Re: [sqlmap-users] AMF sqli injection
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] AMF sqli injection
|
From: Chris O. <chr...@gm...> - 2015-05-28 19:24:44
|
"Flex is hard because you have to update the integer that tells flex how long a string is" It might be possible to address this with the --eval option On 28 May 2015 at 14:59, Brandon Perry <bpe...@gm...> wrote: > Flex is hard because you have to update the integer that tells flex how > long a string is, unless I am mistaken. > > If not, you could try with the * marker to tell sqlmap exactly where the > injection point is. > > On Thu, May 28, 2015 at 1:21 PM, Christopher Downs < > chr...@ch...> wrote: > >> Good afternoon gents, >> I am a profession penetration tester and have a rather difficult >> injection point for one of my customers. >> >> I can trigger the exception by pausing traffic with burp and inserting >> NULL's into the user | pass via a back end flex call. Is there a way to >> take advantage of sqlmap to inject via flex remoting objects ? >> >> If not I will have to write this myself but I thought I may ask the list >> first. >> >> Thanks. >> Sincerely, >> Christopher M Downs >> >> -- >> [image: Description: Chrome] >> >> Chris Downs | System Administrator >> >> main >> >> 888.781.0088 >> >> email >> >> *chr...@ch... <chr...@ch...>* >> >> web >> >> www.chromeriver.com >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > > > ------------------------------------------------------------------------------ > > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > |
