Re: [sqlmap-users] --skip-urlencode forcing content type to text/plain
From: Brandon P. <bpe...@gm...> - 2015-10-20 01:08:17
I am magically unable to reproduce this at the moment. If I end up seeing the behavior again, I will get more information to reproduce with. However, I did realize that I no longer actually need --skip-urlencode. At some point between when I last touched this code and now, POST request bodies are no longer URL encoded.

In any case, sorry for the noise.

> On Oct 19, 2015, at 12:08 PM, Miroslav Stampar <mir...@gm...> wrote:
>
> Either through request file or headers. Otherwise, sqlmap automatically sets it based on recognized type (e.g. application/json for JSON)
>
> Bye
>
> On Oct 19, 2015 7:05 PM, "Brandon Perry" <bpe...@gm...> wrote:
> Just curious, how do you expect a user to set a specific content type? Is there an argument I am missing, or is --headers the expected way?
>
> On Mon, Oct 19, 2015 at 9:41 AM, Miroslav Stampar <mir...@gm...> wrote:
> I really can't enforce this behavior. Waiting for your sample.
>
> Bye
>
> On Mon, Oct 19, 2015 at 4:04 PM, Brandon Perry <bpe...@gm...> wrote:
> Yes, I can, but it will have to be when I get home this evening.
>
> FWIW, I am interacting with the sqlmap API, so not passing it a request file. I am building the SOAP XML programmatically, then setting it as the 'data' in the options (along with headers to specify text/xml and SOAPAction), with skipUrlEncode.
>
> On Mon, Oct 19, 2015 at 9:02 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi.
>
> But sqlmap should automatically skip the url encoding of such request bodies if the content-type has been set to the proper value from start (or if there was no content-type from the beginning).
>
> Can you please send a sample request file and/or used sqlmap options.
>
> Bye
>
> On Mon, Oct 19, 2015 at 4:00 PM, Brandon Perry <bpe...@gm...> wrote:
> The actual request is a SOAP payload, which requires a content type of XML, and no URL encoding (which, if performed, returns a 50x).
>
> On Mon, Oct 19, 2015 at 6:37 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Brandon.
>
> Sorry for late reply. It goes like this.
>
> Your header value for content-type should be propagated/used, even in this case, in all cases other THAN one.
>
> If you use --skip-urlencode and you (or your request file) state that the content-type should be "urlencoded" sqlmap forces switch to either the "recognized" (e.g. json, xml,...) or the "plain". So, that line that you've pinpointed will be triggered only in described situation.
>
> Can you please describe what are you trying to accomplish? I believe that you are trying to leave some parts (non-payload) url encoded, while you want payload to not be url encoded.
>
> Bye
>
> On Sun, Oct 18, 2015 at 11:35 AM, Miroslav Stampar <mir...@gm...> wrote:
> Will patch it later today.
>
> Bye
>
> On Oct 17, 2015 04:32, "Brandon Perry" <bpe...@gm...> wrote:
> I tracked it down to ./lib/request/connect.py, line 726.
>
> contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, PLAIN_TEXT_CONTENT_TYPE)
>
> I am specifying a content type explicitly with --headers, so commenting this line out allowed sqlmap to detect the injections (the server returns 50x if the content type isn't right).
>
> Not sure what the correct solution is to this, as I understand the intent. Would this be more useful as a github issue?
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
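The content-type rule described in the thread, modelled as an added example (this is not sqlmap's code and not from either poster). The names `recognize_hint`, `effective_content_type` and `HINT_TYPES`, the SOAP/XML entries in the table, and the urlencoded fallback when no header is given are assumptions of this model; the sample SOAP body is constructed.

```python
import json
import xml.etree.ElementTree as ET

URLENCODED = "application/x-www-form-urlencoded"
PLAIN = "text/plain"
# Assumed hint -> type table; only the JSON entry is stated in the thread.
HINT_TYPES = {"JSON": "application/json",
              "SOAP": "application/soap+xml",
              "XML": "application/xml"}

# Constructed sample body, similar in shape to a programmatically built SOAP request.
SOAP_BODY = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soapenv:Body><getUser><id>1</id></getUser></soapenv:Body>'
             '</soapenv:Envelope>')

def recognize_hint(body):
    """Return 'JSON', 'SOAP', 'XML' or None for a request body (hypothetical helper)."""
    text = body.strip()
    try:
        if isinstance(json.loads(text), (dict, list)):
            return "JSON"
    except ValueError:
        pass
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    return "SOAP" if root.tag.endswith("Envelope") else "XML"

def effective_content_type(headers, body, skip_urlencode):
    """Model of the rule from the thread; returns the Content-Type that is sent."""
    user = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    hint = recognize_hint(body)
    if user is None:
        # No header from the user: choose by recognized body type.
        # Falling back to urlencoded here is an assumption of this model.
        return HINT_TYPES.get(hint, URLENCODED)
    if skip_urlencode and URLENCODED in user.lower():
        # The one case where the user's value is replaced: a urlencoded
        # content type combined with a request not to URL-encode the body.
        return HINT_TYPES.get(hint, PLAIN)
    # Every other case: the explicitly supplied header is used as given.
    return user
```

Under this model an explicit `text/xml` header is kept even with URL encoding skipped, and `text/plain` appears only when a urlencoded header is combined with an unrecognized body.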