Re: [sqlmap-users] double quite problem
From: Miroslav S. <mir...@gm...> - 2013-03-11 11:36:56
Hi.

This is the wrong way to do it. The proper way is to escape double quotes with a backslash (\) on Windows OS (when calling the python interpreter).

Example:
python sqlmap.py -u .... --prefix="*\"*" .....

Kind regards,
Miroslav Stampar

On Sun, Mar 10, 2013 at 10:35 AM, lars peters <lar...@ma...> wrote:
> hello problem is solved with more double quotes on cmd two "" = "
>
> but still injection does not work
>
> ----- Original Message -----
> From: Miroslav Stampar
> Sent: 03/10/13 07:38 PM
> To: lars peters
> Subject: Re: double quite problem
>
> Hi.
>
> It's not filtered by sqlmap but by OS command prompt. Which OS do you use?
>
> Have you tried to echo that prefix string (e.g. echo "...) to see what's
> happening?
>
> Kind regards,
> Miroslav Stampar
>
> On 10.3.2013. 09:19, "lars peters" <lar...@ma...> wrote:
>>
>> hello
>>
>> i am trying to test a web app with injection in the x-forwarded-for
>> header and sqlmap filters out the injection chars.
>>
>> the injection is 1"' or 1'" and sqlmap changes to 1' or 1"
>>
>> sqlmap.py -u "http://www.testing/vuln/" --prefix=" ' " "
>> --headers="x-forwarded-for: *" <---is filtered
>>
>> sqlmap.py -u "http://www.testing/vuln/" --prefix=" " "
>> --headers="x-forwarded-for: * " " <---is filtered
>>
>> i put the spaces there to see.
>>
>> is there a fix for this?
>>
>> regards lars
>>

--
Miroslav Stampar
http://about.me/stamparm
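The quoting behaviour discussed in this thread, as an added example that is not part of the original posts or of sqlmap: it models the backslash and double-quote rules Microsoft documents for C runtime argument parsing, which decide what the Python interpreter receives in sys.argv on Windows. The helper name parse_windows_argv and the sample command lines are assumptions constructed from the thread; cmd.exe metacharacters and the doubled-quote ("") form are not modelled.

```python
import subprocess

def parse_windows_argv(cmdline):
    """Split a command line using the backslash/quote rules Microsoft
    documents for C runtime argv parsing (hypothetical helper name)."""
    args, cur = [], []
    in_quotes = have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                # 2k backslashes + quote -> k backslashes, quote is a delimiter;
                # 2k+1 backslashes + quote -> k backslashes and a literal quote.
                cur.append("\\" * (run // 2))
                if run % 2:
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * run)  # backslashes not before a quote are literal
            have_arg, i = True, j
        elif ch == '"':
            in_quotes, have_arg = not in_quotes, True  # bare quote is consumed
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args

# Constructed command lines modelled on the thread (URL is the poster's placeholder).
BASE = 'python sqlmap.py -u "http://www.testing/vuln/" '
UNESCAPED = BASE + '--prefix=" " " --headers="x-forwarded-for: *"'
ESCAPED = BASE + '--prefix=" \\" " --headers="x-forwarded-for: *"'

if __name__ == "__main__":
    print(parse_windows_argv(UNESCAPED)[4:])  # quote lost, --headers split apart
    print(parse_windows_argv(ESCAPED)[4:])    # prefix keeps its double quote
    # list2cmdline applies the same rules in reverse when Python spawns a process
    print(subprocess.list2cmdline(parse_windows_argv(ESCAPED)))
```

Running it shows that the unescaped form never delivers a double quote to the program, while the backslash-escaped form does.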