Thread: [sqlmap-users] Not url-encoding POST-data possible?
From: Thomas S. <ts...@go...> - 2012-05-23 19:56:24

Hi,

can I tell sqlmap to not url-encode POST-data?

In my case a PHP webservice complains about not getting a '<' as first character:

Warning: simplexml_load_string(): Entity: line 1: parser error : Start tag expected, '<' not found in...
Warning: simplexml_load_string(): %3Crequest...

The reason is that sqlmap sends the payload url-encoded:

%3CRequest%3E%3CID%3E111*%3C/ID>%3C%2FRequest%3E

Trying the same request in Burp without urlencoding like this:

<Request><ID>111*</ID></Request>

does not produce the error

Thanks!

Thomas

From: Miroslav S. <mir...@gm...> - 2012-05-24 09:56:47

Hi.

There is no such option, but something will be done (e.g. --skip-urlencode). Will keep you updated.

Kind regards

From: Miroslav S. <mir...@gm...> - 2012-05-24 23:11:45

Hi Thomas.

With the latest r5076 you'll get a new switch '--skip-urlencode' which tells sqlmap to skip URL encoding of POST data.

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm

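Added example (not part of the original thread, and not sqlmap's code): a small Python model of the mismatch discussed above, where a client percent-encodes a raw XML POST body and the service feeds it unchanged to an XML parser. The helper names, the `skip_urlencode` parameter and the sample body are assumptions made for illustration; `xml.etree` stands in for PHP's `simplexml_load_string()`.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# Constructed sample body, modelled on the request quoted in the thread.
XML_BODY = "<Request><ID>111</ID></Request>"


def build_post_body(body: str, skip_urlencode: bool) -> str:
    """Hypothetical client step: percent-encode the whole body unless told not to."""
    return body if skip_urlencode else quote(body, safe="")


def service_parse(raw_body: str) -> str:
    """Stand-in for the service: the raw body goes straight to an XML parser,
    with no URL-decoding step, as when simplexml_load_string() reads the body."""
    try:
        return ET.fromstring(raw_body).findtext("ID")
    except ET.ParseError as exc:
        return f"parser error: {exc}"


def diagnose(raw_body: str) -> str:
    """Classify a received body the way someone triaging the warning would."""
    stripped = raw_body.lstrip()
    if stripped.startswith("<"):
        return "raw XML"
    if unquote(stripped).lstrip().startswith("<"):
        return "percent-encoded XML"
    return "not XML"


if __name__ == "__main__":
    for skip in (False, True):
        sent = build_post_body(XML_BODY, skip_urlencode=skip)
        print(f"skip_urlencode={skip}")
        print(f"  body on the wire : {sent}")
        print(f"  diagnosis        : {diagnose(sent)}")
        print(f"  service result   : {service_parse(sent)}")
```

Percent-encoding is only correct for `application/x-www-form-urlencoded` bodies, which the server decodes before use; a body sent as XML is parsed byte for byte, so the first character must be a literal '<'.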
From: Thomas S. <ts...@go...> - 2012-05-25 10:40:32

Miroslav,

great! Makes me and my customer happy!

Thomas

From: André S. <and...@gm...> - 2012-05-24 23:34:53

Bernardo / Miroslav,

The SqlMap is indeed an amazing open source software.

Bug fixes, implementation of new features....

Thanks guys

From: Miroslav S. <mir...@gm...> - 2012-05-24 23:47:39

;)

--
Miroslav Stampar
http://about.me/stamparm

From: Dennis <kor...@ya...> - 2012-05-25 07:54:39

That feature comes in handy for me as well. Great work guys, as always!

Cheers,
Dennis