Re: [sqlmap-users] SQLi in parameter's name
From: Miroslav S. <mir...@gm...> - 2013-03-31 20:26:51
Hi Karel.

This is one of those requests that are in need of a new option/switch among hundreds of others, where we need to reject because of an easy workaround solution. I would not say a thing if this would be used in a decent percentage of runs.

Kind regards,
Miroslav Stampar

On Mar 31, 2013 9:58 PM, "Karel Marhoul" <rez...@se...> wrote:
> Ok, let's have for example the following URL:
>
> http://example.com/?name1=value1&name2=value2&name3=value3
>
> If I do something like this:
>
> sqlmap -u http://example.com/?name1=value1&name2=value2&name3=value3
>
> sqlmap will try to inject payloads into parameter values, server headers,
> cookies and so on, but NOT into parameter names.
>
> The proposed parameter should work similar to this:
>
> sqlmap --inject-names -u http://example.com/?name1=value1&name2=value2&name3=value3
>
> And sqlmap will AUTOMATICALLY try to inject payloads also into parameter
> names.
>
> Why do I want this parameter instead of manually inserting the '*' symbol?
> Because I often use sqlmap in conjunction with Burp, where I take Burp's
> log and give it to sqlmap for testing (via the -l parameter). In this
> scenario, it would be painful to insert '*' after each parameter name.
>
> I hope I expressed it clearly :)
>
> Best regards and happy Easter
>
> Karel Marhoul
>
> On 31.3.2013 0:11, mitchell wrote:
> > So you have an option to inject wherever you want, but you want another
> > option to inject "inside parameter names"? Maybe I am missing something
> > here...
> >
> > ~~
> > # m.
> >
> > On Thu, Mar 28, 2013 at 8:06 PM, Karel Marhoul <rez...@se...> wrote:
> > > Hello,
> > >
> > > yes '*' works, but I have to put it after the parameter's name manually. I
> > > wish there was an option to tell sqlmap to automatically try SQLi not
> > > only inside parameter values but also inside parameter names. Is it
> > > possible to add such functionality?
> > >
> > > Kind Regards
> > >
> > > Karel Marhoul
> > >
> > > On 28.3.2013 15:41, Miroslav Stampar wrote:
> > > > Hi.
> > > >
> > > > Just use the custom injection mark character.
> > > >
> > > > For example:
> > > >
> > > > python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
> > > >
> > > > will try to inject into the parameter name id.
> > > >
> > > > Kind regards,
> > > > Miroslav Stampar
> > > >
> > > > On Wed, Mar 27, 2013 at 11:02 AM, a a <rez...@se...> wrote:
> > > > > Hello,
> > > > >
> > > > > During one assessment I have found a web application that is
> > > > > vulnerable to SQL injection not in parameter values but in the
> > > > > parameter names themselves.
> > > > >
> > > > > This is something sqlmap is unable to find. Is it possible to
> > > > > add such functionality (e.g. by an optional parameter) to sqlmap?
> > > > >
> > > > > Regards
> > > > >
> > > > > Karel Marhoul
> > > > >
> > > > > _______________________________________________
> > > > > sqlmap-users mailing list
> > > > > sql...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> > > >
> > > > --
> > > > Miroslav Stampar
> > > > http://about.me/stamparm
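As an added illustration of the bug class Karel describes (this is constructed example code, not code from the thread or from sqlmap), here is a Python handler whose parameter names, not values, are concatenated into SQL as column names, beside an allowlisted version. The users table, the column list and the query strings are all constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qsl

# Constructed sample data: a search endpoint that filters a users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "alice@example.test", "admin"),
                      ("bob", "bob@example.test", "user")])
    return conn

def build_query_vulnerable(query_string):
    """Parameter *names* are used as column names and concatenated into SQL.
    Values are bound, so a scanner that only mutates values finds nothing;
    the name is the injection point (what sqlmap skips unless marked with '*')."""
    clauses, params = [], []
    for name, value in parse_qsl(query_string):
        clauses.append(f"{name} = ?")  # the name lands in the SQL text verbatim
        params.append(value)
    return "SELECT name FROM users WHERE " + " AND ".join(clauses), params

# Hardened variant: names must come from a fixed allowlist of column names.
ALLOWED_COLUMNS = {"name", "email", "role"}

def build_query_hardened(query_string):
    clauses, params = [], []
    for name, value in parse_qsl(query_string):
        if name not in ALLOWED_COLUMNS:
            raise ValueError(f"unexpected filter column: {name!r}")
        clauses.append(f"{name} = ?")  # the name is now one of our own identifiers
        params.append(value)
    return "SELECT name FROM users WHERE " + " AND ".join(clauses), params

def run(builder, query_string):
    """Build with `builder`, execute against the sample DB, return sorted names."""
    conn = make_db()
    sql, params = builder(query_string)
    return sorted(row[0] for row in conn.execute(sql, params))

def hardened_rejects(query_string):
    """True if the allowlist builder refuses this query string."""
    try:
        build_query_hardened(query_string)
    except ValueError:
        return True
    return False
```

With a crafted *name* such as `role IS NOT NULL OR role` (value `x`), the vulnerable builder returns every row while the hardened one rejects the request before any SQL is built.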