Re: [sqlmap-users] Trouble with "json" like data
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] Trouble with "json" like data
|
From: Miroslav S. <mir...@gm...> - 2014-02-26 07:57:08
|
It should be implemented now. Please update to the latest revision. Kind regards, Miroslav Stampar On Tue, Feb 25, 2014 at 5:20 PM, Miroslav Stampar < mir...@gm...> wrote: > I'll see what can be done tomorrow. Most probably I'll put a support for > this. > > Bye > On Feb 25, 2014 5:03 PM, "Jonathon Brenner (jobrenne)" <job...@ci...> > wrote: > >> To be fair, I frequently see developers use all kinds of crazy >> non-standard JSON "formats." These behaviors are usually indicative of >> poorly developed code that is ripe for exploitation. >> >> When I need to deal with something like this, I manually reformat the >> request into something that sqlmap can deal with. Then I write a simple >> burp extension (or if I'm luckily, use a proxy match and replace rule) to >> reformat the request into the form that the application expects and proxy >> sqlmap's traffic through burp. >> >> -- >> Jonathon Brenner >> >> .:|:.:|:. >> Cisco >> >> From: Miroslav Stampar <mir...@gm...> >> Date: Monday, February 24, 2014 4:52 PM >> To: "Lou...@be..." <Lou...@be...> >> Cc: SqlMap List <sql...@li...> >> Subject: Re: [sqlmap-users] Trouble with "json" like data >> >> Dear Louis. >> >> From when are JSON string values enclosed with single quotes? >> >> Please go to the: http://www.json.org/ and study the official JSON >> forms/structures. >> >> Kind regards, >> Miroslav Stampar >> >> >> On Mon, Feb 24, 2014 at 8:29 PM, <Lou...@be...> wrote: >> >>> Hi, >>> >>> >>> >>> I saw a couple messages saying sqlmap should support json post data now. >>> However, I'm having trouble with a pretty simple payload. I'm using the >>> following request that I extracted from Burp and censored a bit : >>> >>> >>> >>> POST /SomeUrl/ HTTP/1.1 >>> >>> Host: www.SomeUrl.org.uk >>> >>> Proxy-Connection: keep-alive >>> >>> Content-Length: 28 >>> >>> Accept: application/json, text/javascript, */*; q=0.01 >>> >>> Origin: http://www. SomeUrl.org.uk >>> >>> X-Requested-With: XMLHttpRequest >>> >>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 >>> (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36 >>> >>> Content-Type: application/json; charset=UTF-8 >>> >>> Referer: http://www. SomeUrl.org.uk/ >>> >>> Accept-Encoding: gzip,deflate,sdch >>> >>> Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4 >>> >>> Cookie: SomeCookies >>> >>> Connection: close >>> >>> >>> >>> {'address':'peanut'} >>> >>> >>> >>> I tried using "sqlmap -r request" or "sqlmap -r request -p address" or >>> with -p "peanut". I also tried adding $$ before and after peanut and trying >>> with -sufix and -prefix to no avail. >>> >>> >>> >>> I also tried a full command line without using the raw request like this >>> (and multiple variant) : >>> >>> >>> >>> python sqlmap.py -u "http://www.someurl.co.uk" --data >>> "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$" >>> >>> >>> >>> Whatever I'm doing, I'm ending up with a message like : >>> >>> >>> >>> [14:27:08] [INFO] target URL is stable >>> >>> [14:27:08] [CRITICAL] no parameter(s) found for testing in the provided >>> data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1') >>> >>> >>> >>> Or >>> >>> >>> >>> [14:27:47] [INFO] parsing HTTP request from 'requestFromBurp' >>> >>> [14:27:47] [CRITICAL] all testable parameters you provided are not >>> present within the given request data >>> >>> >>> >>> I tried sqlmap/1.0-dev out of Kali linux and also downloaded the >>> nightlies with GIT. >>> >>> >>> >>> Can you help me ? >>> >>> >>> >>> Thanks >>> >>> >>> >>> Louis >>> >>> >>> >>> >>> >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Flow-based real-time traffic analytics software. Cisco certified tool. >>> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer >>> Customize your own dashboards, set traffic alerts and generate reports. >>> Network behavioral analysis & security monitoring. All-in-one tool. >>> >>> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >>> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> > -- Miroslav Stampar http://about.me/stamparm |
