Re: [sqlmap-users] See list of all payloads inserted by SQLMap
Brought to you by:
inquisb
From: Miroslav S. <mir...@gm...> - 2016-01-20 13:39:57
|
You can take a look into xml/payloads/*.xml and xml/boundaries.xml for testing phase payloads You can take a look into lib/controller/checks.py for testing phase generation of payloads You can take a look into xml/boundaries.xml and xml/queries.xml for exploitation phase payloads You can take a look into plugins/*.py and lib/core/agent.py for exploitation phase payloads Bye p.s. each DBMS has its own payloads. Practically, two same MySQL platforms (with same vulnerability) should generate pretty similar payloads. But, if one MySQL platform is vulnerable to boolean SQLi and the other to UNION SQLi you can't expect same payloads On Wed, Jan 20, 2016 at 2:33 PM, Mithun Vaidhyanathan < mit...@ow...> wrote: > Hi Miroslav, > > The situation is that I can't rerun or hit the system again for a couple > of days due to a business issue. In the meanwhile, I need to extract all > payloads injected from the scan that I already ran today. If I cannot see > payloads from the exploit phase, can you please point me to the logic in > the code where these payloads are generated? I saw a few xml files under > the payloads folder, and along with these xml files and the code, I can try > to reverse engineer and probably regenerate those payloads again. I am > assuming that the same payloads are generated in every scan for a given > database type (say Oracle)? > > Thanks, > Mithun > On Jan 20, 2016 6:19 PM, "Miroslav Stampar" <mir...@gm...> > wrote: > >> You can see all testing payloads by rerunning with -v 3. >> >> You can't see payloads that sqlmap generated during the exploitation >> phase. Results of those payloads are stored inside the appropriate >> session.sqlite, but with hashed queries/payloads. Without doing this >> session files would explode in case of huge table dumps. >> >> Bye >> >> On Wed, Jan 20, 2016 at 1:04 PM, Mithun Vaidhyanathan < >> mit...@ow...> wrote: >> >>> Hello Everyone, >>> >>> I need to retrieve all payloads inserted by SQLMap into vulnerable >>> parameters. Is it possible? >>> >>> Right now, in my output directory, I can see a log file with only one >>> payload example. Does the tool store all payloads that it injects? How can >>> I pull out this information? >>> >>> Thanks, >>> Mithun >>> >>> >>> ------------------------------------------------------------------------------ >>> Site24x7 APM Insight: Get Deep Visibility into Application Performance >>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month >>> Monitor end-to-end web transactions and take corrective actions now >>> Troubleshoot faster and improve end-user experience. Signup Now! >>> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >>> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> > -- Miroslav Stampar http://about.me/stamparm |