Hi.
Payload is a must because it's usable from a practical point of view. It can
be copy-pasted into the browser and used right away. Vector is just a form
how to make a payload. Sorry, but the final decision is like the way it is.
Kind regards,
Miroslav Stampar
On Feb 10, 2012 9:15 PM, "Till Maas" <ope...@ti...> wrote:
> Hi Miroslav,
>
> On Fri, Feb 10, 2012 at 03:59:39PM +0100, Miroslav Stampar wrote:
>
> > Basically, IMO the average user doesn't care about anything but the data
> > retrieval. But, nevertheless, find this "patch" included with the latest
> > commit (r4735). You'll be able to see the vector if you use greater verbose
> > mode than the default 1 (e.g. -v 2).
>
> thank you for including the patch. But I would like to propose to change
> payload and vector in the output. To me it looks more useful to display
> the vector instead of the payload in a normal use case. The payload
> usually does not make it clear how a certain injection works and what it
> does without the information what the vector is. Therefore I do not see
> much value for the average user to see the payload without the vector.
> But the vector is useful without knowing the payload imho, because the
> actual values used for the payload are imho mainly useful for debugging.
>
> So my proposal is to show the vector instead of the payload by default
> and only the payload if the verbosity is greater than 1. Or do you know
> use cases for average users to know the payload?
>
> Regards
> Till
>