Re: [sqlmap-users] injectable parameter name can't be addressed
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-21 09:37:40
Hi,

Please, try to append an asterisk, *, to the parameter value you want to inject into. However, url-encoding the equal character in the parameter value should not cause a problem. As it seems that it does, we will track down the bug and fix accordingly.

Thanks for reporting.

Bernardo

On 21 July 2011 10:30, Stiefenhofer, Marek <M.S...@r-...> wrote:
> Hi all,
>
> we've found one rather common webapp that has SQLi "by design".
> Example URL: http://hostname/query?param1=value1&where=[FILTER]
>
> My problem is that sqlmap doesn't identify the "where" as parameter as
> long as its value contains an equal-char, e.g.
> "where=column%3D[Integer]". But "where=column is not null" is working.
> I guess the reason is how sqlmap parses the URL and builds value/param
> pairs.
>
> Is there some sort of workaround for this issue?
>
> -marek

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
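The two things discussed in the thread, a query-string parser that mishandles an equal sign inside a parameter value and the asterisk appended to a value as an explicit injection mark, can be shown side by side. The following is an added example written for this page; it is not sqlmap's code, and the thread does not say what the actual bug in sqlmap was. The functions `parse_query_naive`, `parse_query` and `injectable_params` are names chosen for this illustration; the naive variant reproduces one plausible cause of the symptom Marek describes (decoding the whole query string before splitting it on `=`), and the corrected variant splits each pair on the first `=` only and decodes afterwards, so `%3D` in a value survives.

```python
"""Added illustration (not sqlmap's own code) of a query-string parser that
loses a parameter whose value contains '=', and of a corrected parser that
also recognises a trailing '*' as a "inject here" mark on a value."""
from urllib.parse import unquote_plus

# Assumed convention for this example: a value ending in '*' is the one to test.
INJECTION_MARK = "*"


def parse_query_naive(query):
    """Plausible buggy parser: decode first, then split every pair on '='.

    After decoding, "where=column%3D1" becomes "where=column=1", which splits
    into three pieces and is silently dropped, so 'where' is never seen as a
    parameter. This mirrors the symptom in the thread, not sqlmap's real code.
    """
    decoded = unquote_plus(query)
    pairs = {}
    for part in decoded.split("&"):
        pieces = part.split("=")
        if len(pieces) == 2:
            pairs[pieces[0]] = pieces[1]
    return pairs


def parse_query(query):
    """Corrected parser: split each pair on the FIRST '=' only, then decode.

    Any further '=' in the value, raw or encoded as %3D, stays in the value.
    Returns a list of (name, value) tuples in order of appearance.
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value) if sep else ""))
    return pairs


def injectable_params(pairs):
    """Select parameters whose value carries the injection mark.

    Returns (name, value_without_mark) for each marked parameter, which is the
    value the scanner would then append its payloads to.
    """
    marked = []
    for name, value in pairs:
        if value.endswith(INJECTION_MARK):
            marked.append((name, value[: -len(INJECTION_MARK)]))
    return marked


if __name__ == "__main__":
    # Constructed query strings modelled on the URL in the thread.
    q = "param1=value1&where=column%3D1"
    print("naive   :", parse_query_naive(q))   # 'where' is lost
    print("correct :", parse_query(q))         # 'where' keeps 'column=1'
    print("marked  :", injectable_params(parse_query(q + "*")))
```

The practitioner's check here is the obvious one: feed the tool a value containing `%3D` and confirm the parameter still shows up in its list of testable parameters; if it does not, marking the value with `*` sidesteps the parameter discovery step entirely, which is the workaround Bernardo suggests.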