[sqlmap-users] Issue when using -p with JSON requests
Brought to you by:
inquisb
Menu
▾
▴
[sqlmap-users] Issue when using -p with JSON requests
|
From: Pieter de B. <pi...@th...> - 2013-03-26 13:56:15
|
Hi all,
My colleague is having an issue with POST/GET behaviour with JSON
requests in sqlmap/1.0-dev-64ba880. He asked me to forward this to the
mailinglist:
I have the following request which i load with the -l flag:
--
POST /blup?param=2 HTTP/1.1
Host: http://test.tld
User-Agent: Test
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 116
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"jq":{"Search":false,"nd":1,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}
--
- If i do not specify a parameter with -p then sqlmap will happily test
all parameters (including the ones in the URL) using HTTP POST requests
with the JSON data.
- If i enter 'N' at "JSON like data found in POST data. Do you want to
process it? [Y/n/q] " then it will start to do HTTP GET requests for the
parameters in the URL.
- If i specify '-p param' then sqlmap will start to do HTTP GET requests
and it will leave out the JSON data.
If i do the same request from the command line:
--
sqlmap.py -u "http://test.tld/blup?param=2"
--data="{"jqGridRequest":{"IsSearch":false,"nd":1364299479869,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}"
-p param
--
Then sqlmap will not prompt me for "JSON like data found in POST data.
Do you want to process it? [Y/n/q] " and it will test normally so it
seems to be related to the JSON detection.
Could you have a look at this behaviour and maybe fix sqlmap so that it
will keep doing HTTP POST requests even when the JSON data is not processed?
Thanks!
Pieter
|
