Re: [sqlmap-users] Sqlmap missing a get param?
From: Miroslav S. <mir...@gm...> - 2011-02-04 18:07:00
Hi again.

Please update to the latest revision to have this "updated". From now on (r3225) we are storing dictionary keys in the order of appearance (OrderedDict principle). That means that if you have a URL like ?rss=1&back=2&out=3&index=0 their testing order will be the same as their order of appearance (rss, back, out and index at the end).

kr

On Fri, Feb 4, 2011 at 6:45 PM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Chris.
>
> well, it starts with sort, and goes to the end, but the manufacturer_id
> is indeed being tested:
>
> ...
> [18:42:57] [INFO] confirming that GET parameter 'manufacturer_id' is dynamic
> [18:42:57] [INFO] GET parameter 'manufacturer_id' is dynamic
> ...
>
> problematic part is that we use python dictionary to store parameters,
> potentially screwing their order of appearance. we can check out what
> can be done.
>
> in the meantime you can force checking of manufacturer_id by issuing:
> -p manufacturer_id
>
> kr
>
> On Fri, Feb 4, 2011 at 5:27 PM, Chris Oakley
> <chr...@gm...> wrote:
>> Hi all
>>
>> I've just issued the following command using the latest revision of sqlmap
>> .9:
>>
>> C:\Program Files\sqlmap-0.9>python sqlmap.py -u "http://x.x.x.x/index.php?route=product/manufacturer&manufacturer_id=1&sort=pd.name&order=DESC&page=18&script1296664523519=12345" --text-only --proxy "http://127.0.0.1:8085" --level=5 --risk=3 --flush-session
>>
>> Partial output from this command is as follows:
>>
>> [16:22:21] [INFO] flushing session file
>> [16:22:21] [INFO] testing connection to the target url
>> [16:22:21] [INFO] testing if the url is stable, wait a few seconds
>> [16:22:23] [INFO] url is stable
>> [16:22:23] [INFO] testing if GET parameter 'sort' is dynamic
>> [16:22:24] [WARNING] GET parameter 'sort' is not dynamic
>> [16:22:24] [WARNING] heuristic test shows that GET parameter 'sort' might not be injectable
>> [16:22:24] [INFO] testing sql injection on GET parameter 'sort'
>>
>> The parameter I'm specifically looking at as potentially injectable is
>> "manufacturer_id" but sqlmap starts at 'sort' and then moves through to the
>> end of the param list, then ends, totally bypassing the first parameter.
>>
>> For testing purposes if you install a clean version of the latest open cart,
>> you should be able to replicate this.
>>
>> Regards
>>
>> Chris
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> Alternate: miroslav.stampar (at) mail.ru
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia

--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia