Re: [sqlmap-users] tag FORM not supported
From: Miroslav S. <mir...@gm...> - 2012-08-09 11:48:53
Hi.

This is solely coming from a 3rd party library ClientForm [1] and we don't like to change anything inside those. Nevertheless, find it "patched" with the latest commit [2].

Kind regards,
Miroslav Stampar

[1] http://pypi.python.org/pypi/ClientForm/0.2.10
[2] https://github.com/sqlmapproject/sqlmap/issues/143

On Thu, Aug 9, 2012 at 12:42 PM, Chris Oakley <chr...@gm...> wrote:

> Even though it's wrong to use GET with this enctype, I think it will still
> work:
>
> http://oi49.tinypic.com/2yn2r9w.jpg
>
> So if this is interacting with a database, there could still be an
> injection. Perhaps the check that sqlmap does is too simplistic?
>
> Regards
>
> Chris
>
> On 9 August 2012 11:23, Marco Mirandola <mm...@gm...> wrote:
>
>> But rather than check enctype = "multipart / form-data", which in my case
>> does not include any upload (see attached html), because not only excludes
>> only the possible upload?
>> we are in the attached example:
>>
>> 2 select (combobox)
>> 3 checkboxes
>>
>> both valid for the injection ...

--
Miroslav Stampar
http://about.me/stamparm
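The point raised in the thread about GET forms that declare `multipart/form-data`, as an added example (not code from sqlmap, ClientForm or the posters): a form inventory that keeps such forms instead of rejecting them, because for GET the HTML submission rules ignore the declared enctype and URL-encode the fields into the query string. The sample HTML is constructed to mirror the described attachment (2 selects, 3 checkboxes); every name and value in it is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode
URLENCODED = "application/x-www-form-urlencoded"
# Constructed sample (assumption): GET form declaring multipart/form-data, no upload.
SAMPLE_HTML = """<form action="/search" method="get" enctype="multipart/form-data">
<select name="region"><option value="eu">EU</option><option value="us" selected>US</option></select>
<select name="year"><option value="2012">2012</option></select> <input type="checkbox" name="a" value="1" checked>
<input type="checkbox" name="b" value="1"> <input type="checkbox" name="c" value="1" checked></form>"""

class FormInventory(HTMLParser):
    """Collect method, declared enctype and named controls of every form."""
    def __init__(self):
        super().__init__()
        self.forms, self._select = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "controls": [],
                               "method": (a.get("method") or "get").lower(),
                               "declared": (a.get("enctype") or URLENCODED).lower()})
        elif not self.forms:
            return  # control outside any form
        elif tag == "select" and a.get("name"):
            self._select = [a["name"], None]
        elif tag == "option" and self._select:
            # First option is the default unless a later one is marked selected.
            if self._select[1] is None or "selected" in a:
                self._select[1] = a.get("value") or ""
        elif tag == "input" and a.get("name"):
            toggle = (a.get("type") or "text").lower() in ("checkbox", "radio")
            value = a.get("value") or ("on" if toggle else "")
            # Unchecked toggles are not sent by default but are still parameters.
            self.forms[-1]["controls"].append((a["name"], value, not toggle or "checked" in a))
    def handle_endtag(self, tag):
        if tag == "select" and self._select:
            self.forms[-1]["controls"].append((self._select[0], self._select[1] or "", True))
            self._select = None

def effective_enctype(form):
    # For GET the declared enctype is ignored; fields go URL-encoded into the query.
    return URLENCODED if form["method"] == "get" else form["declared"]

def default_get_url(form):
    return form["action"] + "?" + urlencode([(n, v) for n, v, sent in form["controls"] if sent])

def inventory(html):
    parser = FormInventory()
    parser.feed(html)
    return parser.forms
```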