Thread: [sqlmap-users] Problem/confusion with wildcard in url
From: Gianluca B. <g...@br...> - 2012-01-05 14:18:57
Hello,
if I provide a URL with * like this:

http://target.com/path/to/index.php?id=12*&action=add&path=/path/to/&imgIndex=

sqlmap doesn't recognize the valid GET param in the URL:

[15:34:23] [WARNING] you've provided target url without any GET parameters (e.g. www.site.com/article.php?id=1) and without providing any POST parameters through --data option
do you want to try URI injections in the target url itself? [Y/n/q]

But it looks like it injects correctly where I placed the wildcard.

Instead, without * everything is working fine as usual.
So I am not sure if this is some sort of bug or it's me misusing the * option (i.e. if the URL is not rewritten I should just use -p id).

Thanks,
Gianluca Brindisi

From: Chris O. <chr...@gm...> - 2012-01-05 14:46:32
-p will definitely work, no need for * when it's not rewritten URLs. Not sure if that counts as a bug therefore... so in the meantime, just use -p

Chris

From: Bernardo D. A. G. <ber...@gm...> - 2012-01-05 18:05:35
It does not count as a bug. That's the expected behaviour.

Bernardo Damele A. G.

This message was sent from a smartphone

From: Miroslav S. <mir...@gm...> - 2012-01-05 23:54:13
Hi Gianluca.

There was indeed a minor "glitch" regarding your case. Find it "patched" with the latest commit (r4653).

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm

From: Gianluca B. <g...@br...> - 2012-01-06 00:25:51
Thanks guys!
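
The distinction the thread turns on, as an added example that is not part of the original posts and is not sqlmap's own code: a * inside a query-string value belongs to a named GET parameter that -p can select, while a * in a path segment of a rewritten URL has no parameter name. The function name classify and the second URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

MARK = "*"  # the injection-point marker used in the thread's URL

def classify(url):
    """Report where each marker sits and whether -p alone could name that spot."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    marks = []
    # A marker in a path segment has no parameter name: the rewritten-URL case.
    for index, segment in enumerate(parts.path.split("/")):
        if MARK in segment:
            marks.append(("path", index, segment))
    # A marker in a query value belongs to an ordinary, named GET parameter.
    for name, value in params:
        if MARK in value:
            marks.append(("query", name, value))
    return {
        "get_params": [name for name, _ in params],
        "marks": marks,
        "selectable_with_p": [m[1] for m in marks if m[0] == "query"],
        "needs_marker": any(m[0] == "path" for m in marks),
    }

# Constructed inputs: the first is the URL quoted in the thread, the second is a
# hypothetical rewritten URL with no query string.
THREAD_URL = "http://target.com/path/to/index.php?id=12*&action=add&path=/path/to/&imgIndex="
REWRITTEN_URL = "http://target.com/article/12*/view"

if __name__ == "__main__":
    for url in (THREAD_URL, REWRITTEN_URL):
        print(url, classify(url))
```

For the thread's URL the GET parameters are all present and the marker falls inside id, which is why the "without any GET parameters" warning was misleading there.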