Re: [sqlmap-users] %26 as part of a POST parameter name on MSWindows
From: Bob S. <bo...@si...> - 2011-11-22 03:55:14
Miroslav, thanks, that is exactly the problem. Unfortunately, when I download the latest version, svn exits on me when my virus checker complains about one of the exe files it determined was a virus. I will have to learn svn to see if I can have it download everything but that file.

I am using burpsuite as a proxy. I guess I could copy/paste everything into a response file, but as Miroslav says, that would give the same result (but would be much easier). So thanks, I may have to play with that. Burpsuite unfortunately does have logging with the free version anymore.

Thanks everyone else too. I will try those if I can not get the latest version working.

Bob

----- Original Message -----
From: Miroslav Stampar
To: Brandon Perry
Cc: sql...@li...
Sent: Monday, November 21, 2011 4:20 PM
Subject: Re: [sqlmap-users] %26 as part of a POST parameter name on MSWindows

Hi Brandon.

It's a bit complicated. That %26 coincidentally decoded to the default delimiter value '&' so that probably caused problems in your case with sqlmap. Please update to the latest revision and try it again.

Kind regards,
Miroslav Stampar

On Mon, Nov 21, 2011 at 8:45 PM, Brandon Perry <bpe...@gm...> wrote:

You may also grab a copy of the free edition of BurpSuite, record the POST response, and save that to a file. Then use the -r flag and pass the burp response to sqlmap.

Will be easier to work with.

On Mon, Nov 21, 2011 at 1:44 PM, Brandon Perry <bpe...@gm...> wrote:
> I would say just use a virtual machine. Grab a copy of backtrack,
> update sqlmap, and start from there.
>
> VirtualBox is a free, open source virtualization suite that runs on
> windows. You will have a much better time interacting with sqlmap.
>
> On Mon, Nov 21, 2011 at 1:39 PM, Iago Sousa <146...@gm...> wrote:
>> What is the fld?
>>
>> On Mon, Nov 21, 2011 at 10:30 AM, Bob Simonoff <bo...@si...>
>> wrote:
>>>
>>> I have been asked to test a web site for SQL injection. The website uses
>>> POST and the parameter names all have the 3 characters %26 (percent 26) as a
>>> separator. This makes things difficult, since I am running sqlmap from
>>> windows. First windows is trying to substitute %2 as the second argument of
>>> the command line, but python is also at play here. I have not found an
>>> escape sequence that allows both windows and python to be happy. I have
>>> tried various combinations of ^, \, and %% to no avail.
>>>
>>> So an example of post data would be:
>>> --data="fld%26First=Bob&fld%26Last=Jones"
>>>
>>> Can anyone provide a recommendation?
>>>
>>> Thanks
>>> Bob
>>>
>>> Apologies if this appears twice, I had trouble with my subscription
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Iago Sousa
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

--
Miroslav Stampar
http://about.me/stamparm
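
The parsing-order problem Miroslav describes (the %26 decoding to the default delimiter '&'), shown as an added example that is not part of the original thread and is not sqlmap's own code. The function names are hypothetical; the POST body is the one quoted in the thread.

```python
from urllib.parse import quote, unquote

# POST body from the thread: parameter names contain an encoded '&' (%26).
BODY = "fld%26First=Bob&fld%26Last=Jones"


def decode_then_split(body, delimiter="&"):
    """Wrong order: URL-decode the whole body, then split on the delimiter.

    %26 turns into '&' before the split, so every name is cut in two.
    """
    pairs = []
    for chunk in unquote(body).split(delimiter):
        name, _, value = chunk.partition("=")
        pairs.append((name, value))
    return pairs


def split_then_decode(body, delimiter="&"):
    """Right order: split on the raw delimiter, then decode each piece."""
    pairs = []
    for chunk in body.split(delimiter):
        name, _, value = chunk.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def reencode(pairs, delimiter="&"):
    """Rebuild the body, percent-encoding each name and value on its own
    so a '&' inside a name goes back on the wire as %26."""
    return delimiter.join(
        f"{quote(name, safe='')}={quote(value, safe='')}" for name, value in pairs
    )


if __name__ == "__main__":
    print("decode, then split:", decode_then_split(BODY))
    print("split, then decode:", split_then_decode(BODY))
    print("round trip:        ", reencode(split_then_decode(BODY)))
```

Any tool that replays or rewrites a captured request needs the second order, otherwise the body it sends no longer matches the one the application expects.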