Re: [sqlmap-users] how to send post request as safeurl
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] how to send post request as safeurl
|
From: Miroslav S. <mir...@gm...> - 2015-04-22 14:29:40
|
Please update to the latest revision and use: --safe-req=...req.txt --safe-freq=... Bye On Wed, Apr 22, 2015 at 3:08 PM, Vojtěch Polášek <kr...@gm...> wrote: > Well, so if I understand it right. Currently, --safe-url receives the URL > to which the post request is going to be sent. > --safe-post receives *only* POST data, no HTTP headers etc. > There is no possibility to send some specific cookies or other HTTP > headers currently with this safe thing. Am I right? > Thanks for clarification. I am sorry if my description of problem wasn't > exact enough. > Vojta > > On 22.4.2015 14:52, Miroslav Stampar wrote: > > I'll just repeat a sentence from your original message: > > "Is there any possibility to supply a post request to safeurl?" > > Bye > > On Wed, Apr 22, 2015 at 2:29 PM, Vojtěch Polášek <kr...@gm...> > wrote: > >> Hi, >> I tried your new --safe-post and it doesn't seem to fullfill my needs. I >> need to submit in this url same cookies as in requests for SQL injection >> etc. Would it be possible to provide something like --safe-request and read >> request from a file? >> Thanks, >> Vojta >> >> >> On 20.4.2015 23:56, Miroslav Stampar wrote: >> >> Done (usage e.g. --safe-url=... --safe-post="foo=bar&..."). >> >> Bye >> >> On Mon, Apr 20, 2015 at 10:26 PM, Miroslav Stampar < >> mir...@gm...> wrote: >> >>> Pushing the patch in couple of hours. >>> >>> Bye >>> >>> On Mon, Apr 20, 2015 at 8:37 PM, Brandon Perry < >>> bpe...@gm...> wrote: >>> >>>> Ah, good point. Hadn't thought about that. Also, requiring a POST >>>> request does make it difficult. >>>> >>>> On Mon, Apr 20, 2015 at 1:36 PM, Johnathon Doe <hoo...@gm...> >>>> wrote: >>>> >>>>> I dont think second order option will work as that is specifiing >>>>> where to look for injection results, which might result in your underlying >>>>> injection failing if the results are not to be found there. >>>>> >>>>> There is however options in latest version that appear to be for just >>>>> this type of situation (although I personally haven't used them just yet): >>>>> --safe-url=SAFURL URL address to visit frequently during testing >>>>> --safe-freq=SAFREQ Test requests between two visits to a given >>>>> safe URL >>>>> >>>>> I believe this will ensure your session remains active during scan. >>>>> >>>>> There is also the options for CSRF tokens to be snagged and parsed via: >>>>> --csrf-token=CSR.. Parameter used to hold anti-CSRF token >>>>> --csrf-url=CSRFURL URL address to visit to extract anti-CSRF token >>>>> >>>>> In case the csrf token needs to be refreshed for each injection (when >>>>> injecting into forms and other typical POST injections and such). >>>>> >>>>> On Mon, Apr 20, 2015 at 1:22 PM, Brandon Perry < >>>>> bpe...@gm...> wrote: >>>>> >>>>>> However, that being said, I have run into this before and had to >>>>>> write my own exploits to fully exploit the vulnerability. >>>>>> >>>>>> On Mon, Apr 20, 2015 at 1:21 PM, Brandon Perry < >>>>>> bpe...@gm...> wrote: >>>>>> >>>>>>> There is a second order parameter, it could be used to perform this. >>>>>>> It would be requested after ever injected request were sent. >>>>>>> >>>>>>> On Mon, Apr 20, 2015 at 1:18 PM, Vojtěch Polášek <kr...@gm...> >>>>>>> wrote: >>>>>>> >>>>>>>> Greetings, >>>>>>>> I am testing an application which I suspect to log me out if I don't >>>>>>>> send certain post request in certain time interval. >>>>>>>> Is this possible to do with Sqlmap? I know that there is a parameter >>>>>>>> which lets me to run any python code before every request. But it >>>>>>>> is not >>>>>>>> so nice, let's say. >>>>>>>> Is there any possibility to supply a post request to safeurl? Is >>>>>>>> there >>>>>>>> anything like this planed? >>>>>>>> Thank you very much, >>>>>>>> Vojta >>>>>>>> >>>>>>>> >>>>>>>> ------------------------------------------------------------------------------ >>>>>>>> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT >>>>>>>> Develop your own process in accordance with the BPMN 2 standard >>>>>>>> Learn Process modeling best practices with Bonita BPM through live >>>>>>>> exercises >>>>>>>> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- >>>>>>>> event?utm_ >>>>>>>> >>>>>>>> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF >>>>>>>> _______________________________________________ >>>>>>>> sqlmap-users mailing list >>>>>>>> sql...@li... >>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> http://volatile-minds.blogspot.com -- blog >>>>>>> http://www.volatileminds.net -- website >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> http://volatile-minds.blogspot.com -- blog >>>>>> http://www.volatileminds.net -- website >>>>>> >>>>>> >>>>>> ------------------------------------------------------------------------------ >>>>>> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT >>>>>> Develop your own process in accordance with the BPMN 2 standard >>>>>> Learn Process modeling best practices with Bonita BPM through live >>>>>> exercises >>>>>> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- >>>>>> event?utm_ >>>>>> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF >>>>>> _______________________________________________ >>>>>> sqlmap-users mailing list >>>>>> sql...@li... >>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>>>> >>>>>> >>>>> >>>> >>>> >>>> -- >>>> http://volatile-minds.blogspot.com -- blog >>>> http://www.volatileminds.net -- website >>>> >>>> >>>> ------------------------------------------------------------------------------ >>>> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT >>>> Develop your own process in accordance with the BPMN 2 standard >>>> Learn Process modeling best practices with Bonita BPM through live >>>> exercises >>>> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- >>>> event?utm_ >>>> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF >>>> _______________________________________________ >>>> sqlmap-users mailing list >>>> sql...@li... >>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>> >>>> >>> >>> >>> -- >>> Miroslav Stampar >>> http://about.me/stamparm >>> >> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> >> >> ------------------------------------------------------------------------------ >> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT >> Develop your own process in accordance with the BPMN 2 standard >> Learn Process modeling best practices with Bonita BPM through live exerciseshttp://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_ >> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF >> >> >> >> _______________________________________________ >> sqlmap-users mailing lis...@li...https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> >> >> >> ------------------------------------------------------------------------------ >> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT >> Develop your own process in accordance with the BPMN 2 standard >> Learn Process modeling best practices with Bonita BPM through live >> exercises >> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- >> event?utm_ >> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > -- > Miroslav Stampar > http://about.me/stamparm > > > > > ------------------------------------------------------------------------------ > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT > Develop your own process in accordance with the BPMN 2 standard > Learn Process modeling best practices with Bonita BPM through live > exercises > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- > event?utm_ > source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
