Re: [sqlmap-users] SQLi in parameter's name
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] SQLi in parameter's name
|
From: Miroslav S. <mir...@gm...> - 2013-03-28 14:41:25
|
Hi. Just use custom injection mark character. For example: python sqlmap.py -u "http://www.target.com/vuln.php?id*=1" will try to inject into the parameter name id. Kind regards, Miroslav Stampar On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se...> wrote: > Hello, > > During one assessment I have found the web application that is vulnerable > to > the SQL injection not in parameter values but in parameter names itself. > > This is something sqlmap is unable to find. Is it possible to add such > functionality (e.g. by optional parameter) to sqlmap? > > Regards > > Karel Marhoul > > > ------------------------------------------------------------------------------ > Own the Future-Intel® Level Up Game Demo Contest 2013 > Rise to greatness in Intel's independent game demo contest. > Compete for recognition, cash, and the chance to get your game > on Steam. $5K grand prize plus 10 genre and skill prizes. > Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar http://about.me/stamparm |
