Re: [sqlmap-users] tamper scripts : is it possible to tamper or just get the method and url ?
From: Brandon P. <bpe...@gm...> - 2015-09-16 18:44:06
Could you use --eval for this instead?

On Wed, Sep 16, 2015 at 10:17 AM, Vincent Malguy <vi...@ma...> wrote:

> Hi,
>
> I am new to tamper scripts and I have to forge some custom headers to pass
> an API authentication.
> I need to get the HTTP METHOD (get, post …) used by the next sqlmap
> request and the exact URL that will be used.
>
> For example, in this header:
> [17:06:22] [TRAFFIC OUT] HTTP request [#35]:
> GET /1.0/iot/app/SQLIHERE HTTP/1.1
> Accept-language: en-us,en;q=0.5
> Accept-encoding: identity
> Pragma: no-cache
> Cache-control: no-cache,no-store
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-agent: sqlmap/1.0-dev-c59ead3 (http://sqlmap.org)
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
>
> I want to be able to get the first line: GET /1.0/iot/app/SQLIHERE
> From this line, I would be able to parse for the METHOD and get the URI
> that I will *statically* concat with the base URL of the API.
>
> So far I have managed to compute the auth header and use sqlmap to test
> the API but I have to update my tamper script for each different endpoint
> (URI).
>
> Thanks for your help.

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website