Re: [sqlmap-users] sqlmap parsing XML parameters in web services

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

p.s. example for such request file could be something like this:

POST /vuln.php HTTP/1.1
Accept-Encoding: identity
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.site.com
Accept-language: en-us,en;q=0.5
Pragma: no-cache
Cache-control: no-cache,no-store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: sqlmap/1.0-dev-a4f5c1d (http://sqlmap.org)
Connection: close

<xml><bla2 value="1*"/></xml>

On Fri, Jul 20, 2012 at 9:50 AM, Miroslav Stampar <
mir...@gm...> wrote:

> Hi.
>
> For such cases where sqlmap doesn't recognize parameters inside (we have a
> SOAP parameter parsing but we could probably review it) POST request you
> can freely use custom injection mark *.
>
> Also, please update to the latest commit as there was a related "patch"
> for your case (https://github.com/sqlmapproject/sqlmap/issues/108).
>
> Kind regards,
> Miroslav Stampar
>
> On Thu, Jul 19, 2012 at 6:46 PM, * * <pip...@gm...> wrote:
>
>> Is there a way to get sqlmap to recognize xml parameters inside an
>> intercepted SOAP request?  I have a POST request with parameters in xml
>> format inside a SOAP envelope I want to test.  Thanks!
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>

-- 
Miroslav Stampar
http://about.me/stamparm