Re: [sqlmap-users] Param in multi-part post has to change each request

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi Brandon.

There is no such feature (at least for multipart cases).

Nevertheless, I would suggest you to patch (just for this case):

lib/request/connect.py (line 225):
+        post = post.replace("[RANDSTR]", randomStr()) if post else post

Afterwards, you can put a [RANDSTR] mark into the request file itself at
the place where you want a random value to be.

Kind regards,
Miroslav Stampar

On Fri, Oct 11, 2013 at 5:23 PM, Brandon Perry <bpe...@gm...>wrote:

> Hi, I have a request that posts multi-part form data to the server, and
> one of the params is vulnerable to a sqli. However, another param must
> change each request (can be totally random) and I am not sure how to
> approach that. I am sure that a tamper script or something will be the
> correct solution, just not sure how to approach it.
>
> Any thoughts or questions in case I did not explain it well? Basically, I
> would like to replcae this param with a random uuid or something each
> request.
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

-- 
Miroslav Stampar
http://about.me/stamparm