Re: [sqlmap-users] --skip-urlencode forcing content type to text/plain
From: Brandon P. <bpe...@gm...> - 2015-10-19 14:00:09
The actual request is a SOAP payload, which requires a content type of XML, and no URL encoding (which, if performed, returns a 50x).

On Mon, Oct 19, 2015 at 6:37 AM, Miroslav Stampar <mir...@gm...> wrote:

> Hi Brandon.
>
> Sorry for the late reply. It goes like this.
>
> Your header value for content-type should be propagated/used, even in this
> case, in all cases other THAN one.
>
> If you use --skip-urlencode and you (or your request file) state that the
> content-type should be "urlencoded", sqlmap forces a switch to either the
> "recognized" (e.g. json, xml, ...) or the "plain". So, that line that you've
> pinpointed will be triggered only in the described situation.
>
> Can you please describe what you are trying to accomplish? I believe that
> you are trying to leave some parts (non-payload) url encoded, while you
> want the payload to not be url encoded.
>
> Bye
>
> On Sun, Oct 18, 2015 at 11:35 AM, Miroslav Stampar <mir...@gm...> wrote:
>
>> Will patch it later today.
>>
>> Bye
>> On Oct 17, 2015 04:32, "Brandon Perry" <bpe...@gm...> wrote:
>>
>>> I tracked it down to ./lib/request/connect.py, line 726.
>>>
>>> contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, PLAIN_TEXT_CONTENT_TYPE)
>>>
>>> I am specifying a content type explicitly with --headers, so commenting
>>> this line out allowed sqlmap to detect the injections (the server returns
>>> 50x if the content type isn't right).
>>>
>>> Not sure what the correct solution is to this, as I understand the
>>> intent. Would this be more useful as a github issue?
>>>
>>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website