Re: [sqlmap-users] injectable parameter name can't be addressed
Brought to you by:
inquisb
From: Bernardo D. A. G. <ber...@gm...> - 2011-07-21 10:40:48
Marek,

This should be dealt with now, please svn update and retry.

Bernardo

On 21 July 2011 10:37, Bernardo Damele A. G. <ber...@gm...> wrote:
> Hi,
>
> Please, try to append an asterisk, *, to the parameter value you want
> to inject to.
> However, url-encoding the equal character in the parameter value
> should not cause a problem. As it seems that it does, we will track
> down the bug and fix accordingly. Thanks for reporting.
>
> Bernardo
>
>
> On 21 July 2011 10:30, Stiefenhofer, Marek <M.S...@r-...> wrote:
>> Hi all,
>>
>> we've found one rather common webapp that has SQLi "by design".
>> Example URL: http://hostname/query?param1=value1&where=[FILTER]
>>
>> My problem is that sqlmap doesn't identify the "where" as a parameter as
>> long as its value contains an equal-char, e.g.
>> "where=column%3D[Integer]". But "where=column is not null" is working.
>> I guess the reason is how sqlmap parses the URL and builds value/param
>> pairs.
>>
>> Is there some sort of workaround for this issue?
>>
>> -marek
>
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
> PGP Key ID: Unavailable

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
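As an added illustration (not sqlmap's own code), here is a query-string parser with the behaviour Marek describes, next to one that keeps the whole value by splitting on the first equals sign only. The function names are hypothetical and the sample query strings are constructed from the example URL in the thread.

```python
# Added example: why a parameter whose value contains an (encoded) '='
# can vanish from a query-string parser, and how to parse it correctly.
# Hypothetical helper names; not sqlmap's implementation.
from urllib.parse import unquote


def parse_query_naive(query: str) -> dict:
    """Decodes each pair first, then splits on every '=' and discards
    pairs that do not yield exactly two pieces. 'where=column%3D1'
    decodes to 'where=column=1', splits into three pieces and is
    silently dropped, while 'where=column%20is%20not%20null' survives."""
    params = {}
    for pair in query.split("&"):
        parts = unquote(pair).split("=")
        if len(parts) != 2:
            continue  # a value containing '=' is lost here
        params[parts[0]] = parts[1]
    return params


def parse_query_robust(query: str) -> dict:
    """Splits on the first '=' only, and decodes name and value
    separately, so an '=' inside the value is preserved."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        params[unquote(name)] = unquote(value) if sep else ""
    return params


def dropped_parameters(query: str) -> list:
    """Parameter names the robust parser sees but the naive one loses,
    i.e. parameters a tool built on the naive parser would never test."""
    naive = parse_query_naive(query)
    return [name for name in parse_query_robust(query) if name not in naive]


if __name__ == "__main__":
    # Constructed query string modelled on the thread's example URL.
    sample = "param1=value1&where=column%3D%5BInteger%5D"
    print("naive :", parse_query_naive(sample))
    print("robust:", parse_query_robust(sample))
    print("lost  :", dropped_parameters(sample))
```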