Thread: [sqlmap-users] sql injection without URL Parameter
From: Christoph A. <ca...@gm...> - 2010-07-15 23:08:29
Hi,

is there a way to tell sqlmap that it should exploit an sql injection
flaw within the URL (no parameters)?

E.g.

example.com/folder/1
example.com/folder/1+union+select...

As the page requires authentication I specify also the --cookie parameter.
sqlmap seems only to test cookie fields and as there is no URL parameter
(eg. ..?id=1) I can't use the -p option.

kind regards,
christoph

From: Miroslav S. <mir...@gm...> - 2010-07-16 08:24:51
Sorry,

nay again :). It shouldn't be much of a work for that to implement,
but right now all tests require a solid parameter (GET, POST, Cookie,
UA).

opened a feature request for this one (ticket #199).

KR

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B

From: Christoph A. <ca...@gm...> - 2010-07-16 23:34:17
On 07/16/2010 10:24 AM, Miroslav Stampar wrote:
> Sorry,
>
> nay again :). It shouldn't be much of a work for that to implement,
> but right now all tests require a solid parameter (GET, POST, Cookie,
> UA).
>
> opened a feature request for this one (ticket #199).

great! are these tickets on a public system, so that I can track the state
of that ticket?

kind regards,
Christoph

From: Miroslav S. <mir...@gm...> - 2010-07-17 09:15:45
sorry, for the moment it's a closed one.

kr

From: Christoph A. <ca...@gm...> - 2010-09-15 20:16:03
Attachments:
signature.asc
On 07/16/2010 10:24 AM, Miroslav Stampar wrote:
> Sorry,
>
> nay again :). It shouldn't be much of a work for that to implement,
> but right now all tests require a solid parameter (GET, POST, Cookie,
> UA).
>
> opened a feature request for this one (ticket #199).

Given the fact that there are frequent "requests" for this feature I
wanted to ask in which state this ticket is.

thanks,
Christoph

From: Miroslav S. <mir...@gm...> - 2010-09-15 23:57:57
ok, will work soon on it. matter of week or two after finishing some
other stuff started.

kind regards

From: Miroslav S. <mir...@gm...> - 2010-09-23 13:18:44
hi.

could you please send me some link for testing this one. we've done
some basic stuff and now haven't got any target to test it on.

kr

From: Miroslav S. <mir...@gm...> - 2010-09-24 09:33:27
Hi.

With the latest SVN commit you can exploit path injections by issuing
a command to sqlmap as:

./sqlmap.py -u "http://www.site.com/somewhere/1*/"

Notice that * mark inside of path. That's new in sqlmap. So, please
update to latest version from our SVN repository and report if you
notice any problems.

Kind regards.

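
The flaw this thread is about, where the injectable value is a path segment rather than a named parameter, shown from the application side as an added example (not part of the original thread and not sqlmap code). The table names, sample rows and handler functions are constructed for illustration, and the path is shown as the server sees it after URL decoding.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for the application's database.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (name TEXT, secret TEXT);
        INSERT INTO items VALUES (1, 'first item'), (2, 'second item');
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return db


def last_segment(path):
    # "/folder/1" -> "1": the value arrives in the path, there is no ?id= parameter.
    return path.rstrip("/").rsplit("/", 1)[-1]


def handle_vulnerable(db, path):
    # The path segment is pasted into the SQL text, so it can change the query.
    sql = "SELECT title FROM items WHERE id = " + last_segment(path)
    return [row[0] for row in db.execute(sql)]


def handle_hardened(db, path):
    # Allow-list the segment first, then pass it as a bound parameter.
    seg = last_segment(path)
    if not re.fullmatch(r"[0-9]{1,9}", seg):
        return None  # the caller would answer 400 or 404
    rows = db.execute("SELECT title FROM items WHERE id = ?", (int(seg),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for path in ("/folder/1", "/folder/1 union select secret from users"):
        print(path, handle_vulnerable(db, path), handle_hardened(db, path))
```

A path segment is request input like any query-string value: scanners and reviewers that only enumerate named parameters will miss it, which is why routes with "friendly" URLs need the same binding and validation.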
From: Carlos G. V. <car...@gm...> - 2010-09-27 16:57:11
Testing. So far, no problems.

This option will open a wide range of possibilities, cos I'm finding a
lot of web applications that use friendly urls; this is the product
of a "human friendly" logic business layer.

Thanks again Miroslav. If I can help with something, just ask.

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar
PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------

From: Philippe A. R. S. <sc...@co...> - 2010-10-11 14:19:55
Attachments:
smime.p7s
Hi,

I just gave the new "URI Marker" a try with the following result:

./sqlmap.py -u "http://www.site.com/path/Id/978-3-7857-6020-8*"

sqlmap version: 0.9-dev
Python version: 2.5.2
Operating system: posix
Traceback (most recent call last):
  File "./sqlmap.py", line 96, in main
    start()
  File "/vol/tools/sqlmap-dev/lib/controller/controller.py", line 236, in start
    heuristicCheckSqlInjection(place, parameter, value)
  File "/vol/tools/sqlmap-dev/lib/controller/checks.py", line 111, in heuristicCheckSqlInjection
    Request.queryPage(payload, place)
  File "/vol/tools/sqlmap-dev/lib/request/connect.py", line 347, in queryPage
    page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404)
  File "/vol/tools/sqlmap-dev/lib/request/connect.py", line 177, in getPage
    conn = urllib2.urlopen(req)
  File "/usr/lib/python2.5/urllib2.py", line 124, in urlopen
    return _opener.open(url, data)
  File "/usr/lib/python2.5/urllib2.py", line 373, in open
    protocol = req.get_type()
  File "/usr/lib/python2.5/urllib2.py", line 244, in get_type
    raise ValueError, "unknown url type: %s" % self.__original
ValueError: unknown url type: '"'"''"))"

The Code ran as far as:
[15:48:50] [INFO] testing if URI parameter '#1' is dynamic
[15:48:57] [INFO] confirming that URI parameter '#1' is dynamic
[15:49:13] [INFO] URI parameter '#1' is dynamic
[15:49:13] [CRITICAL] unhandled exception in sqlmap/0.9-dev

If I find some time I will also try to take a look into it.
Until then any feedback is welcome ;-)

Cheers,

Philippe

From: Miroslav S. <mir...@gm...> - 2010-10-11 14:32:18
fixed ;)

kind regards

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

From: Philippe A. R. S. <sc...@co...> - 2010-10-11 15:39:54
Attachments:
smime.p7s
On 11.10.2010 16:32, Miroslav Stampar wrote:
> fixed ;)

That was fast! Works like a charm, thanx a lot!

From: Philippe A. R. S. <sc...@co...> - 2010-10-11 19:05:37
Attachments:
smime.p7s
Hi,

> fixed ;)

There still seems to be some problem with "URI marks". Some chars are not
mapped correctly:

back-end DBMS: MySQL 5

but:

banner: '5 0(67'

Cheers,

Philippe