Re: [sqlmap-users] querystrings with *'s and no spaces
From: Miroslav S. <mir...@gm...> - 2014-10-01 11:37:16
-u "www.target.com/vuln?string=the" --tamper=space2comment

bye

p.s. please don't use any SQLi inside provided parameter values

On Wed, Oct 1, 2014 at 11:17 AM, Robin Wood <ro...@di...nja> wrote:

> It was pointed out that I should be URL encoding the *s which removes that
> as a problem but it still isn't quite working properly, probably because of
> the spaces. Got limited time on this test so going to leave it for now and
> will build a lab to look at it properly later.
>
> Robin
>
> On 1 October 2014 09:54, Robin Wood <ro...@di...nja> wrote:
>
>> I've got the following vulnerable querystring value:
>>
>> string=the%%22/**/and/**/1=1/**/and/**/%22%%22=%22
>>
>> Where with 1=1 I get data back, 1=0 is false so no data.
>>
>> I can't use spaces which is why I've had to go for /**/.
>>
>> How do I tell sqlmap where the injection point is and to use /**/ instead
>> of spaces?
>>
>> Robin

--
Miroslav Stampar
http://about.me/stamparm
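Added example, not part of the original thread: the /**/-for-space substitution discussed above (what space2comment produces) also gets past log filters that look for spaces between SQL keywords, so a request-log check has to decode the value and treat inline comments as whitespace first. The function name, the two regex heuristics and the sample query strings below are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# An inline SQL comment; the database treats it as token-separating whitespace.
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Heuristic (assumption): a boolean test appended to a value, e.g. and 1=1.
BOOLEAN_TEST = re.compile(r"\b(?:and|or)\s+\S+?\s*=\s*\S+", re.I)

# Constructed sample query strings, as they would appear in an access log.
SAMPLES = [
    "string=the%%22/**/and/**/1=1/**/and/**/%22%%22=%22",            # from the thread
    "string=the%%22/%2A%2A/and/%2A%2A/1=0/%2A%2A/and/%2A%2A/%22%%22=%22",  # *s URL-encoded
    "string=rock+and+roll&page=2",                                   # benign
]


def inspect_query(query):
    """Return one finding per parameter whose decoded value reads as a SQL
    boolean test once inline comments are collapsed to single spaces."""
    findings = []
    # parse_qsl percent-decodes, so /%2A%2A/ and /**/ end up identical.
    for name, value in parse_qsl(query, keep_blank_values=True):
        comments = len(INLINE_COMMENT.findall(value))
        normalized = " ".join(INLINE_COMMENT.sub(" ", value).split())
        if BOOLEAN_TEST.search(normalized):
            findings.append({
                "param": name,
                "inline_comments": comments,  # how many /**/ stood in for spaces
                "normalized": normalized,     # what the SQL parser effectively sees
            })
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_query(sample) or "clean")
```
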