Re: [sqlmap-users] Injection in Host: header
From: A C <ani...@ya...> - 2011-12-18 16:49:44
I might be able to take a stab at hacking something up - where would I attempt to add this functionality?

--Anindya

________________________________
From: Miroslav Stampar <mir...@gm...>
To: A C <ani...@ya...>
Cc: "sql...@li..." <sql...@li...>
Sent: Wednesday, December 14, 2011 11:03 AM
Subject: Re: [sqlmap-users] Injection in Host: header

Hi.

At this moment there isn't support for the Host header. I won't promise anything but maybe it will be implemented these days.

Kind regards

On Mon, Dec 12, 2011 at 11:26 PM, A C <ani...@ya...> wrote:

> Hi sqlmap users,
>
> I've successfully used sqlmap to do wonderful things through parameters of web applications but I've recently come across an app which seems to have a possible injection flaw in the Host: header field. In other words, if I put a single quote (or other SQL) in the Host: header with my normal HTTP request, I will get back a MySQL error similar to the following:
>
> Error: <br />1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY pag_gr desc, pag_cat desc, pag_ide desc, sit_typ desc' at line 1
>
> I can't seem to find a way to use sqlmap to perform its normal magic - is there a way to do this?
>
> Thanks!
> --Anindya

--
Miroslav Stampar
http://about.me/stamparm
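
The following is an added example, not part of the thread and not sqlmap or application code. It shows why a quote in the Host: header can surface as a SQL syntax error like the one quoted above, next to a hardened lookup. The schema, host names and function names are hypothetical, and Python's sqlite3 stands in for the MySQL back end.

```python
import re
import sqlite3

# Constructed schema and rows; table and column names are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (host TEXT, title TEXT, rank INTEGER)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                   [("www.example.test", "Home", 2), ("www.example.test", "About", 1)])
    return db

def pages_vulnerable(db, host_header):
    # Host header concatenated into the statement: a quote changes the SQL itself.
    sql = "SELECT title FROM pages WHERE host = '" + host_header + "' ORDER BY rank DESC"
    return [r[0] for r in db.execute(sql)]

HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?(:\d{1,5})?")
ALLOWED_HOSTS = {"www.example.test"}  # constructed allowlist of served names

def pages_hardened(db, host_header):
    # 1) Reject anything that is not a well-formed, expected host name.
    if not HOST_RE.fullmatch(host_header):
        raise ValueError("malformed Host header")
    host = host_header.split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("unexpected Host header")
    # 2) Bind the value as a parameter so it is never parsed as SQL.
    sql = "SELECT title FROM pages WHERE host = ? ORDER BY rank DESC"
    return [r[0] for r in db.execute(sql, (host,))]

def check(host_header):
    """Return (vulnerable outcome, hardened outcome) for one Host value."""
    db = make_db()
    out = []
    for fn in (pages_vulnerable, pages_hardened):
        try:
            out.append(("rows", fn(db, host_header)))
        except sqlite3.Error as e:   # syntax error reaches the database layer
            out.append(("sql-error", str(e)))
        except ValueError as e:      # stopped before any SQL is built
            out.append(("rejected", str(e)))
    return tuple(out)

if __name__ == "__main__":
    for h in ("www.example.test", "www.example.test'"):
        print(repr(h), check(h))
```

A database syntax error that appears only when the Host value contains a quote, as in the first outcome, is also a useful signal to alert on in application logs.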