Re: [sqlmap-users] Sqlmap missing a get param?
From: Miroslav S. <mir...@gm...> - 2011-02-05 08:33:15
as said, Steve is the man :)

this was a really interesting article i must say. also, you've proved to me that some web server applications really concatenate those parameters.

for the time being, as said in the last message related to this topic, we'll leave everything as it is.

kr

On Fri, Feb 4, 2011 at 10:09 PM, Steve Pinkham <ste...@gm...> wrote:
> On 02/04/2011 02:45 PM, Miroslav Stampar wrote:
>> well, i am 99% sure that one parameter value is just overwritten by
>> the other. in that case it doesn't matter if sqlmap handles parameters
>> as dictionary.
>>
>> prove me wrong Pieter with some example :)
>>
>> i like people that prove me wrong (Steve was one of those with that
>> newly found mssql server query delay payload)
>>
>> kr
>
> It's been called HTTP parameter pollution, and different server software
> responds differently. When faced with multiple inputs, some take the
> first, some take the last, and some auto-magically turn it into an array
> or concatenate them with a comma.
>
> Sometimes the software will use the first parameter, but the WAF might
> only sanitise the last, or vice versa.
>
> Here was some of the first research into the phenomenon:
>
> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
>

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
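
Added example, not part of the original thread and not sqlmap code: the four duplicate-parameter behaviours described in the quoted message (first, last, array, comma concatenation) applied to one query string, plus a check that reports where a filtering layer and the application behind it would read different values. The strategy names, function names and the sample query are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# The four behaviours named in the thread for repeated parameters.
STRATEGIES = {
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
    "array": lambda vals: list(vals),
    "concat": lambda vals: ",".join(vals),
}


def group_params(query):
    """Return {name: [values in request order]}, keeping every duplicate.

    A plain dict built from the pairs would silently drop all but one
    value, which is the "overwritten" behaviour discussed in the thread.
    """
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def resolve(query, strategy):
    """Parameter values as seen by a component using the given strategy."""
    pick = STRATEGIES[strategy]
    return {name: pick(vals) for name, vals in group_params(query).items()}


def duplicated_params(query):
    """Names that occur more than once in the query string."""
    return sorted(n for n, v in group_params(query).items() if len(v) > 1)


def layers_disagree(query, filter_strategy, app_strategy):
    """Names for which the filter and the application read different values."""
    seen_by_filter = resolve(query, filter_strategy)
    seen_by_app = resolve(query, app_strategy)
    return sorted(n for n in seen_by_filter if seen_by_filter[n] != seen_by_app[n])


# Constructed sample query: "id" is sent twice with different values.
SAMPLE = "id=1&cat=books&id=2"

if __name__ == "__main__":
    for name in STRATEGIES:
        print(f"{name:>6}: {resolve(SAMPLE, name)}")
    print("duplicated:", duplicated_params(SAMPLE))
    print("filter=last vs app=first:", layers_disagree(SAMPLE, "last", "first"))
```

A gateway or test harness can use `duplicated_params` to reject or log such requests before the front end and back end get a chance to disagree.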