Re: [sqlmap-users] injection into cookies
From: Robin W. <ro...@di...> - 2011-08-02 17:54:25
On 2 August 2011 18:30, Miroslav Stampar <mir...@gm...> wrote:
> hi Robin
>
> you'll need to give a valid Cookie with
> --cookie="....&ASP.NET_SessionId=1FA...&..." and use -p
> "ASP.NET_SessionId"
>
> thing is that when level < 4 we ignore session-like parameters in
> default cases. so, either you can use explicit -p "ASP.NET_SessionId"
> or you can use --level=4. in your case i would suggest usage of -p.
>
> kr

Thanks, I'll give that a try.

Robin

> On Tue, Aug 2, 2011 at 2:41 PM, Robin Wood <ro...@di...> wrote:
>> Hi
>> I've got an application that is vulnerable to SQLi in one of two
>> cookie parameters. The one that is injectable is the ASP.NET_SessionId
>> which has to start with a valid session id but then if given an extra
>> ' on the end it fails and dumps out a nice SQL error.
>>
>> So what I need to do is to tell sqlmap to inject onto the end of the
>> one cookie but leave the other intact. Is this possible?
>>
>> Robin
>
> --
> Miroslav Stampar (@stamparm)
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B