Re: [sqlmap-users] Sqlmap missing a get param?
From: Chris O. <chr...@gm...> - 2011-02-05 10:21:53
Hi all

Thanks for the input, really fast as always :)

Very interesting reading on multiple instances of the same parameter; not that I've really seen it "in the wild" but I had assumed that the server would just take the last value of it and overwrite the old - obviously that's not always the case!

Chris

On 5 February 2011 08:33, Miroslav Stampar <mir...@gm...> wrote:

> as said, Steve is the man :)
>
> this was a really interesting article i must say. also, you've proved
> to me that some web server applications really concatenate those
> parameters.
>
> for the time being, as said in the last message related to this topic,
> we'll leave everything as it is.
>
> kr
>
> On Fri, Feb 4, 2011 at 10:09 PM, Steve Pinkham <ste...@gm...>
> wrote:
> > On 02/04/2011 02:45 PM, Miroslav Stampar wrote:
> >> well, i am 99% sure that one parameter value is just overwritten by
> >> the other. in that case it doesn't matter if sqlmap handles parameters
> >> as dictionary.
> >>
> >> prove me wrong Pieter with some example :)
> >>
> >> i like people that prove me wrong (Steve was one of those with that
> >> newly found mssql server query delay payload)
> >>
> >> kr
> >
> > It's been called HTTP parameter pollution, and different server software
> > responds differently. When faced with multiple inputs, some take the
> > first, some take the last, and some auto-magically turn it into an array
> > or concatenate them with a comma.
> >
> > Sometimes the software will use the first parameter, but the WAF might
> > only sanitise the last, or vice versa.
> >
> > Here was some of the first research into the phenomenon:
> >
> > http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
> >
> >
> > --
> > | Steven Pinkham, Security Consultant |
> > | http://www.mavensecurity.com |
> > | GPG public key ID CD31CAFB |
> >
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> Alternate: miroslav.stampar (at) mail.ru
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia