Re: [sqlmap-users] Feature Request - Select Specific Test
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] Feature Request - Select Specific Test
|
From: Miroslav S. <mir...@gm...> - 2012-06-14 14:16:44
|
Find it unhidden with the latest r5123. Kind regards On Thu, Jun 14, 2012 at 3:51 PM, Miroslav Stampar < mir...@gm...> wrote: > Ok. Cool :) > > We'll most probably unhide that switch these days as it's a quite usable > one > > Kind regards > > > On Thu, Jun 14, 2012 at 3:49 PM, Yori Kvitchko < > yo...@co...> wrote: > >> Miroslav, >> >> It looks like --test-filter is what I need. I don't need a custom suffix >> and prefix, I just need to force sqlmap to use a specific test it already >> has in its collection of payloads.xml and only that test. If I can use >> test-filter to select exactly the test I need and sqlmap will only use that >> one, then I think my needs are filled. >> >> Much appreciated. >> >> - Yori >> >> On 6/13/2012 6:42 PM, Miroslav Stampar wrote: >> >> Hi Yori. >> >> "With that in mind it makes sense to be able to specify a test/payload >> combination that you have found and you know is working." >> >> We already have two mechanisms for such thing: >> 1) --prefix/--suffix where you can specify what are the prefix and suffix >> of SQL injection vector (e.g. --prefix="'" --suffix="-- " ) >> 2) --test-filter (hidden this moment) where you can target a specific >> test by it's name or payload (e.g. --test-filter="ROW" would trigger MySQL >> error-based injection test based on old ROW(..,..)>... technique) >> >> Now, please, if you have something other on your mind please tell so we >> could discuss and maybe find some other mechanism (if those 2 don't satisfy >> your needs) >> >> Kind regards, >> Miroslav Stampar >> >> On Wed, Jun 13, 2012 at 10:19 PM, Yori Kvitchko < >> yo...@co...> wrote: >> >>> Hey Everyone, >>> >>> New to the list but have been using sqlmap for a while now. I recently >>> participated in a CTF with an interesting blind, filter bypass sql >>> injection. Lots of restrictions. I set a challenge for myself to solve >>> it using sqlmap and managed to get it working with some effort. Of the >>> changes I had to make to get it to work included modifications to >>> queries.xml as well as specific arguments, but most of what I'm going to >>> request here is about payloads.xml. >>> >>> In trying to solve the challenge, I realized I needed to make sqlmap >>> laser focus on a single test. This was both for false negative >>> reduction, number of queries sent, and time limit. I did this myself by >>> removing every other test from payloads.xml but it brought to mind the >>> idea of being able to specify a test via command line arguments. You can >>> specify pretty much everything else on the command line, so the added >>> granularity would be nice. >>> >>> My philosophy on sql injection is that testing for it should be done >>> manually, then once found, get a tool like sqlmap to work with it and >>> perform all the time consuming brute forcing work for you. With that in >>> mind it makes sense to be able to specify a test/payload combination >>> that you have found and you know is working. >>> >>> Thanks for your consideration. Excellent work on the tool. >>> >>> - Yori >>> >>> >>> ------------------------------------------------------------------------------ >>> Live Security Virtual Conference >>> Exclusive live event will cover all the ways today's security and >>> threat landscape has changed and how IT managers can respond. Discussions >>> will include endpoint security, mobile security and the latest in malware >>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> >> >> > > > -- > Miroslav Stampar > http://about.me/stamparm > -- Miroslav Stampar http://about.me/stamparm |
