Re: [sqlmap-users] Sqlmap missing a get param?
From: Steve P. <ste...@gm...> - 2011-02-04 21:09:33
On 02/04/2011 02:45 PM, Miroslav Stampar wrote:
> well, i am 99% sure that one parameter value is just overwritten by
> the other. in that case it doesn't matter if sqlmap handles parameters
> as dictionary.
>
> prove me wrong Pieter with some example :)
>
> i like people that prove me wrong (Steve was one of those with that
> newly found mssql server query delay payload)
>
> kr

It's been called HTTP parameter pollution, and different server software responds differently. When faced with multiple inputs, some take the first, some take the last, and some auto-magically turn it into an array or concatenate them with a comma.

Sometimes the software will use the first parameter, but the WAF might only sanitise the last, or vice versa.

Here was some of the first research into the phenomenon:
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
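The duplicate-handling behaviours described in the reply above, as an added example that is not part of the original thread and is not sqlmap's code: it keeps every occurrence of a parameter, resolves duplicates under each strategy the post lists, and reports where an inspecting layer and the backend would see different values. The strategy labels, function names and sample query string are assumptions made for this illustration.

```python
from urllib.parse import parse_qsl

# Duplicate-handling strategies named in the post (labels are this example's own).
STRATEGIES = {
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
    "array": lambda vals: list(vals),
    "comma_join": lambda vals: ",".join(vals),
}

def group_params(query):
    """Return {name: [values in order]}, keeping every occurrence.

    A plain dict built with d[name] = value would silently keep only the
    last value, which is the overwrite discussed in the thread.
    """
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped

def resolve(query, strategy):
    """Resolve each parameter the way a component using `strategy` would."""
    pick = STRATEGIES[strategy]
    return {name: pick(vals) for name, vals in group_params(query).items()}

def polluted_params(query):
    """Names that occur more than once; useful as a logging or review flag."""
    return sorted(n for n, v in group_params(query).items() if len(v) > 1)

def disagreements(query, inspector, backend):
    """Parameters where the inspecting layer and the backend see different values."""
    seen, used = resolve(query, inspector), resolve(query, backend)
    return {n: (seen[n], used[n]) for n in seen if seen[n] != used[n]}

# Constructed sample query string with a repeated "id" parameter.
SAMPLE = "id=1&cat=books&id=2"

if __name__ == "__main__":
    print("duplicated:", polluted_params(SAMPLE))
    for name in STRATEGIES:
        print(f"{name:>10}: {resolve(SAMPLE, name)}")
    # Filter checks the last value while the application uses the first.
    print("mismatch:", disagreements(SAMPLE, "last", "first"))
```

An empty result from `disagreements` means both layers validated and used the same value; any entry marks a parameter whose checked value is not the one the application acted on.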