Re: [sqlmap-users] Sqlmap missing a get param?
From: Miroslav S. <mir...@gm...> - 2011-02-04 17:46:11
Hi Chris.

well, it starts with sort, and goes to the end, but the manufacture_id is indeed being tested:

...
[18:42:57] [INFO] confirming that GET parameter 'manufacturer_id' is dynamic
[18:42:57] [INFO] GET parameter 'manufacturer_id' is dynamic
...

problematic part is that we use python dictionary to store parameters, potentially screwing their order of appearance. we can check out what can be done.

in the meantime you can force checking of manufacturer_id by issuing:

-p manufacturer_id

kr

On Fri, Feb 4, 2011 at 5:27 PM, Chris Oakley <chr...@gm...> wrote:
> Hi all
>
> I've just issued the following command using the latest revision of sqlmap
> .9:
>
> C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://x.x.x.x/index.php?r
> oute=product/manufacturer&manufacturer_id=1&sort=pd.name&order=DESC&page=18&scri
> pt1296664523519=12345" --text-only --proxy "http://127.0.0.1:8085" --level=5
> --r
> isk=3 --flush-session
>
> Partial output from this command is as follows:
>
> [16:22:21] [INFO] flushing session file
> [16:22:21] [INFO] testing connection to the target url
> [16:22:21] [INFO] testing if the url is stable, wait a few seconds
> [16:22:23] [INFO] url is stable
> [16:22:23] [INFO] testing if GET parameter 'sort' is dynamic
> [16:22:24] [WARNING] GET parameter 'sort' is not dynamic
> [16:22:24] [WARNING] heuristic test shows that GET parameter 'sort' might
> not be
> injectable
> [16:22:24] [INFO] testing sql injection on GET parameter 'sort'
>
> The parameter I'm specifically looking at as potentially injectable is
> "manufacturer_id" but sqlmap starts at 'sort' and then moves through to the
> end of the param list, then ends, totally bypassing the first parameter.
>
> For testing purposes if you install a clean version of the latest open cart,
> you should be able to replicate this.
>
> Regards
>
> Chris

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia