Re: [sqlmap-users] Feature Request - Select Specific Test
From: Miroslav S. <mir...@gm...> - 2012-06-13 22:42:34
Hi Yori.

"With that in mind it makes sense to be able to specify a test/payload combination that you have found and you know is working."

We already have two mechanisms for such a thing:

1) --prefix/--suffix where you can specify what the prefix and suffix of the SQL injection vector are (e.g. --prefix="'" --suffix="-- ")
2) --test-filter (hidden at the moment) where you can target a specific test by its name or payload (e.g. --test-filter="ROW" would trigger the MySQL error-based injection test based on the old ROW(..,..)>... technique)

Now, please, if you have something else on your mind, please tell us so we can discuss it and maybe find some other mechanism (if those 2 don't satisfy your needs).

Kind regards,
Miroslav Stampar

On Wed, Jun 13, 2012 at 10:19 PM, Yori Kvitchko <yo...@co...> wrote:

> Hey Everyone,
>
> New to the list but have been using sqlmap for a while now. I recently
> participated in a CTF with an interesting blind, filter bypass SQL
> injection. Lots of restrictions. I set a challenge for myself to solve
> it using sqlmap and managed to get it working with some effort. The
> changes I had to make to get it to work included modifications to
> queries.xml as well as specific arguments, but most of what I'm going to
> request here is about payloads.xml.
>
> In trying to solve the challenge, I realized I needed to make sqlmap
> laser focus on a single test. This was both for false negative
> reduction, number of queries sent, and time limit. I did this myself by
> removing every other test from payloads.xml but it brought to mind the
> idea of being able to specify a test via command line arguments. You can
> specify pretty much everything else on the command line, so the added
> granularity would be nice.
>
> My philosophy on SQL injection is that testing for it should be done
> manually, then once found, get a tool like sqlmap to work with it and
> perform all the time-consuming brute forcing work for you. With that in
> mind it makes sense to be able to specify a test/payload combination
> that you have found and you know is working.
>
> Thanks for your consideration. Excellent work on the tool.
>
> - Yori

--
Miroslav Stampar
http://about.me/stamparm