Re: [sqlmap-users] tamper scripts : is it possible to tamper or just get the method and url ?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

First, please update to the latest revision.

- now you have a variable "_locals" as a copy of query locals() inside the
--eval. In most cases you'll be able to just read it (e.g. changes to
string objects won't be reflected)
- inside of it there is an entry "method" which if its set to None or "GET"
you are dealing with the GET request, otherwise the method will be set to
something concrete. Take a look at: http://pastebin.com/Vbit2RDt
- also, there is an entry "auxHeaders" where you can put a custom header
value inside of --eval. Take a look at: http://pastebin.com/8qd9gG0J

Bye

p.s. this is a "hack", just to help users in this kind of cases. Please
don't expect anything more to be implemented as I am pretty sure that this
is currently more than enough for your case

On Thu, Sep 17, 2015 at 11:29 AM, Vincent Malguy <vi...@ma...> wrote:

> I think so but how can I access and modify headers in a —eval ?
>
> ./sqlmap.py  -u "http://www.google.com/?id=1" --eval="print(uri) ;
> print(method); print(headers); print(body); »
> [11:24:12] [INFO] testing connection to the target URL
> http://www.google.com:80/  <- uri is good !
> [11:24:12] [CRITICAL] an error occurred while evaluating provided code
> ('name 'method' is not defined’)
>
> headers and body can be accessed neither ?
>
> Regards, Vincent
>
>
> > Le 16 sept. 2015 à 20:43, Brandon Perry <bpe...@gm...> a
> écrit :
> >
> > Could you use --eval for this instead?
> >
> > On Wed, Sep 16, 2015 at 10:17 AM, Vincent Malguy <vi...@ma...>
> wrote:
> > Hi,
> >
> > I am new to tamper scripts and I have to forge some custom headers to
> pass a API authentication.
> > I need to get the http METHOD (get, post …) use by the next sqlmap
> resquest and the exact URL that will be use .
> >
> > For exemple , in this header :
> > [17:06:22] [TRAFFIC OUT] HTTP request [#35]:
> > GET /1.0/iot/app/SQLIHERE HTTP/1.1
> > Accept-language: en-us,en;q=0.5
> > Accept-encoding: identity
> > Pragma: no-cache
> > Cache-control: no-cache,no-store
> > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > User-agent: sqlmap/1.0-dev-c59ead3 (http://sqlmap.org)
> > Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> >
> >
> > I want to be able to get the first line : GET /1.0/iot/app/SQLIHERE
> > From this line , I would be able to parse for the METHOD and get the URI
> that I will *statically* concat with the base URL of the API.
> >
> > So far I have managed to compute the auth header and use sqlmap to test
> the API but I have to update my tamper script for each different endpoint
> (URI).
> >
> > Thanks for your help.
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> > Get real-time metrics from all of your servers, apps and tools
> > in one place.
> > SourceForge users - Click here to start your Free Trial of Datadog now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
> > _______________________________________________
> > sqlmap-users mailing list
> > sql...@li...
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
> >
> >
> >
> > --
> > http://volatile-minds.blogspot.com -- blog
> > http://www.volatileminds.net -- website
>
>
>
> ------------------------------------------------------------------------------
> Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
> Get real-time metrics from all of your servers, apps and tools
> in one place.
> SourceForge users - Click here to start your Free Trial of Datadog now!
> http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

-- 
Miroslav Stampar
http://about.me/stamparm