Re: [sqlmap-users] %26 as part of a POST parameter name on MS Windows
From: Miroslav S. <mir...@gm...> - 2011-11-21 21:20:48
Hi Brandon.

It's a bit complicated. That %26 coincidentally decoded to the default delimiter value '&' so that probably caused problems in your case with sqlmap.

Please update to the latest revision and try it again.

Kind regards,
Miroslav Stampar

On Mon, Nov 21, 2011 at 8:45 PM, Brandon Perry <bpe...@gm...> wrote:
> You may also grab a copy of the free edition of BurpSuite, record the
> POST response, and save that to a file.
>
> Then use the -r flag and pass the burp response to sqlmap. Will be
> easier to work with.
>
> On Mon, Nov 21, 2011 at 1:44 PM, Brandon Perry
> <bpe...@gm...> wrote:
> > I would say just use a virtual machine. Grab a copy of backtrack,
> > update sqlmap, and start from there.
> >
> > VirtualBox is a free, open source virtualization suite that runs on
> > windows. You will have a much better time interacting with sqlmap.
> >
> > On Mon, Nov 21, 2011 at 1:39 PM, Iago Sousa <146...@gm...> wrote:
> >> What is the fld?
> >>
> >> On Mon, Nov 21, 2011 at 10:30 AM, Bob Simonoff <bo...@si...>
> >> wrote:
> >>>
> >>> I have been asked to test a web site for SQL injection. The website uses
> >>> POST and the parameter names all have the 3 characters %26 (percent 26) as a
> >>> separator. This makes things difficult, since I am running sqlmap from
> >>> windows. First windows is trying to substitute %2 as the second argument of
> >>> the command line, but python is also at play here. I have not found an
> >>> escape sequence that allows both windows and python to be happy. I have
> >>> tried various combinations of ^, \, and %% to no avail.
> >>>
> >>> So an example of post data would be:
> >>> --data="fld%26First=Bob&fld%26Last=Jones"
> >>>
> >>> Can anyone provide a recommendation?
> >>>
> >>> Thanks
> >>> Bob
> >>>
> >>> Apologies if this appears twice, I had trouble with my subscription
> >>>
> >>> _______________________________________________
> >>> sqlmap-users mailing list
> >>> sql...@li...
> >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >>
> >> --
> >> Iago Sousa
> >
> > --
> > http://volatile-minds.blogspot.com -- blog
> > http://www.volatileminds.net -- website
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
Miroslav Stampar
http://about.me/stamparm
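
The delimiter collision described in the reply, as an added example that is not part of the original message and is not sqlmap's own code: URL-decoding a POST body before splitting it on '&' breaks parameter names that contain %26, while splitting first and decoding afterwards keeps them intact. The function names are hypothetical; the sample body is the one quoted in the thread.

```python
from urllib.parse import quote, unquote

DELIMITER = "&"  # the default parameter delimiter referred to in the reply


def _pairs(chunks):
    """Turn 'name=value' chunks into (name, value) tuples; value is None if no '='."""
    pairs = []
    for chunk in chunks:
        name, sep, value = chunk.partition("=")
        pairs.append((name, value if sep else None))
    return pairs


def split_after_decoding(body, delimiter=DELIMITER):
    """Faulty order: URL-decode the whole body, then split on the delimiter."""
    return _pairs(unquote(body).split(delimiter))


def split_before_decoding(body, delimiter=DELIMITER):
    """Safe order: split the raw body first, then decode each name and value."""
    return [(unquote(n), None if v is None else unquote(v))
            for n, v in _pairs(body.split(delimiter))]


def encode_body(pairs, delimiter=DELIMITER):
    """Re-serialise pairs, percent-encoding every reserved character."""
    return delimiter.join(
        quote(n, safe="") if v is None else f"{quote(n, safe='')}={quote(v, safe='')}"
        for n, v in pairs)


if __name__ == "__main__":
    body = "fld%26First=Bob&fld%26Last=Jones"  # POST data quoted in the thread
    print(split_after_decoding(body))   # four fragments, names destroyed
    print(split_before_decoding(body))  # two parameters, names intact
    print(encode_body(split_before_decoding(body)))  # round-trips to the input
```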