Thread: [sqlmap-users] User friendly url
From: Carlos G. V. <car...@gm...> - 2010-09-15 15:30:24
Hi!
(Please excuse my English.)

I've got a question about GET parameters; I looked into the mail archive and didn't find anything about telling sqlmap which "parameter" to use when the site uses friendly URLs.

In my test environment I have this URL:

http://127.0.0.1/lookin-for-dog/1455/

The injectable part is "1455", which looks like a path name. In fact, the parameter is "looking-for-dog", and the value is "1455". Testing with:

http://127.0.0.1/lookin-for-dog/1455%20or%201%3d1/
(meaning http://127.0.0.1/lookin-for-dog/1455 or 1=1/)

...seems to work. When injecting something like "1455%27", a MySQL error appears. So I think the URL is injectable. The problem is that I can't pass this kind of parameter to sqlmap, or, better said, I don't know how to pass it.

Is there a workaround for this?

Thanks in advance,

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar
PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------
From: Christoph A. <ca...@gm...> - 2010-09-15 20:13:08
Attachments:
signature.asc
On 09/15/2010 05:30 PM, Carlos Gabriel Vergara wrote:
> Hi!
> (Please excuse my English.)
>
> I've got a question about GET parameters; I looked into the mail
> archive and didn't find anything about telling sqlmap which "parameter"
> to use when the site uses friendly URLs.
>
> In my test environment I have this URL:
>
> http://127.0.0.1/lookin-for-dog/1455/
>
> The injectable part is "1455", which looks like a path name. In fact,
> the parameter is "looking-for-dog", and the value is "1455". Testing
> with:
>
> http://127.0.0.1/lookin-for-dog/1455%20or%201%3d1/
> (meaning http://127.0.0.1/lookin-for-dog/1455 or 1=1/)
>
> ...seems to work. When injecting something like "1455%27", a MySQL
> error appears. So I think the URL is injectable. The problem is that
> I can't pass this kind of parameter to sqlmap, or, better said, I don't
> know how to pass it.
>
> Is there a workaround for this?

You might want to have a look at this thread:
http://sourceforge.net/mailarchive/message.php?msg_name=4C3F94D3.5030408%40gmail.com
From: Carlos G. V. <car...@gm...> - 2010-09-16 00:01:56
I think I have a workaround for this...

Using Burp Suite, you can search & replace strings in the request. So I rewrite the URL in a format that sqlmap understands, like this:

http://127.0.0.1/lookin-for-dog/?fakeparam=1455&fakeendbackslash=

(the original URL was http://127.0.0.1/lookin-for-dog/1455/)

then added these rules to the proxy options (Burp Suite):

1.- replace ?fakeparam= with an empty string
2.- replace &fakeendbackslash= with /

then used sqlmap through Burp Suite:

$ sqlmap -u "http://127.0.0.1/lookin-for-dog/?fakeparam=1455&fakeendbackslash=" -p fakeparam --string SOMESTRING --proxy "http://127.0.0.1:8080" -b

and voila! It started to work... but with some issues... At some point I get this output:

[20:56:40] [INFO] testing for parenthesis on injectable parameter
[20:56:40] [INFO] testing MySQL
[20:56:41] [INFO] confirming MySQL
[20:56:41] [WARNING] the back-end DMBS is not MySQL
[20:56:41] [INFO] testing Oracle
[20:56:42] [WARNING] the back-end DMBS is not Oracle
[20:56:42] [INFO] testing PostgreSQL
[20:56:42] [WARNING] the back-end DMBS is not PostgreSQL
[20:56:42] [INFO] testing Microsoft SQL Server
[20:56:43] [WARNING] the back-end DMBS is not Microsoft SQL Server
[20:56:43] [ERROR] sqlmap was not able to fingerprint the back-end database management system, but from the HTML error page it was possible to determinate that the back-end DBMS is MySQL. Do not specify the back-end DBMS manually, sqlmap will fingerprint the DBMS for you

[*] shutting down at: 20:56:43

And it dies there... no more sqlmap for me. I tried to force it with --dbms "MySQL", but nothing appears to work.

Any advice?

Thanks!!!!

2010/9/15 Christoph A. <ca...@gm...>:
> On 09/15/2010 05:30 PM, Carlos Gabriel Vergara wrote:
>> Hi!
>> (Please excuse my English.)
>>
>> I've got a question about GET parameters; I looked into the mail
>> archive and didn't find anything about telling sqlmap which "parameter"
>> to use when the site uses friendly URLs.
>>
>> In my test environment I have this URL:
>>
>> http://127.0.0.1/lookin-for-dog/1455/
>>
>> The injectable part is "1455", which looks like a path name. In fact,
>> the parameter is "looking-for-dog", and the value is "1455". Testing
>> with:
>>
>> http://127.0.0.1/lookin-for-dog/1455%20or%201%3d1/
>> (meaning http://127.0.0.1/lookin-for-dog/1455 or 1=1/)
>>
>> ...seems to work. When injecting something like "1455%27", a MySQL
>> error appears. So I think the URL is injectable. The problem is that
>> I can't pass this kind of parameter to sqlmap, or, better said, I don't
>> know how to pass it.
>>
>> Is there a workaround for this?
>
>
>
> You might want to have a look at this thread:
> http://sourceforge.net/mailarchive/message.php?msg_name=4C3F94D3.5030408%40gmail.com
>
>
>

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar
PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------
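The rewrite trick described in the first and third messages (give sqlmap a query-string URL, let an intercepting proxy turn it back into the friendly path) can be scripted instead of configured as Burp search-and-replace rules. The block below is an added example, not code from the thread or from sqlmap or Burp Suite: it implements the same two rules as one function that moves the `fakeparam` value into the path and appends the trailing slash for `fakeendbackslash`, and it exposes a `request(flow)` hook so the same file can be loaded as a mitmproxy addon (`mitmproxy -s rewrite.py`) in place of Burp. The parameter names, the URLs and the payloads are the constructed ones from the thread; the addon usage is an assumption about deployment, not something the thread tested. The value is copied byte-for-byte from the query string without decoding, so a percent-encoded payload sqlmap put there (`1455%20AND%201%3D1`) reaches the application exactly as sqlmap encoded it, which is what a plain string replace in Burp also guarantees.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical parameter names, matching the workaround in the thread.
FAKE_PARAM = "fakeparam"          # carries the path segment sqlmap injects into
FAKE_END = "fakeendbackslash"     # presence means "append a trailing slash"


def rewrite_request_url(url, path_param=FAKE_PARAM, end_param=FAKE_END):
    """Turn sqlmap's query-string form back into the friendly URL.

    http://127.0.0.1/lookin-for-dog/?fakeparam=1455&fakeendbackslash=
        -> http://127.0.0.1/lookin-for-dog/1455/

    The value of `path_param` is moved verbatim (no unquote/requote), so
    the percent-encoded payload sqlmap placed there is not altered.
    URLs that do not carry `path_param` are returned unchanged, so the
    proxy stays transparent for every other request.
    """
    parts = urlsplit(url)
    pairs = parts.query.split("&") if parts.query else []

    value = None
    saw_end = False
    remaining = []
    for pair in pairs:
        name, _, val = pair.partition("=")
        if name == path_param:
            value = val
        elif name == end_param:
            saw_end = True
        else:
            remaining.append(pair)   # any other query parameter survives

    if value is None:
        return url

    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    path += value
    if saw_end:
        path += "/"
    # urlunsplit omits the "?" when the remaining query is empty.
    return urlunsplit((parts.scheme, parts.netloc, path,
                       "&".join(remaining), parts.fragment))


def request(flow):
    """mitmproxy addon hook (assumed deployment): rewrite each outgoing request.

    Assigning flow.request.url is the supported way to change the target URL
    in a mitmproxy addon; the application then sees the friendly URL while
    sqlmap keeps talking to the query-string form it understands.
    """
    flow.request.url = rewrite_request_url(flow.request.url)


if __name__ == "__main__":
    # Constructed inputs: the baseline request and one carrying a boolean payload.
    for u in (
        "http://127.0.0.1/lookin-for-dog/?fakeparam=1455&fakeendbackslash=",
        "http://127.0.0.1/lookin-for-dog/?fakeparam=1455%20AND%201%3D1&fakeendbackslash=",
        "http://127.0.0.1/other/?id=7",
    ):
        print(u, "->", rewrite_request_url(u))
```

Run with sqlmap pointed at the proxy (`--proxy "http://127.0.0.1:8080"` as in the thread) and the rewritten URL in `-u`, with `-p fakeparam` so only that parameter is tested. Note that later sqlmap releases also accept a custom injection-point marker directly in the URI, an asterisk after the value (`-u "http://127.0.0.1/lookin-for-dog/1455*/"`), which removes the need for the proxy rewrite altogether; the thread predates that option.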