[sqlmap-users] injectable parameter name can't be addressed
From: Stiefenhofer, M. <M.S...@r-...> - 2011-07-21 09:30:59
Hi all,

we've found one rather common webapp that has SQLi "by design". Example URL:

http://hostname/query?param1=value1&where=[FILTER]

My problem is that sqlmap doesn't identify the "where" as a parameter as long as its value contains an equal-char, e.g. "where=column%3D[Integer]". But "where=column is not null" is working. I guess the reason is how sqlmap parses the URL and builds value/param pairs.

Is there some sort of workaround for this issue?

-marek
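Added example (not part of the original post and not sqlmap's code): a sketch of the kind of parsing behaviour the poster guesses at. `naive_pairs` is a hypothetical parser that percent-decodes the query string before splitting and so drops `where` when its value holds an encoded `=`; `robust_pairs` splits first and decodes last. The integer `1` in the sample is constructed.

```python
from urllib.parse import parse_qsl, unquote

# Constructed samples in the shape of the URL from the post.
ENCODED_EQUALS = "param1=value1&where=column%3D1"
NO_EQUALS = "param1=value1&where=column%20is%20not%20null"


def naive_pairs(query):
    """Hypothetical buggy parser: decode first, then expect exactly one '='."""
    pairs = {}
    for chunk in unquote(query).split("&"):
        parts = chunk.split("=")
        # 'where=column=1' splits into three parts and is silently dropped.
        if len(parts) == 2:
            pairs[parts[0]] = parts[1]
    return pairs


def robust_pairs(query):
    """Split on '&', then on the first '=' only, and decode each side last."""
    pairs = {}
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs[unquote(name)] = unquote(value)
    return pairs


def stdlib_pairs(query):
    """Python's standard-library parser, which follows the same order."""
    return dict(parse_qsl(query, keep_blank_values=True))


if __name__ == "__main__":
    for q in (ENCODED_EQUALS, NO_EQUALS):
        print(q)
        print("  naive :", naive_pairs(q))
        print("  robust:", robust_pairs(q))
```

With the naive parser the `where` parameter is lost only when its value contains an equals sign, which matches the symptom described; whether sqlmap's parser at the time behaved this way is the poster's guess, not something this example confirms.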