[sqlmap-users] HTTP POST method depends on HTTP data value to be posted
From: Abuse 0. <abu...@gm...> - 2012-11-12 00:56:51
Hi,

I have been testing a web application that is making a POST request with no data (Content-Length: 0). When I save a captured request to a file for fuzzing with sqlmap I get the error message "HTTP POST method depends on HTTP data value to be posted".

The request looks like this (modified to protect the guilty): -

POST /include/cgiscript.php/function_name?p1=123&p2=A HTTP/1.1
Host: test.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: https://test.local/include/cgiscript.php/other_function
Cookie: o4wPHP=1; a_param=%22%5B%7B%5C%22lots_of_data%5C%22%7D%5D%22;
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0

I'm using a git clone, I'm at: -

commit f305dde413afde13d64422a4e5425edeb4ecd22a
Author: Miroslav Stampar <mir...@gm...>
Date: Sat Nov 10 11:01:29 2012 +0100

I've made the following change as a work-around for me.

diff --git a/lib/core/target.py b/lib/core/target.py index ec0bd8e..7873bc9 100644 --- a/lib/core/target.py +++ b/lib/core/target.py
@@ -82,7 +82,8 @@ def __setRequestParams(): # Perform checks on POST parameters if conf.method == HTTPMETHOD.POST and not conf.data: errMsg = "HTTP POST method depends on HTTP data value to be posted" - raise sqlmapSyntaxException, errMsg + logger.warn(errMsg) # added by eh + #raise sqlmapSyntaxException, errMsg if conf.data: conf.method = HTTPMETHOD.POST
-----------------------------

I haven't had time to research this further, but I thought I'd raise it in case others find it useful and in case it helps improve sqlmap.

Is the post the web application is having Firefox make legal? Is this over-zealous protocol enforcement by sqlmap? Is there a better way than to do this, that I'm unaware of (missing), like a command argument? Or should an enhancement be made to allow HTTP POSTs with 0 data (at least for XMLHttpRequest)?

Thanks,
Abu
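
Review bot: in the "conf.method == HTTPMETHOD.POST and not conf.data" branch of __setRequestParams(), swapping the raise for logger.warn(errMsg) disables the check for every body-less POST, including ones where the data was left out by mistake, and the warning still reads "HTTP POST method depends on HTTP data value to be posted" even though the run now continues. Consider making the empty body an explicit, opt-in case with a message that says the request will be sent without data, and delete the commented-out "#raise sqlmapSyntaxException, errMsg" line and the "# added by eh" marker rather than leaving them in the file.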
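
As an added illustration, not part of the original post and not sqlmap's code: a small Python parser for a saved raw request like the one above, showing that a POST with Content-Length: 0 has an empty body but still carries URL and cookie values, and how that differs from a request whose declared length does not match its body. The function names, the category labels and the trimmed sample request are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample modelled on the request in the post (headers trimmed).
RAW_REQUEST = (
    "POST /include/cgiscript.php/function_name?p1=123&p2=A HTTP/1.1\r\n"
    "Host: test.local\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "Cookie: o4wPHP=1; a_param=%22%5B%7B%5C%22lots_of_data%5C%22%7D%5D%22;\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split a saved raw HTTP request into the parts a tester needs."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Cookie names only; values may be URL-encoded blobs as in the post.
    cookies = [c.strip().partition("=")[0]
               for c in headers.get("cookie", "").split(";") if c.strip()]
    return {
        "method": method,
        "query_params": [k for k, _ in parse_qsl(urlsplit(target).query)],
        "cookie_params": cookies,
        "body": body,
        "declared_length": int(headers.get("content-length", "0")),
    }

def classify(req):
    """Tell a deliberately empty POST apart from a truncated or padded one."""
    actual = len(req["body"].encode())
    if req["declared_length"] != actual:
        return "length-mismatch"
    if req["method"] == "POST" and actual == 0:
        # No body values exist, but URL and cookie values may remain.
        has_params = req["query_params"] or req["cookie_params"]
        return "empty-post" if has_params else "empty-post-no-params"
    return "ok"

if __name__ == "__main__":
    parsed = parse_request(RAW_REQUEST)
    print(classify(parsed), parsed["query_params"], parsed["cookie_params"])
```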