Re: [sqlmap-users] HTTP Parameter Pollution (was Re: Sqlmap missing a get param?)
From: Miroslav S. <mir...@gm...> - 2011-02-05 16:57:46
hi Steve.

we have been contacted by an author of wavsep, as he wasn't able to run sqlmap against it. he'll rerun the test when 0.9 stable goes out.

well, I won't tell you the results (of our own run), to not curse them :). you'll see them in time.

kr

On Sat, Feb 5, 2011 at 5:51 PM, Steve Pinkham <ste...@gm...> wrote:
> On 02/05/2011 03:23 AM, Miroslav Stampar wrote:
>> Hi again.
>>
>> I was giving it a thought and the final for now is no. This would
>> break the concept of sqlmap a lot.
>>
>> We are identifying injection points by parameter names (also
>> considering the place where it's located - e.g. GET/id).
>>
>> In the case where we would "modify" sqlmap to accept these "cases" we
>> would need not just to replace the dictionary with a list, but to change the
>> whole data model. At this moment we have higher-priority stuff to do.
>
> I would agree. The only thing I've really found HTTP Parameter
> Pollution useful for so far is XSS filtering workarounds, both for the
> IE 8 client side filter and WAF type tech. I can't think of too many
> places where it would be directly useful for SQL injection. Definitely
> a corner case for that application; it probably is best handled by a human
> brain.
>
> The problem with web security in general is that the amount of corner cases
> is huge, and most tools don't even do a good job of hitting the easy
> cases yet. Sqlmap is definitely ahead of the curve for SQL injection tools.
>
> Speaking of which, have you given sqlmap a try on WAVSEP yet? I've used
> it a bit for XSS tool vetting and development the past few weeks (and am
> adding some more test cases), but haven't looked at it for SQL injection
> yet.
>
> http://code.google.com/p/wavsep/
>
>> Three things I would suggest so you could make a scan "compliant" with sqlmap are:
>> 1) either use the URI injection mark * to tell sqlmap where to look for
>> injection (e.g. ./sqlmap.py -u "www.test.com/index.php?idA=1&idB=2&idA=3*&idC=1")
>> or
>> 2) concatenate/adjust the URI yourself manually - so, if you see that
>> there are two idA parameters, try to manually play around and see what
>> the web server does with those - try to concatenate and/or delete the first
>> one
>> or
>> 3) be realistic. there are lots of "junk" URIs in the wild that can be
>> "beautified" by yourself - e.g.
>> ?search=some%XXshitty%XXquery%XXthere%XXis -> ?search=test
>>
>> kr
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
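As an added example (Python, written for this thread, not sqlmap's own code): it parses the duplicated-parameter URI shown above with the duplicates kept, contrasts that with the name-keyed view that silently collapses them (the data-model problem Miroslav describes), flags repeated names the way a request-log check would, and applies the collapse behaviours Steve and Miroslav allude to. The policy labels "first"/"last"/"concat" are my own; the test URL is constructed from the thread.

```python
# Added example, not sqlmap's code: a name-keyed model loses HTTP Parameter
# Pollution (HPP) duplicates; a defender can flag them from the raw URI.
from collections import Counter
from urllib.parse import parse_qsl, urlsplit


def parse_params(url):
    """Query string as an ordered list of (name, value) pairs, duplicates kept."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def dict_view(pairs):
    """One value per name, as a tool keyed on parameter names holds it:
    dict() keeps the last value, so an earlier duplicate disappears."""
    return dict(pairs)


def find_duplicates(pairs):
    """Map every repeated parameter name to all of its values, in order."""
    counts = Counter(name for name, _ in pairs)
    dups = {}
    for name, value in pairs:
        if counts[name] > 1:
            dups.setdefault(name, []).append(value)
    return dups


def resolve(pairs, policy):
    """Collapse duplicates the way backends are known to: 'first' keeps the
    first occurrence, 'last' the last (e.g. PHP), 'concat' joins with a comma
    (e.g. ASP.NET). A scanner assuming one policy misreads the others."""
    if policy not in ("first", "last", "concat"):
        raise ValueError("unknown policy: " + policy)
    out = {}
    for name, value in pairs:
        if name not in out or policy == "last":
            out[name] = value
        elif policy == "concat":
            out[name] += "," + value
    return out


def hpp_report(url):
    """Flag a URI with repeated parameter names and show each policy's view;
    a clean URI yields an empty 'duplicates'."""
    pairs = parse_params(url)
    return {
        "duplicates": find_duplicates(pairs),
        "name_keyed": dict_view(pairs),
        "resolved": {p: resolve(pairs, p) for p in ("first", "last", "concat")},
    }
```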