Re: [sqlmap-users] --skip-urlencode forcing content type to text/plain

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi.

But sqlmap should automatically skip the url encoding of such request
bodies if the content-type has been set to the proper value from start (or
if there was no content-type from the beginning).

Can you please send a sample request file and/or used sqlmap options.

Bye

On Mon, Oct 19, 2015 at 4:00 PM, Brandon Perry <bpe...@gm...>
wrote:

> The actual request is a SOAP payload, which requires a content type of
> XML, and no URL encoding (which, if performed, returns a 50x).
>
> On Mon, Oct 19, 2015 at 6:37 AM, Miroslav Stampar <
> mir...@gm...> wrote:
>
>> Hi Brandon.
>>
>> Sorry for late reply. It goes like this.
>>
>> Your header value for content-type should be propagated/used, even in
>> this case, in all cases THAN one.
>>
>> If you use --skip-urlencode and you (or your request file) state that the
>> content-type should be "urlencoded" sqlmap forces switch to either the
>> "recognized" (e.g. json, xml,...) or the "plain". So, that line that you've
>> pinpointed will be triggered only in described situation.
>>
>> Can you please describe what are you trying to accomplish? I believe that
>> you are trying to leave some parts (non-payload) url encoded, while you
>> want payload to not be url encoded.
>>
>> Bye
>>
>> On Sun, Oct 18, 2015 at 11:35 AM, Miroslav Stampar <
>> mir...@gm...> wrote:
>>
>>> Will patch it later today.
>>>
>>> Bye
>>> On Oct 17, 2015 04:32, "Brandon Perry" <bpe...@gm...>
>>> wrote:
>>>
>>>> I tracked it down to ./lib/request/connect.py, line 726.
>>>>
>>>> contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint,
>>>> PLAIN_TEXT_CONTENT_TYPE)
>>>>
>>>> I am specifying a content type explicitly with —headers, so commenting
>>>> this line out allowed sqlmap to detect the injections (the server returns
>>>> 50x if the content type isn't right).
>>>>
>>>> Not sure what the correct solution is to this, as I understand the
>>>> intent. Would this be more useful as a github issue?
>>>>
>>>> ------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>

-- 
Miroslav Stampar
http://about.me/stamparm