Re: [sqlmap-users] SQLi in parameter's name
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] SQLi in parameter's name
|
From: mitchell <mit...@tu...> - 2013-03-31 12:19:15
|
Actually, it's not that painful :-) $ cat test.burp | sed '/^GET/s/=/\*=/g ' ====================================================== 3:09:06 PM http://example.com:80 [192.0.43.10] ====================================================== GET /?name1*=value1&name2*=value2&name3*=value3 HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: bg,en-us;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive ====================================================== Anyway, it's up to the devs if they want to implement such an option. Happy Easter to you too! ~~ # m. On Sun, Mar 31, 2013 at 12:35 PM, Karel Marhoul <rez...@se...>wrote: > Ok, let's have for example following URL: > > http://example.com/?name1=**value1&name2=value2&name3=**value3<http://example.com/?name1=value1&name2=value2&name3=value3> > > If I do something like this: > > sqlmap -u http://example.com/?name1=**value1&name2=value2&name3=**value3<http://example.com/?name1=value1&name2=value2&name3=value3> > > sqlmap wil try inject payloads into parameter values, server headers, > cookies and so on, but NOT into parameter names. > > Proposed parameter should work similar to this: > > sqlmap --inject-names -u http://example.com/?name1=** > value1&name2=value2&name3=**value3<http://example.com/?name1=value1&name2=value2&name3=value3> > > And sqlmap will AUTOMATICALLY try to inject payload also into parameter > names. > > Why I want this parameter instead of manually inserting '*' symbol? > Because I often use sqlmap in conjunction with burp, where I take burp's > log and give it to sqlmap for testing (via -l parameter). In this scenario, > it would be painful to insert '*' after each parameter name. > > I hope I expressed it clear:) > > Best regards and happy easter > > Karel Marhoul > > > On 31.3.2013 0:11, mitchell wrote: > >> So you have an option to inject wherever you want, but you want another >> option to inject "inside parameter names"? Maybe, I am missing something >> here... >> >> ~~ >> # m. >> >> >> On Thu, Mar 28, 2013 at 8:06 PM, Karel Marhoul <rez...@se... >> <mailto:rez...@se...>> wrote: >> >> Hello, >> >> yes '*' works, but I have to put it behind parameter's name manually. >> I >> wish there was an option to tell sqlmap to automatically try SQLi not >> only inside parameter values but also inside parameter names. Is is >> possible to add such functionality? >> >> Kind Regards >> >> Karel Marhoul >> >> On 28.3.2013 15:41, Miroslav Stampar wrote: >> > Hi. >> > >> > Just use custom injection mark character. >> > >> > For example: >> > >> > python sqlmap.py -u "http://www.target.com/vuln.**php?id*=1<http://www.target.com/vuln.php?id*=1> >> " >> > >> > will try to inject into the parameter name id. >> > >> > Kind regards, >> > Miroslav Stampar >> > >> > On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se... >> <mailto:rez...@se...> >> > <mailto:rez...@se... <mailto:rez...@se...>>**> >> wrote: >> > >> > Hello, >> > >> > During one assessment I have found the web application that is >> > vulnerable to >> > the SQL injection not in parameter values but in parameter >> names itself. >> > >> > This is something sqlmap is unable to find. Is it possible to >> add such >> > functionality (e.g. by optional parameter) to sqlmap? >> > >> > Regards >> > >> > Karel Marhoul >> > >> > >> ------------------------------**------------------------------** >> ------------------ >> > Own the Future-Intel® Level Up Game Demo Contest 2013 >> > Rise to greatness in Intel's independent game demo contest. >> > Compete for recognition, cash, and the chance to get your game >> > on Steam. $5K grand prize plus 10 genre and skill prizes. >> > Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_** >> levelupd2d <http://p.sf.net/sfu/intel_levelupd2d> >> > ______________________________**_________________ >> > sqlmap-users mailing list >> > sqlmap-users@lists.**sourceforge.net<sql...@li...> >> <mailto:sqlmap-users@lists.**sourceforge.net<sql...@li...> >> > >> > <mailto:sqlmap-users@lists.**sourceforge.net<sql...@li...> >> >> <mailto:sqlmap-users@lists.**sourceforge.net<sql...@li...> >> >> >> > https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users> >> > >> > >> > >> > >> > -- >> > Miroslav Stampar >> > http://about.me/stamparm >> >> >> ------------------------------**------------------------------** >> ------------------ >> Own the Future-Intel(R) Level Up Game Demo Contest 2013 >> Rise to greatness in Intel's independent game demo contest. Compete >> for recognition, cash, and the chance to get your game on Steam. >> $5K grand prize plus 10 genre and skill prizes. Submit your demo >> by 6/6/13. http://altfarm.mediaplex.com/**ad/ck/12124-176961-30367-2<http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2> >> ______________________________**_________________ >> sqlmap-users mailing list >> sqlmap-users@lists.**sourceforge.net<sql...@li...> >> <mailto:sqlmap-users@lists.**sourceforge.net<sql...@li...> >> > >> https://lists.sourceforge.net/**lists/listinfo/sqlmap-users<https://lists.sourceforge.net/lists/listinfo/sqlmap-users> >> >> >> > |
