Re: [sqlmap-users] some bugs
From: Bernardo D. A. G. <ber...@gm...> - 2009-08-10 09:44:28
Hi pUm,

On Fri, Aug 7, 2009 at 09:19, pUm<hi...@go...> wrote:
> ...
> bugs:
> 1. encoding %:
> the percent is encoded - really strange. If you put in %25 it will
> encode it to %% and stuff like that. We were not able to inject a %
> only on one parameter.

This is something I will have a closer look at soon.

> 2. postfix/prefix string:
> the postfix string just disappears on some requests (POST request)

I can't reproduce this bug. Can you please double check and send me the exact -v 3 output?

> 3. testing connection
> on POST injection the test connection to the URL is done as a GET
> request, even if you provided --data. This is a bad thing; for us it
> logged out the user after doing a GET request on a POST request ;)

In my tests and from the source code it is clear that if you specify --data it always goes with the HTTP POST method. Also, I sniffed the traffic to double check it, and it goes POST from the very first HTTP request.

> suggested enhancements:
> - define the "random" char that gets injected on a true injection (so
> that it does not become so much more random ;)) - I will write a
> patch for this if I've got some time

What's the benefit?

> - using OR instead of AND. I know, you've got the request way too
> often, but I've actually got again a reason for this to be raised again
> ;)
> - running time-based and stacked queries without the AND injection. For
> example, test all stacked query possibilities ...

In the long run the SQL injection detection phase will be done by parsing a (huge) XML file in which the user will be able to define fewer or more tests to run; the engine will then be completely rewritten to parse this XML file.

> thanks for the nice tool. I really enjoy it

Welcome!

Cheers,
-- 
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F