Re: [sqlmap-users] Feature Request - Select Specific Test
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] Feature Request - Select Specific Test
|
From: Miroslav S. <mir...@gm...> - 2012-06-14 13:51:20
|
Ok. Cool :) We'll most probably unhide that switch these days as it's a quite usable one Kind regards On Thu, Jun 14, 2012 at 3:49 PM, Yori Kvitchko < yo...@co...> wrote: > Miroslav, > > It looks like --test-filter is what I need. I don't need a custom suffix > and prefix, I just need to force sqlmap to use a specific test it already > has in its collection of payloads.xml and only that test. If I can use > test-filter to select exactly the test I need and sqlmap will only use that > one, then I think my needs are filled. > > Much appreciated. > > - Yori > > On 6/13/2012 6:42 PM, Miroslav Stampar wrote: > > Hi Yori. > > "With that in mind it makes sense to be able to specify a test/payload > combination that you have found and you know is working." > > We already have two mechanisms for such thing: > 1) --prefix/--suffix where you can specify what are the prefix and suffix > of SQL injection vector (e.g. --prefix="'" --suffix="-- " ) > 2) --test-filter (hidden this moment) where you can target a specific test > by it's name or payload (e.g. --test-filter="ROW" would trigger MySQL > error-based injection test based on old ROW(..,..)>... technique) > > Now, please, if you have something other on your mind please tell so we > could discuss and maybe find some other mechanism (if those 2 don't satisfy > your needs) > > Kind regards, > Miroslav Stampar > > On Wed, Jun 13, 2012 at 10:19 PM, Yori Kvitchko < > yo...@co...> wrote: > >> Hey Everyone, >> >> New to the list but have been using sqlmap for a while now. I recently >> participated in a CTF with an interesting blind, filter bypass sql >> injection. Lots of restrictions. I set a challenge for myself to solve >> it using sqlmap and managed to get it working with some effort. Of the >> changes I had to make to get it to work included modifications to >> queries.xml as well as specific arguments, but most of what I'm going to >> request here is about payloads.xml. >> >> In trying to solve the challenge, I realized I needed to make sqlmap >> laser focus on a single test. This was both for false negative >> reduction, number of queries sent, and time limit. I did this myself by >> removing every other test from payloads.xml but it brought to mind the >> idea of being able to specify a test via command line arguments. You can >> specify pretty much everything else on the command line, so the added >> granularity would be nice. >> >> My philosophy on sql injection is that testing for it should be done >> manually, then once found, get a tool like sqlmap to work with it and >> perform all the time consuming brute forcing work for you. With that in >> mind it makes sense to be able to specify a test/payload combination >> that you have found and you know is working. >> >> Thanks for your consideration. Excellent work on the tool. >> >> - Yori >> >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. Discussions >> will include endpoint security, mobile security and the latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> > > > > -- > Miroslav Stampar > http://about.me/stamparm > > > -- Miroslav Stampar http://about.me/stamparm |
