz22h5pTQ2qTWVx6pQVhxC2nVg" > > --delay=1 --prefix="%2b(select%20case%20when%201=1" > > --postfix="then%201%20else%201/0%20end%20from%20dual)" --sql-query="select > > 'bla' from dual" > > ... > > forgedPayload = payload % (expressionUnescaped, idx, limit) > > ValueError: unsupported format character 'b' (0x62) at index 104 > > ... > > Use latest sqlmap from subversion repository. > Avoid uri encoding in --prefix and --postfix options' value. sqlmap > uri encode the HTTP request parameters properly automatically. > > Cheers, > -- > Bernardo Damele A. G. > > E-mail / Jabber: bernardo.damele (at) gmail.com > Mobiles: +447788962949 (UK), +393493821385 (IT) > PGP Key ID: 0x05F5A30F -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobiles: +447788962949 (UK), +393493821385 (IT) PGP Key ID: 0x05F5A30F |