Re: [sqlmap-users] querystrings with *'s and no spaces
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] querystrings with *'s and no spaces
|
From: Robin W. <ro...@di...> - 2014-10-01 12:39:07
|
On 1 October 2014 12:37, Miroslav Stampar <mir...@gm...> wrote: > -u "www.target.com/vuln?string=the" --tamper=space2comment > > bye > > p.s. please don't use any SQLi inside provided parameter values > That fixed it, its been a while since I got SQLi on a job so was not thinking properly. Robin > On Wed, Oct 1, 2014 at 11:17 AM, Robin Wood <ro...@di...nja> wrote: > >> It was pointed out that I should be URL encoding the *s which removes >> that as a problem but it still isn't quite working properly, probably >> because of the spaces. Got limited time on this test so going to leave it >> for now and will build a lab to look at it properly later. >> >> Robin >> >> On 1 October 2014 09:54, Robin Wood <ro...@di...nja> wrote: >> >>> I've got the following vulnerable querystring value: >>> >>> string=the%%22/**/and/**/1=1/**/and/**/%22%%22=%22 >>> >>> Where with 1=1 I get data back, 1=0 is false so no data. >>> >>> I can't use spaces which is why I've have to go for /**/. >>> >>> How do I tell sqlmap where the injection point is and to use /**/ >>> instead of spaces? >>> >>> Robin >>> >> >> >> >> ------------------------------------------------------------------------------ >> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer >> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports >> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper >> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer >> >> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > -- > Miroslav Stampar > http://about.me/stamparm > |
