Re: [sqlmap-users] User friendly url
From: Christoph A. <ca...@gm...> - 2010-09-15 20:13:08
On 09/15/2010 05:30 PM, Carlos Gabriel Vergara wrote:
> Hi!
> (Please, excuse my English)
>
> I've got a question about GET parameters; I looked into the mail
> archive and didn't find anything about telling sqlmap which "parameter"
> to use when the site uses friendly urls.
>
> In my test environment I have this url:
>
> http://127.0.0.1/lookin-for-dog/1455/
>
> The injectable part is "1455", which looks like a path name. In fact,
> the parameter is "looking-for-dog", and the value is "1455". Testing
> with:
>
> http://127.0.0.1/lookin-for-dog/1455%20or%201%3d1/
> (meaning http://127.0.0.1/lookin-for-dog/1455 or 1=1/)
>
> ...seems to work. When injecting something like "1455%27", a MySQL
> error appears. So I think the url is injectable. The problem is that
> I can't pass this kind of parameter to sqlmap, or better said, I don't
> know how to pass it.
>
> Is there a workaround for this?

You might want to have a look at this thread:
http://sourceforge.net/mailarchive/message.php?msg_name=4C3F94D3.5030408%40gmail.com