Re: [sqlmap-users] SQLmap -l option bug
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] SQLmap -l option bug
|
From: Miroslav S. <mir...@gm...> - 2012-10-09 08:30:31
|
Hi Karel. Strictly speaking there is no bug here. If you take a look carefully into the HTTP request inside you'll see that there is no mention of either HTTPS nor 443 inside the request itself. It seems like the request came from the https page (referer header), but landed toward the HTTP land. I would suggest you to just try to append the :443 to the Host header value (Host: www.xxx.cz -> Host: www.xxx.cz:443) Kind regards, Miroslav Stampar On Sun, Oct 7, 2012 at 1:37 PM, Karel Marhoul <rez...@se...> wrote: > Hello, I came across a bug while using sqlmap with -l parameter. I have > burp log file with following content (only one request to https port): > > ====================================================== > 12:40:22 https://www.xxx.cz:443 [81.91.80.92] > ====================================================== > GET > > /index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120 > HTTP/1.1 > Host: www.xxx.cz > User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 > Firefox/15.0.1 > Accept: image/png,image/*;q=0.8,*/*;q=0.5 > Accept-Language: en-us,en;q=0.5 > Accept-Encoding: gzip, deflate > Connection: keep-alive > Referer: https://www.xxx.cz/ > Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; > > __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); > theme_cookie=life; > e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; > __utmc=148540003 > Cache-Control: max-age=0 > > ====================================================== > > Then I start sqlmap this way: > > ./sqlmap.py -l /root/burp.log --batch --threads=10 --scope=www.xxx.cz > > And sqlmap instead of sending request to https (443) port it will use > http (80) port instead: > > --------------------------------------------------------- > [13:21:55] [INFO] using regular expression 'www.xxx.cz' for filtering > targets > [13:21:55] [INFO] sqlmap parsed 1 testable requests from the targets list > [13:21:55] [INFO] url 1: > GET > > http://www.xxx.cz:80/index.php?option=com_thumber&view=thumb&format=image&path=images/cups/web-xxx-klub_ikona-spion.jpg&newX=160&newY=120 > Cookie: __utma=148540003.1998141124.1349164485.1349423437.1349599213.20; > > __utmz=148540003.1349164485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); > theme_cookie=life; > e6da1f1e61cfd387eff8fb211613796e=3c29965kggoo45p49dhrs1npq0; > __utmc=148540003 > do you want to test this url? [Y/n/q] > > Y > [snip] > --------------------------------------------------------- > > Could you please fix this? > > Regards > > Karel Marhoul > > > ------------------------------------------------------------------------------ > Don't let slow site performance ruin your business. Deploy New Relic APM > Deploy New Relic app performance management and know exactly > what is happening inside your Ruby, Python, PHP, Java, and .NET app > Try New Relic at no cost today and get our sweet Data Nerd shirt too! > http://p.sf.net/sfu/newrelic-dev2dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar http://about.me/stamparm |
