Re: [sqlmap-users] Manipulating JSON types to induce SQL errors
From: Miroslav S. <mir...@gm...> - 2013-11-27 06:38:18
Hi Brandon.

sqlmap does the same thing when doing the SQLi against integer-like parameters. If we have to inject something into those kinds of parameters we automatically enclose the new value with quotes.

Bye

On Nov 26, 2013 8:02 PM, "Brandon Perry" <bpe...@gm...> wrote:
> A technique I find quite useful on web applications that are weakly-typed
> is manipulating the data within JSON to be more susceptible to fuzzing for
> SQLi.
>
> For instance {"id":0} can be made {"id":"0"} as long as the application
> isn't caring what the type of the ID is (rails, python, perl, etc...).
>
> Generally I do this manually, does sqlmap support this type of
> manipulation? If not, would a tamper script be the solution to automating
> this?
>
> Thanks!
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
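
Seen from the application side, the {"id":0} to {"id":"0"} swap discussed in this thread stops working once the server checks the JSON type itself before the value reaches a query. The following is an added example, not code from the thread or from sqlmap; the `items` table, the function names and the request bodies are constructed for illustration.

```python
import json
import sqlite3

# Constructed in-memory table standing in for the application's data.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
db.executemany("INSERT INTO items VALUES (?, ?)", [(0, "alpha"), (1, "beta")])


class BadRequest(ValueError):
    """Raised when the JSON body does not match the expected schema."""


def parse_id_lenient(body):
    # Weakly-typed handling: the value is passed on with whatever JSON
    # type the client chose, so a string reaches the data layer unchanged.
    return json.loads(body)["id"]


def parse_id_strict(body):
    # Enforce the JSON type itself, not just the value after coercion.
    doc = json.loads(body)
    if not isinstance(doc, dict) or set(doc) != {"id"}:
        raise BadRequest("body must be an object with exactly one key: id")
    value = doc["id"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise BadRequest("id must be a JSON integer, got " + type(value).__name__)
    if value < 0:
        raise BadRequest("id must be non-negative")
    return value


def lookup(item_id):
    # Bound parameter: the value never becomes part of the SQL text.
    row = db.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


def handle(body):
    # Hypothetical request handler: returns (HTTP status, payload).
    try:
        return 200, lookup(parse_id_strict(body))
    except (BadRequest, json.JSONDecodeError) as exc:
        return 400, str(exc)
```

Type enforcement and bound parameters are independent layers: the first rejects the altered body outright, the second keeps any value that does get through out of the SQL text.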