Re: [sqlmap-users] HTTP POST method depends on HTTP data value to be posted
From: Miroslav S. <mir...@gm...> - 2012-11-13 09:21:25
Hi.

Find it fixed with the latest commit [1].

Kind regards,
Miroslav Stampar

[1] https://github.com/sqlmapproject/sqlmap/issues/246

On Mon, Nov 12, 2012 at 1:56 AM, Abuse 007 <abu...@gm...> wrote:
> Hi,
>
> I have been testing a web application that is making a POST request with
> no data (Content-Length: 0). When I save a captured request to a file for
> fuzzing with sqlmap I get the error message "HTTP POST method depends on
> HTTP data value to be posted".
>
> The request looks like this (modified to protect the guilty): -
>
> POST /include/cgiscript.php/function_name?p1=123&p2=A HTTP/1.1
> Host: test.local
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
> Firefox/14.0.1
> Accept: application/json, text/javascript, */*; q=0.01
> Accept-Language: en-gb,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> X-Requested-With: XMLHttpRequest
> Referer: https://test.local/include/cgiscript.php/other_function
> Cookie: o4wPHP=1;
> a_param=%22%5B%7B%5C%22lots_of_data%5C%22%7D%5D%22; Pragma: no-cache
> Cache-Control: no-cache
> Content-Length: 0
>
>
> I'm using a git clone, I'm at: -
> commit f305dde413afde13d64422a4e5425edeb4ecd22a
> Author: Miroslav Stampar <mir...@gm...>
> Date: Sat Nov 10 11:01:29 2012 +0100
>
> I've made the following change as a work-around for me.
>
> diff --git a/lib/core/target.py b/lib/core/target.py
> index ec0bd8e..7873bc9 100644
> --- a/lib/core/target.py
> +++ b/lib/core/target.py
> @@ -82,7 +82,8 @@ def __setRequestParams(): > # Perform checks on POST parameters > if conf.method == HTTPMETHOD.POST and not conf.data: > errMsg = "HTTP POST method depends on HTTP data value to be > posted" > - raise sqlmapSyntaxException, errMsg > + logger.warn(errMsg) # added by eh > + #raise sqlmapSyntaxException, errMsg > > if conf.data: > conf.method = HTTPMETHOD.POST > > ----------------------------- > > I haven't had time to research this further, but I thought I'd raise it in > case others find it useful and in case it helps improve sqlmap. > > Is the post the web application is having Firefox make legal? Is this > over-zealous protocol enforcement by sqlmap? > Is there a better way than to do this, that I'm unaware of (missing), like > a command argument? > Or should an enhancement be made to allow HTTP POSTs with 0 data (at least > for XMLHttpRequest)? > > Thanks, > Abu > > > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_nov > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
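Review bot: in the `conf.method == HTTPMETHOD.POST and not conf.data` branch, the raise is commented out rather than removed and the warning reuses errMsg unchanged, so every POST without data now proceeds after a log line whose text still says the method depends on data being posted. If empty-body POSTs are to be accepted, delete the `#raise sqlmapSyntaxException, errMsg` line and the `# added by eh` tag, and reword the message to say the request will be sent with no body; if only some cases should be accepted, keep the exception and make the relaxed path conditional instead of unconditional.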