[sqlmap-users] some bugs
From: pUm <hi...@go...> - 2009-08-07 08:20:06
Hi all,

we came across a few bugs in sqlmap during one of our tests.

bugs:

1. encoding %: the percent is encoded - really strange. If you put in %25 it will encode it to %% and stuff like that. we were not able to inject a % only on one parameter.
2. postfix/prefix string: the postfix string just disappears on some requests (post request)
3. testing connection on post injection: the test connect to the url is done as a get request, even if you provided --data. this is a bad thing, for us it logged out the user after doing a get request on a post request ;)

suggested enhancements:

- define the "random" char that gets injected on a true injection (so that it does not become so much more random ;)) - I will write a patch for this if I've got some time
- using OR instead of AND, I know, you've got the request way too often, but I've actually got a reason to raise this again ;)
- running time and stacked queries without the AND injection. for example, test all stacked query possibilities ...

thanks for the nice tool. I really enjoy it

cheers
sven

P.S.: using the latest svn version