Re: [sqlmap-users] AMF sqli injection

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Flex is hard because you have to update the integer that tells flex how
long a string is, unless I am mistaken.

If not, you could try with the * marker to tell sqlmap exactly where the
injection point is.

On Thu, May 28, 2015 at 1:21 PM, Christopher Downs <
chr...@ch...> wrote:

> Good afternoon gents,
> I am a profession penetration tester and have a rather difficult injection
> point for one of my customers.
>
> I can trigger the exception by pausing traffic with burp and inserting
> NULL's into the user | pass via a back end flex call. Is there a way to
> take advantage of sqlmap to inject via flex remoting objects ?
>
> If not I will have to write this myself but I thought I may ask the list
> first.
>
> Thanks.
> Sincerely,
> Christopher M Downs
>
> --
> [image: Description: Chrome]
>
> Chris Downs | System Administrator
>
> main
>
> 888.781.0088
>
> email
>
> *chr...@ch... <chr...@ch...>*
>
> web
>
> www.chromeriver.com
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website