Re: [sqlmap-users] Command line option for resuming sessions
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] Command line option for resuming sessions
|
From: Miroslav S. <mir...@gm...> - 2012-05-27 19:00:19
|
Hi Anton. ACK and put on TODO list. Kind regards, Miroslav Stampar On Sun, May 27, 2012 at 8:19 PM, Anton Sazonov <ant...@gm...>wrote: > Thanks for answering, Miroslav. > > I must haven't been clear enough in my previous post. What I mean is > that, say, you got a website under your purview, an example.com. > There's a vulnerable script at > http://www.example.com/example.php?id=1&id2=2 and "id" is vulnerable. > > Say, there's another SQLi in http://www.example.com/exampe2.asp". > > Basically, every time I need to --dbs, --columns or whatever, I have > to _type in exactly the same URL and parameters_ which are _already > stored in the log file_. What I'm proposing to do is to add an option > to specify a domain name and (optionally) select from a number of > available attacks and go from there. Something like ./sqlmap.py -D > example.com --dbs. > > Otherwise, we, the users, are forced to look up the logs in search of > the vulnerable script and its settings. > > That'd just make things so much simpler for further attacks against > the "victim" server. > > Thanks for your time and the work you put into this, > Anton Sazonov > > On Sun, May 27, 2012 at 6:58 PM, Miroslav Stampar > <mir...@gm...> wrote: > > Hi Anton. > > > > Maybe I am missing something: > > "I must be missing something, but shouldn't there be a command line > > switch to perform the exact same SQLi you did on your target machine" > > > > If you are referring to a normal session resumal then it's automatically > > being done. If you mean that you want to use information of SQLi from one > > target to another then there is no such option. > > > > If you need that first scenario then please tell which version do you > use? > > > > Kind regards, > > Miroslav Stampar > > > > On Sat, May 26, 2012 at 1:32 AM, Anton Sazonov <ant...@gm...> > > wrote: > >> > >> Hello there, > >> > >> I must be missing something, but shouldn't there be a command line > >> switch to perform the exact same SQLi you did on your target machine? > >> I do realize that the vulnerabilities are stored in > >> $SQLMAP/output/$HOSTNAME/log and are rather easy to replicate, if > >> frustrating. > >> > >> Wouldn't that be easier for the end-users to just add an option to > >> specify the already injected and confirmed server in the command line, > >> as in, for example, ./sqlmap.py -h example.com --dbs? > >> > >> Couldn't find it in the documentation for the life of me. Apologies if > >> it has already been brought up. > >> > >> Thanks, > >> Anton > >> > >> > >> > ------------------------------------------------------------------------------ > >> Live Security Virtual Conference > >> Exclusive live event will cover all the ways today's security and > >> threat landscape has changed and how IT managers can respond. > Discussions > >> will include endpoint security, mobile security and the latest in > malware > >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > >> _______________________________________________ > >> sqlmap-users mailing list > >> sql...@li... > >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > -- Miroslav Stampar http://about.me/stamparm |
