Re: [sqlmap-users] Sqlmap missing a get param?
From: Miroslav S. <mir...@gm...> - 2011-02-05 08:23:31
Hi again. I was giving it a thought and the final answer for now is no. This would break the concept of sqlmap a lot. We are identifying injection points by parameter names (also considering the place where it's located - e.g. GET/id). In case we would "modify" sqlmap to accept these "cases" we would need not just to replace the dictionary with a list, but to change the whole data model. At this moment we have higher priority stuff to do.

Three things I would suggest so you could make a scan "compliant" with sqlmap are:

1) either use the URI injection mark * to tell sqlmap where to look for injection (e.g. ./sqlmap.py -u "www.test.com/index.php?idA=1&idB=2&idA=3*&idC=1") or
2) concatenate/adjust the URI yourself manually - so, if you see that there are two idA parameters, try to manually play around and see what the web server does with those - try to concatenate and/or delete the first one or
3) be realistic. There are lots of "junk" URIs in the wild that can be "beautified" by yourself - e.g. ?search=some%XXshitty%XXquery%XXthere%XXis -> ?search=test

kr

On Fri, Feb 4, 2011 at 11:37 PM, Pieter de Boer <pi...@th...> wrote:
> On 02/04/11 20:37, Miroslav Stampar wrote:
>
>> are you certain that one parameter value is not "overwritten" by the
>> other at the server's side. in server side programming (PHP, ASP) I
>> don't know how to handle such requests out of the box.
>>
>> could you please post some examples just to experiment?
>>
> Unfortunately I don't have examples, but I've seen such cases 'in the wild'.
> It can be used for selecting multiple items from a list, for example. It
> really depends on how the application, language or framework handles the
> parameters, as Steve mailed earlier.
>
> It may not be very useful to implement as it's rarely used for useful
> purposes, but if it's not a problem to replace the dict with a list, I
> suggest considering doing so.
>
> Regards,
> Pieter
>

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
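To illustrate the data-model point made in the reply (a name-keyed dict cannot hold two idA parameters, a positional list can), here is an added Python example using the URL from the mail; it is not sqlmap's code, and its handling of the * mark is an assumed simplification for illustration, not sqlmap's implementation.

```python
from urllib.parse import urlsplit, parse_qsl

# URL from the mail above, with the trailing "*" marking the second idA as the
# place to test (the URI injection mark the reply recommends).
EXAMPLE_URL = "http://www.test.com/index.php?idA=1&idB=2&idA=3*&idC=1"


def query_as_dict(url):
    """Name-keyed model: a repeated name silently overwrites the earlier value."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def query_as_list(url):
    """Positional model: every (name, value) pair survives, in request order."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def duplicated_names(url):
    """Names that occur more than once, i.e. the ones a dict cannot represent."""
    names = [name for name, _ in query_as_list(url)]
    return sorted({n for n in names if names.count(n) > 1})


def locate_injection_mark(url, mark="*"):
    """Simplified stand-in for the '*' mark (assumed behaviour, not sqlmap's code):
    return the position of the single marked pair and the pairs with the mark
    removed. Position, not name, is what tells the two idA parameters apart."""
    pairs = query_as_list(url)
    hits = [i for i, (_, value) in enumerate(pairs) if value.endswith(mark)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one {mark!r} mark, found {len(hits)}")
    idx = hits[0]
    name, value = pairs[idx]
    cleaned = pairs[:idx] + [(name, value[: -len(mark)])] + pairs[idx + 1:]
    return idx, cleaned


if __name__ == "__main__":
    print("dict model :", query_as_dict(EXAMPLE_URL))   # first idA is lost
    print("list model :", query_as_list(EXAMPLE_URL))   # both idA kept
    print("duplicates :", duplicated_names(EXAMPLE_URL))
    print("mark at    :", locate_injection_mark(EXAMPLE_URL))
```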