Re: [sqlmap-users] how to send post request as safeurl
From: Vojtěch P. <kr...@gm...> - 2015-04-22 12:29:58
Hi,
I tried your new --safe-post and it doesn't seem to fulfill my needs. I need to submit in this URL the same cookies as in requests for SQL injection etc. Would it be possible to provide something like --safe-request and read the request from a file?
Thanks,
Vojta

On 20.4.2015 23:56, Miroslav Stampar wrote:
> Done (usage e.g. --safe-url=... --safe-post="foo=bar&...").
>
> Bye
>
> On Mon, Apr 20, 2015 at 10:26 PM, Miroslav Stampar <mir...@gm...> wrote:
> > Pushing the patch in couple of hours.
> >
> > Bye
> >
> > On Mon, Apr 20, 2015 at 8:37 PM, Brandon Perry <bpe...@gm...> wrote:
> > > Ah, good point. Hadn't thought about that. Also, requiring a
> > > POST request does make it difficult.
> > >
> > > On Mon, Apr 20, 2015 at 1:36 PM, Johnathon Doe <hoo...@gm...> wrote:
> > > > I don't think second order option will work as that is
> > > > specifying where to look for injection results, which
> > > > might result in your underlying injection failing if the
> > > > results are not to be found there.
> > > >
> > > > There are, however, options in latest version that appear to
> > > > be for just this type of situation (although I personally
> > > > haven't used them just yet):
> > > >     --safe-url=SAFURL   URL address to visit frequently during testing
> > > >     --safe-freq=SAFREQ  Test requests between two visits to a given safe URL
> > > >
> > > > I believe this will ensure your session remains active
> > > > during scan.
> > > >
> > > > There are also the options for CSRF tokens to be snagged
> > > > and parsed via:
> > > >     --csrf-token=CSR..  Parameter used to hold anti-CSRF token
> > > >     --csrf-url=CSRFURL  URL address to visit to extract anti-CSRF token
> > > >
> > > > In case the csrf token needs to be refreshed for each
> > > > injection (when injecting into forms and other typical
> > > > POST injections and such).
> > > >
> > > > On Mon, Apr 20, 2015 at 1:22 PM, Brandon Perry <bpe...@gm...> wrote:
> > > > > However, that being said, I have run into this before
> > > > > and had to write my own exploits to fully exploit the
> > > > > vulnerability.
> > > > >
> > > > > On Mon, Apr 20, 2015 at 1:21 PM, Brandon Perry <bpe...@gm...> wrote:
> > > > > > There is a second order parameter, it could be
> > > > > > used to perform this. It would be requested after
> > > > > > every injected request was sent.
> > > > > >
> > > > > > On Mon, Apr 20, 2015 at 1:18 PM, Vojtěch Polášek <kr...@gm...> wrote:
> > > > > > > Greetings,
> > > > > > > I am testing an application which I suspect to
> > > > > > > log me out if I don't send certain post request
> > > > > > > in certain time interval.
> > > > > > > Is this possible to do with Sqlmap? I know that
> > > > > > > there is a parameter which lets me run any python
> > > > > > > code before every request. But it is not so nice,
> > > > > > > let's say.
> > > > > > > Is there any possibility to supply a post request
> > > > > > > to safeurl? Is there anything like this planned?
> > > > > > > Thank you very much,
> > > > > > > Vojta
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > sqlmap-users mailing list
> > > > > > > sql...@li...
> > > > > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> > > > > >
> > > > > > --
> > > > > > http://volatile-minds.blogspot.com -- blog
> > > > > > http://www.volatileminds.net -- website
> >
> > --
> > Miroslav Stampar
> > http://about.me/stamparm
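
The request made in this message, sketched as an added example (not sqlmap's code and not from the thread): a keep-alive request is read from a saved raw HTTP request, given the same cookies as the scan session, and placed after every N test requests as the --safe-freq help text describes. The host, path, cookie names and all function names are assumptions made for the illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample of a saved keep-alive request (hypothetical host, path, values).
RAW_SAFE_REQUEST = (
    "POST /session/keepalive HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: lang=en; SESSIONID=stale\r\n"
    "\r\n"
    "foo=bar"
)

def parse_raw_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:  # ignore anything that is not "Name: value"
            headers[name.strip()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def with_session_cookies(request, session_cookies):
    """Copy the request, overriding its cookies with the live session's values."""
    jar = SimpleCookie(request["headers"].get("Cookie", ""))
    for name, value in session_cookies.items():
        jar[name] = value  # the live value replaces the one saved in the file
    headers = dict(request["headers"])
    headers["Cookie"] = "; ".join(f"{k}={m.value}" for k, m in jar.items())
    return dict(request, headers=headers)

def plan(test_requests, safe_freq):
    """Request order when the safe request follows every safe_freq test requests."""
    order = []
    for i in range(1, test_requests + 1):
        order.append("test")
        if safe_freq and i % safe_freq == 0:
            order.append("safe")
    return order

if __name__ == "__main__":
    req = with_session_cookies(parse_raw_request(RAW_SAFE_REQUEST),
                               {"SESSIONID": "live123"})
    print(req["method"], req["path"], req["headers"]["Cookie"], req["body"])
    print(plan(5, 2))
```

The cookie saved in the file goes stale as soon as the application rotates the session, which is why the merge takes the live session's value over the saved one.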