Re: [sqlmap-users] Param in multi-part post has to change each request
From: Brandon P. <bpe...@gm...> - 2013-10-11 15:59:58
FWIW here is what was happening when I tried to use eval:

bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r ~/req2.req --level=3 -o --eval="import uuid;Name=str(uuid.uuid1())"

sqlmap/1.0-dev-2dc570d - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 08:58:56

[08:58:56] [INFO] parsing HTTP request from '/home/bperry/req2.req'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[08:58:59] [WARNING] you've provided target URL without any GET parameters (e.g. www.site.com/article.php?id=1) and without providing any POST parameters through --data option
do you want to try URI injections in the target URL itself? [Y/n/q] n
[08:59:00] [INFO] testing connection to the target URL
[08:59:00] [CRITICAL] an error occurred while evaluating provided code ('can't assign to operator (<string>, line 1)').

[*] shutting down at 08:59:00

bperry@ubuntu:~/tools/sqlmap$

On Fri, Oct 11, 2013 at 10:23 AM, Brandon Perry <bpe...@gm...> wrote:

> Hi, I have a request that posts multi-part form data to the server, and
> one of the params is vulnerable to a sqli. However, another param must
> change each request (can be totally random) and I am not sure how to
> approach that. I am sure that a tamper script or something will be the
> correct solution, just not sure how to approach it.
>
> Any thoughts or questions in case I did not explain it well? Basically, I
> would like to replace this param with a random uuid or something each
> request.
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website