Re: [sqlmap-users] --skip-urlencode forcing content type to text/plain
From: Brandon P. <bpe...@gm...> - 2015-10-19 17:05:51
Just curious, how do you expect a user to set a specific content type? Is there an argument I am missing, or is --headers the expected way?

On Mon, Oct 19, 2015 at 9:41 AM, Miroslav Stampar <mir...@gm...> wrote:

> I really can't enforce this behavior. Waiting for your sample.
>
> Bye
>
> On Mon, Oct 19, 2015 at 4:04 PM, Brandon Perry <bpe...@gm...>
> wrote:
>
>> Yes, I can, but it will have to be when I get home this evening.
>>
>> FWIW, I am interacting with the sqlmap API, so not passing it a request
>> file. I am building the SOAP XML programmatically, then setting it as the
>> 'data' in the options (along with headers to specify text/xml and
>> SOAPAction), with skipUrlEncode.
>>
>> On Mon, Oct 19, 2015 at 9:02 AM, Miroslav Stampar <
>> mir...@gm...> wrote:
>>
>>> Hi.
>>>
>>> But sqlmap should automatically skip the url encoding of such request
>>> bodies if the content-type has been set to the proper value from start (or
>>> if there was no content-type from the beginning).
>>>
>>> Can you please send a sample request file and/or used sqlmap options.
>>>
>>> Bye
>>>
>>> On Mon, Oct 19, 2015 at 4:00 PM, Brandon Perry <
>>> bpe...@gm...> wrote:
>>>
>>>> The actual request is a SOAP payload, which requires a content type of
>>>> XML, and no URL encoding (which, if performed, returns a 50x).
>>>>
>>>> On Mon, Oct 19, 2015 at 6:37 AM, Miroslav Stampar <
>>>> mir...@gm...> wrote:
>>>>
>>>>> Hi Brandon.
>>>>>
>>>>> Sorry for late reply. It goes like this.
>>>>>
>>>>> Your header value for content-type should be propagated/used, even in
>>>>> this case, in all cases THAN one.
>>>>>
>>>>> If you use --skip-urlencode and you (or your request file) state that
>>>>> the content-type should be "urlencoded" sqlmap forces switch to either the
>>>>> "recognized" (e.g. json, xml,...) or the "plain". So, that line that you've
>>>>> pinpointed will be triggered only in described situation.
>>>>>
>>>>> Can you please describe what are you trying to accomplish? I believe
>>>>> that you are trying to leave some parts (non-payload) url encoded, while
>>>>> you want payload to not be url encoded.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Sun, Oct 18, 2015 at 11:35 AM, Miroslav Stampar <
>>>>> mir...@gm...> wrote:
>>>>>
>>>>>> Will patch it later today.
>>>>>>
>>>>>> Bye
>>>>>> On Oct 17, 2015 04:32, "Brandon Perry" <bpe...@gm...>
>>>>>> wrote:
>>>>>>
>>>>>>> I tracked it down to ./lib/request/connect.py, line 726.
>>>>>>>
>>>>>>> contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, PLAIN_TEXT_CONTENT_TYPE)
>>>>>>>
>>>>>>> I am specifying a content type explicitly with --headers, so
>>>>>>> commenting this line out allowed sqlmap to detect the injections (the
>>>>>>> server returns 50x if the content type isn't right).
>>>>>>>
>>>>>>> Not sure what the correct solution is to this, as I understand the
>>>>>>> intent. Would this be more useful as a github issue?
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm
>>>>
>>>> --
>>>> http://volatile-minds.blogspot.com -- blog
>>>> http://www.volatileminds.net -- website
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
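
The content-type rule described in the quoted 6:37 AM reply, written out as a small Python model with the reported SOAP case as a check (an added example, not part of the thread and not sqlmap's code). The table values, the plain-text default, the fallback used when no header is supplied, and the names media_type, find_header and effective_content_type are assumptions made for illustration.

```python
# Model of the rule described in the thread; NOT sqlmap's implementation.
URLENCODED = "application/x-www-form-urlencoded"
PLAIN_TEXT_CONTENT_TYPE = "text/plain; charset=utf-8"  # assumed value
POST_HINT_CONTENT_TYPES = {  # assumed values, keyed by detected body type
    "JSON": "application/json",
    "XML": "application/xml",
    "SOAP": "application/soap+xml",
}


def media_type(value):
    """Lower-cased media type with parameters such as charset removed."""
    return value.split(";", 1)[0].strip().lower()


def find_header(headers, name):
    """Case-insensitive header lookup; returns the value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def effective_content_type(headers, post_hint, skip_urlencode):
    """Content-Type that goes on the wire under the rule quoted above.

    The caller's header is kept in every case but one: URL encoding is
    skipped while the header still claims a urlencoded body.
    """
    supplied = find_header(headers, "Content-Type")
    if supplied is None:
        # Assumption: with no header, use the hint for the detected body.
        return POST_HINT_CONTENT_TYPES.get(post_hint, PLAIN_TEXT_CONTENT_TYPE)
    if skip_urlencode and media_type(supplied) == URLENCODED:
        # The single override case: recognised type, else plain text.
        return POST_HINT_CONTENT_TYPES.get(post_hint, PLAIN_TEXT_CONTENT_TYPE)
    return supplied


if __name__ == "__main__":
    # Constructed headers mirroring the SOAP case reported in the thread.
    soap = {"content-type": "text/xml; charset=utf-8", "SOAPAction": '"urn:x"'}
    print(effective_content_type(soap, "SOAP", True))
```

Under this rule an explicit text/xml header survives skipUrlEncode, which is the outcome the SOAP endpoint in the thread requires.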