Re: [sqlmap-users] False positive "tainted" parameter?
From: Miroslav S. <mir...@gm...> - 2012-02-14 09:14:03
Hi.

Those parentheses inside are indeed looking like they are "tainting" the
parameter value. Nevertheless, they are a valid parameter value and hence
with the latest commit (r4745), you'll be presented with this kind of
message:

[10:10:46] [WARNING] it appears that you have provided tainted parameter
values ('id=1'') with most probably leftover chars from manual sql
injection tests (;()') or non-valid numerical value. Please, always use
only valid parameter values so sqlmap could be able to properly run
Are you sure you want to continue? [y/N]

where you'll be able to choose by yourself if you want to continue or not.

Kind regards,
Miroslav Stampar

On Mon, Feb 13, 2012 at 5:15 PM, garthoid <gar...@gm...> wrote:
> Hi,
>
> I am encountering this message since my last update of Sqlmap. Version
> 0.9 does not encounter this problem with the same request.
>
> [10:56:28] [INFO] parsing HTTP request from './dump/save.txt'
> [10:56:28] [CRITICAL] you have provided tainted parameter values
> ('amp;icon=stuff.gif</thumbnail><someItem><item id="gate"
> value="/something.cgi"/><item id="report" value="stID(') with most
> probably leftover chars from manual sql injection tests (;()') or
> non-valid numerical value. Please, always use only valid parameter
> values so sqlmap could be able to properly run
>
> Here is the fragment that it is complaining about:
>
> &deficon=stuff.gif</thumbnail><someItem><item id="gate"
> value="/something.cgi"/><item id="report"
> value="stID("iC15DBE0F9A7E4F3E86EE5DA47D5A31DC")"/>
>
> Here is the version I am running:
>
> sqlmap/1.0-dev (r4744)
>
> The original request was captured with Burp. It was a clean test with
> no injection or other manipulation happening at that time.
>
> Thoughts?
>
> Thanks in advance,
> Garth

--
Miroslav Stampar
http://about.me/stamparm
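To make the heuristic in Miroslav's reply concrete, here is an added example (my own code, not sqlmap's, and not part of the original thread) that re-implements the "tainted parameter" check in Python as the warning text describes it: a value is flagged when it contains any of the leftover characters ;()' or when it begins with a digit but is not a plain number. The sample query strings are constructed from the two values quoted above; the names is_tainted, find_tainted and verdict are my own, not sqlmap functions.

```python
"""Hypothetical re-implementation of the "tainted parameter" heuristic
described in the thread (added example, not sqlmap's own code)."""
import re
from urllib.parse import parse_qsl, urlencode

# Characters the warning text names as probable leftovers of manual
# SQL injection tests: ;()'
LEFTOVER_CHARS = frozenset(";()'")

# A plain integer or decimal. Anything that starts with a digit but
# does not match this (e.g. "1'" or "1 AND 1=1") is treated as the
# "non-valid numerical value" case from the warning.
PLAIN_NUMBER = re.compile(r"^\d+(\.\d+)?$")


def is_tainted(value: str) -> bool:
    """Return True when a single parameter value trips the heuristic."""
    if any(ch in LEFTOVER_CHARS for ch in value):
        return True
    return value[:1].isdigit() and PLAIN_NUMBER.match(value) is None


def find_tainted(query: str) -> list:
    """Return [(name, value), ...] for every parameter in a URL-encoded
    query string that is_tainted() flags. Blank values are kept so that
    'id=' is inspected too."""
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if is_tainted(value)]


def verdict(query: str, prompt_on_taint: bool) -> str:
    """Mimic the two behaviours discussed in the thread: before r4745 the
    check was fatal (CRITICAL); from r4745 on it is a WARNING followed by
    a y/N prompt. Returns 'clean', 'CRITICAL' or 'WARNING'."""
    if not find_tainted(query):
        return "clean"
    return "WARNING" if prompt_on_taint else "CRITICAL"


# Constructed samples based on the two values quoted in the thread.
XML_IN_VALUE = ('stuff.gif</thumbnail><someItem><item id="gate" '
                'value="/something.cgi"/><item id="report" '
                'value="stID("iC15DBE0F9A7E4F3E86EE5DA47D5A31DC")"/>')

SAMPLES = {
    "clean": urlencode({"id": "1", "name": "garth"}),
    "leftover_quote": urlencode({"id": "1'"}),  # the id=1' case from the reply
    "xml_in_value": urlencode({"deficon": XML_IN_VALUE}),
}

if __name__ == "__main__":
    for label, query in SAMPLES.items():
        print(f"{label}: {verdict(query, prompt_on_taint=True)}")
        for name, value in find_tainted(query):
            print(f"  {name} -> {value[:40]!r}")
```

Running it shows the deficon value flagged purely because of the parentheses in stID(...), even though nothing in the request is an injection attempt: that is the false positive the thread is about, and the reason the check was changed from a fatal error into a prompt.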