sqlmap-users

[sqlmap-users] testing admin area after authorization

[Den <wor...@gm...>]

Hello everybody!

Please give me a clue.
I've a web site and I should be authorized to enter to a admin area 
(http://example.com/Login.aspx)
I have user/password for this. How can I pass this credentials to sqlmap 
and test the admin area such as 
http://example.com/admin/UserEdit.aspx?id=117  ?

Thank you in advance.

Re: [sqlmap-users] testing admin area after authorization

[Andres R. <and...@gm...>]

If you just want to exploit that section, capture a cookie with your
favorite proxy tool and set it in sqlmap

On Tue, Aug 13, 2013 at 8:43 AM, Den <wor...@gm...> wrote:
> Hello everybody!
>
> Please give me a clue.
> I've a web site and I should be authorized to enter to a admin area
> (http://example.com/Login.aspx)
> I have user/password for this. How can I pass this credentials to sqlmap
> and test the admin area such as
> http://example.com/admin/UserEdit.aspx?id=117  ?
>
> Thank you in advance.
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

Re: [sqlmap-users] testing admin area after authorization

[Den <wor...@gm...>]

Thank you!

I setted up "--cookie" parameter and got a acces.
> If you just want to exploit that section, capture a cookie with your
> favorite proxy tool and set it in sqlmap
>
> On Tue, Aug 13, 2013 at 8:43 AM, Den <wor...@gm...> wrote:
>> Hello everybody!
>>
>> Please give me a clue.
>> I've a web site and I should be authorized to enter to a admin area
>> (http://example.com/Login.aspx)
>> I have user/password for this. How can I pass this credentials to sqlmap
>> and test the admin area such as
>> http://example.com/admin/UserEdit.aspx?id=117  ?
>>
>> Thank you in advance.
>>
>> ------------------------------------------------------------------------------
>> Get 100% visibility into Java/.NET code with AppDynamics Lite!
>> It's a free troubleshooting tool designed for production.
>> Get down to code-level detail for bottlenecks, with <2% overhead.
>> Download for free and get started troubleshooting in minutes.
>> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

Re: [sqlmap-users] testing admin area after authorization

[Sebastian N. <seb...@sy...>]

Hi,

Am 13.08.2013 15:15, schrieb Den:
> Thank you!
> 
> I setted up "--cookie" parameter and got a acces.

If you are running a webproxy (e.g. webscarab or Burp Suite) between
your browser and the server or if you have some development add-ons
installed, you could also make a copy of a complete HTTP-REQUEST send to
the server and load it using "-l file-containing-the-request". It helps
when doing complex queries (e.g. with referer- and agent-checks,
multiple cookies, long POST-bodies or file-attachements).
It can also help with avoiding encoding-problems and/or quoting-issues
(e.g. $ or ! in an url with a linux shell)

All the best,

Sebastian