Re: [sqlmap-users] Addressing data inside the path
From: Bernardo D. A. G. <ber...@gm...> - 2010-10-24 09:47:25
Get sqlmap from svn. Use asterisk to mark the injection point. E.g.: www.site.tld/path/category_123*/getItem.do

Bernardo Damele A. G.

On 24/Oct/2010, at 09:12, Thomas Schreiber <ts...@go...> wrote:

> Hi,
>
> I have discovered an SQL-Injection where the app extracts the parameter for the SQL query from the URL like this:
>
> www.site.tld/path/category_123/getItem.do
>
> 123 is the parameter. Changing this to www.site.tld/path/category_'/getItem.do leads to an SQL syntax error.
>
> As far as I can see, sqlmap does not support addressing the data in the path itself. Any ideas?
>
> Thank you
> Thomas
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
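The thread describes the classic path-parameter defect: the application lifts `123` out of the `category_123` segment and pastes it into SQL text, so `category_'` produces a syntax error. The following is an added example, not code from sqlmap or from either poster, that models a hypothetical `getItem.do` handler against an in-memory SQLite table (constructed data). It shows the concatenating lookup that yields exactly the symptom Thomas observed, next to a hardened version that allow-lists the segment as `category_<digits>` and binds the value as a query parameter. The table, column names and URL-parsing helper are assumptions for the demonstration.

```python
import re
import sqlite3
from urllib.parse import unquote, urlsplit

# Path shape from the thread: /path/category_<id>/getItem.do
CATEGORY_SEGMENT = re.compile(r"^category_(\d+)$")


def build_demo_db():
    """Constructed in-memory table standing in for the app's item store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (category_id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [(123, "widget"), (124, "gadget")],
    )
    return conn


def raw_segment(url):
    """Second path segment, percent-decoded, as the hypothetical app reads it."""
    parts = [unquote(p) for p in urlsplit(url).path.strip("/").split("/")]
    return parts[1] if len(parts) > 1 else ""


def lookup_unsafe(conn, url):
    """String concatenation: the defect the thread describes.

    A segment of category_' yields "... WHERE category_id = '" and the
    database reports a syntax error, which is what exposed the injection point.
    """
    segment = raw_segment(url)
    category = segment[len("category_"):] if segment.startswith("category_") else segment
    sql = "SELECT name FROM items WHERE category_id = " + category
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def extract_category_id(url):
    """Strict allow-list on the path segment: only category_<digits> passes.

    Returns an int, or None when the segment is not well formed, so a quote
    (literal or percent-encoded) never reaches the query layer.
    """
    m = CATEGORY_SEGMENT.match(raw_segment(url))
    return int(m.group(1)) if m else None


def lookup_safe(conn, url):
    """Validated id bound as a parameter; the value is never part of SQL text."""
    category_id = extract_category_id(url)
    if category_id is None:
        return None
    row = conn.execute(
        "SELECT name FROM items WHERE category_id = ?", (category_id,)
    ).fetchone()
    return row[0] if row else None


def probe_raises_syntax_error(conn, url):
    """True when the unsafe lookup fails with a SQL error for this URL:
    the symptom reported in the thread for category_'."""
    try:
        lookup_unsafe(conn, url)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    good = "http://www.site.tld/path/category_123/getItem.do"
    bad = "http://www.site.tld/path/category_'/getItem.do"
    print("unsafe, well-formed:", lookup_unsafe(db, good))
    print("unsafe, quote segment raises:", probe_raises_syntax_error(db, bad))
    print("safe, well-formed:", lookup_safe(db, good))
    print("safe, quote segment:", lookup_safe(db, bad))
```

The allow-list is the important half: once the segment is validated to a numeric id and passed as a bound parameter, the `*` marker Bernardo describes has nothing to work with, and the server logs stop showing database syntax errors for malformed paths. Note that the decode step runs before validation on purpose; validating the raw, still-encoded segment would let `category_%27` slip past a check that only looks for a literal quote.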