Re: [sqlmap-users] An incorrectly identified "tainted" parameter
From: Bob S. <bo...@si...> - 2011-12-11 13:35:27
The developer uses -1 to say no menu should be shown; other values have specific meaning. The suggestion to use %2d for the - sign seems to have worked. I just found another such case for the _ character as part of a parameter name.

I am a little surprised that it is assumed more likely that a person captured the requests while doing manual injection testing than that the application uses - and _ symbols in their application. I guess using them is a bit of a security measure :-)

SQLMap sure is a great tool and amazingly thorough. I am also pretty impressed with the documentation; it is well written and covers most of what a beginner would want to know. I appreciate it.

Thanks!
Bob

----- Original Message -----
From: Miroslav Stampar
To: Bob Simonoff
Cc: sql...@li...
Sent: Sunday, December 11, 2011 3:37 AM
Subject: Re: [sqlmap-users] An incorrectly identified "tainted" parameter

Hi.

Thing is that in general negative parameter values are a leftover from manual injection attempts, causing problems in some cases. Hence the warning/error message.

Have you tried just to change that -1 value to 1 for the ShowMenu parameter?

Kind regards

On Dec 10, 2011 3:23 PM, "Bob Simonoff" <bo...@si...> wrote:

I received this message:

[23:28:33] [CRITICAL] you have provided tainted parameter values (ncmb%26ShowMenu=-1) with most probably leftover chars from manual sql injection tests (;()') or non-valid numerical value. Please, always use only valid parameter values so sqlmap could be able to do a valid run.

Here is a portion of the POSTed data that surrounds this parameter:

fhdn%260=&fhdn%26=&ncmb%26ShowMenu=-1&fhdn%26isYahooGobutton=N

The parameters were captured directly using burpsuite while I was running the UI. I was performing no injection testing when this was captured. I looked for each of the listed parameters in the posted data and they do not appear. (Note there are more parameters, but I would rather send those privately if possible.)

I am running a recent svn extract of the dev stream (1.0).

Thanks
Bob

_______________________________________________
sqlmap-users mailing list
sql...@li...
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
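The thread turns on two details worth seeing in code: the "tainted parameter" warning is a heuristic applied to the raw, still percent-encoded request body, and that is exactly why writing the minus sign as %2d makes the warning go away while the application still receives -1 after decoding. The script below is an added illustration, not sqlmap's own code and not a copy of its actual check; the rules it applies (the leftover characters ;()' quoted in the warning, plus negative integers as Miroslav describes) are an assumption that mirrors the messages above, and the sample POST body is the fragment Bob posted, used here as constructed test data. It also shows why the body must be split on & before any decoding, since parameter names such as ncmb%26ShowMenu contain an encoded ampersand.

```python
import re
from urllib.parse import unquote

# Constructed sample: the POST fragment quoted in the thread.
SAMPLE_BODY = "fhdn%260=&fhdn%26=&ncmb%26ShowMenu=-1&fhdn%26isYahooGobutton=N"

# Hypothetical re-implementation of the heuristic described by the warning.
# This is NOT sqlmap's code; it only models the rules the messages mention:
# leftover manual-injection characters, or a negative integer value.
LEFTOVER_CHARS = re.compile(r"[;()']")
NEGATIVE_INT = re.compile(r"^-\d+$")


def split_body(body):
    """Split a form body on '&' and '=' WITHOUT percent-decoding first.

    Decoding before splitting would turn the '%26' inside a name such as
    'ncmb%26ShowMenu' into a real '&' and break the parameter apart.
    """
    pairs = []
    for part in body.split("&"):
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def is_tainted(raw_value):
    """True when the raw (undecoded) value would trip the modelled heuristic."""
    if LEFTOVER_CHARS.search(raw_value):
        return True
    if NEGATIVE_INT.match(raw_value):
        return True
    return False


def tainted_parameters(body):
    """Names of parameters whose raw value the heuristic would flag."""
    return [name for name, value in split_body(body) if is_tainted(value)]


def encode_minus(body):
    """Apply the workaround from the thread: percent-encode '-' as '%2d'.

    The raw value no longer looks like a negative number to the heuristic,
    but a server that percent-decodes the body still receives '-1'.
    """
    return "&".join(
        f"{name}={value.replace('-', '%2d')}" for name, value in split_body(body)
    )


def decoded_value(body, name):
    """What the application sees for `name` after percent-decoding the value."""
    for n, v in split_body(body):
        if n == name:
            return unquote(v)
    return None


if __name__ == "__main__":
    print("flagged as-is:   ", tainted_parameters(SAMPLE_BODY))
    encoded = encode_minus(SAMPLE_BODY)
    print("after %2d:       ", encoded)
    print("flagged after:   ", tainted_parameters(encoded))
    print("server still sees", decoded_value(encoded, "ncmb%26ShowMenu"))
```

The trade-off the thread hints at also shows up here: a value like 1' is still (rightly) flagged, but any legitimate negative value has to be disguised to get past a check that never looks at the decoded form.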