Re: [sqlmap-users] SQLi in parameter's name
From: Miroslav S. <mir...@gm...> - 2013-03-28 22:46:24
This will inject before the name:

    python sqlmap.py -u "http://www.target.com/vuln.php?*id=1"

This will inject after the name:

    python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"

This will inject into the name:

    python sqlmap.py -u "http://www.target.com/vuln.php?i*d=1"

This will inject before the value:

    python sqlmap.py -u "http://www.target.com/vuln.php?id=*1"

This will inject after the value:

    python sqlmap.py -u "http://www.target.com/vuln.php?id=1*"

Which combination do you need? We are not going to make a new switch for this kind of thing because you can use * to mark your "special need".

Kind regards,
Miroslav Stampar

On Thu, Mar 28, 2013 at 7:06 PM, Karel Marhoul <rez...@se...> wrote:
> Hello,
>
> yes, '*' works, but I have to put it behind the parameter's name manually. I
> wish there was an option to tell sqlmap to automatically try SQLi not only
> inside parameter values but also inside parameter names. Is it possible to
> add such functionality?
>
> Kind Regards
>
> Karel Marhoul
>
> On 28.3.2013 15:41, Miroslav Stampar wrote:
>> Hi.
>>
>> Just use the custom injection mark character.
>>
>> For example:
>>
>> python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
>>
>> will try to inject into the parameter name id.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se...> wrote:
>>
>> Hello,
>>
>> During one assessment I have found a web application that is vulnerable to
>> SQL injection not in parameter values but in the parameter names themselves.
>>
>> This is something sqlmap is unable to find. Is it possible to add such
>> functionality (e.g. by optional parameter) to sqlmap?
>>
>> Regards
>>
>> Karel Marhoul
>>
>> ------------------------------------------------------------------------------
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
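The bug class discussed in this thread, SQL injection through a parameter's name rather than its value, as an added example that is not part of the thread and not sqlmap's own code: a hypothetical filter endpoint that treats every query-string key as a column name and pastes it into the SQL while binding only the value, beside a version that allowlists key names. The `users` table, its rows, the `ALLOWED_COLUMNS` set and the `id OR 1 OR id` payload are all constructed for the example; the payload sits right after the name, i.e. at the position sqlmap's `vuln.php?id*=1` marker targets.

```python
import sqlite3
from urllib.parse import parse_qsl

# Hypothetical endpoint: every query-string KEY is used as a column to filter
# on, and only the VALUE is bound as a parameter. The key never touches the
# binding layer, which is what makes the parameter *name* injectable.

ALLOWED_COLUMNS = {"id", "name", "role"}  # constructed allowlist for the hardened version


def setup_db():
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def build_where(params):
    """Turn [(key, value), ...] into 'key = ? AND key = ?' plus the bound values."""
    clause = " AND ".join(f"{key} = ?" for key, _ in params)
    values = [value for _, value in params]
    return clause, values


def lookup_vulnerable(conn, query_string):
    """Filter users by the query string; keys are interpolated into SQL unchecked."""
    # parse_qsl percent-decodes keys as well as values, so "%20" becomes a space in the key.
    params = parse_qsl(query_string, keep_blank_values=True)
    clause, values = build_where(params)
    sql = f"SELECT id, name FROM users WHERE {clause} ORDER BY id"
    return conn.execute(sql, values).fetchall()


def lookup_hardened(conn, query_string):
    """Same endpoint, but a key is accepted only if it is a known column name."""
    params = parse_qsl(query_string, keep_blank_values=True)
    for key, _ in params:
        if key not in ALLOWED_COLUMNS:
            raise ValueError(f"unexpected parameter name: {key!r}")
    clause, values = build_where(params)
    sql = f"SELECT id, name FROM users WHERE {clause} ORDER BY id"
    return conn.execute(sql, values).fetchall()


def hardened_rejects(conn, query_string):
    """True if the allowlisted handler refuses the request."""
    try:
        lookup_hardened(conn, query_string)
    except ValueError:
        return True
    return False


# Payload in the key, value left untouched:
#   ?id%20OR%201%20OR%20id=2  ->  key "id OR 1 OR id", value "2"
# resulting SQL: ... WHERE id OR 1 OR id = ? ORDER BY id  -> every row
INJECTED_QUERY = "id%20OR%201%20OR%20id=2"

if __name__ == "__main__":
    conn = setup_db()
    print(lookup_vulnerable(conn, "id=2"))          # [(2, 'bob')]
    print(lookup_vulnerable(conn, INJECTED_QUERY))  # all three rows
    print(hardened_rejects(conn, INJECTED_QUERY))   # True
```

The `*` marker in the thread is only a placeholder for where sqlmap inserts its payloads, so `lookup_vulnerable` is found by running sqlmap against `?id*=2`; the default scan, which mutates values only, would not see it. The fix is not escaping but refusing any key that is not a literal column name, since identifiers cannot be bound as parameters.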