Thread: [sqlmap-users] Trouble with "json" like data
Brought to you by:
inquisb
Menu
▾
▴
sqlmap-users
|
From: <Lou...@be...> - 2014-02-24 19:41:35
|
Hi, I saw a couple messages saying sqlmap should support json post data now. However, I'm having trouble with a pretty simple payload. I'm using the following request that I extracted from Burp and censored a bit : POST /SomeUrl/ HTTP/1.1 Host: www.SomeUrl.org.uk Proxy-Connection: keep-alive Content-Length: 28 Accept: application/json, text/javascript, */*; q=0.01 Origin: http://www. SomeUrl.org.uk X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36 Content-Type: application/json; charset=UTF-8 Referer: http://www. SomeUrl.org.uk/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4 Cookie: SomeCookies Connection: close {'address':'peanut'} I tried using "sqlmap -r request" or "sqlmap -r request -p address" or with -p "peanut". I also tried adding $$ before and after peanut and trying with -sufix and -prefix to no avail. I also tried a full command line without using the raw request like this (and multiple variant) : python sqlmap.py -u "http://www.someurl.co.uk" --data "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$" Whatever I'm doing, I'm ending up with a message like : [14:27:08] [INFO] target URL is stable [14:27:08] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1') Or [14:27:47] [INFO] parsing HTTP request from 'requestFromBurp' [14:27:47] [CRITICAL] all testable parameters you provided are not present within the given request data I tried sqlmap/1.0-dev out of Kali linux and also downloaded the nightlies with GIT. Can you help me ? Thanks Louis |
|
From: Brandon P. <bpe...@gm...> - 2014-02-24 20:12:08
|
Use an asterisk. Sent from a computer > On Feb 24, 2014, at 1:29 PM, <Lou...@be...> wrote: > > Hi, > > I saw a couple messages saying sqlmap should support json post data now. However, I’m having trouble with a pretty simple payload. I’m using the following request that I extracted from Burp and censored a bit : > > POST /SomeUrl/ HTTP/1.1 > Host: www.SomeUrl.org.uk > Proxy-Connection: keep-alive > Content-Length: 28 > Accept: application/json, text/javascript, */*; q=0.01 > Origin: http://www. SomeUrl.org.uk > X-Requested-With: XMLHttpRequest > User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36 > Content-Type: application/json; charset=UTF-8 > Referer: http://www. SomeUrl.org.uk/ > Accept-Encoding: gzip,deflate,sdch > Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4 > Cookie: SomeCookies > Connection: close > > {'address':'peanut'} > > I tried using “sqlmap –r request” or “sqlmap –r request –p address” or with –p “peanut”. I also tried adding $$ before and after peanut and trying with –sufix and –prefix to no avail. > > I also tried a full command line without using the raw request like this (and multiple variant) : > > python sqlmap.py -u "http://www.someurl.co.uk" --data "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$" > > Whatever I’m doing, I’m ending up with a message like : > > [14:27:08] [INFO] target URL is stable > [14:27:08] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1') > > Or > > [14:27:47] [INFO] parsing HTTP request from 'requestFromBurp' > [14:27:47] [CRITICAL] all testable parameters you provided are not present within the given request data > > I tried sqlmap/1.0-dev out of Kali linux and also downloaded the nightlies with GIT. > > Can you help me ? > > Thanks > > Louis > > > > ------------------------------------------------------------------------------ > Flow-based real-time traffic analytics software. Cisco certified tool. > Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer > Customize your own dashboards, set traffic alerts and generate reports. > Network behavioral analysis & security monitoring. All-in-one tool. > http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users |
|
From: <Lou...@be...> - 2014-02-24 20:23:04
|
Thanks From: Brandon Perry [mailto:bpe...@gm...] Sent: Monday, February 24, 2014 3:12 PM To: Louis Nadeau Cc: <sql...@li...> Subject: Re: [sqlmap-users] Trouble with "json" like data Use an asterisk. Sent from a computer On Feb 24, 2014, at 1:29 PM, <Lou...@be...<mailto:Lou...@be...>> wrote: Hi, I saw a couple messages saying sqlmap should support json post data now. However, I’m having trouble with a pretty simple payload. I’m using the following request that I extracted from Burp and censored a bit : POST /SomeUrl/ HTTP/1.1 Host: www.SomeUrl.org.uk<http://org.uk> Proxy-Connection: keep-alive Content-Length: 28 Accept: application/json, text/javascript, */*; q=0.01 Origin: http://www. SomeUrl.org.uk<http://org.uk> X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36 Content-Type: application/json; charset=UTF-8 Referer: http://www. SomeUrl.org.uk/<http://org.uk/> Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4 Cookie: SomeCookies Connection: close {'address':'peanut'} I tried using “sqlmap –r request” or “sqlmap –r request –p address” or with –p “peanut”. I also tried adding $$ before and after peanut and trying with –sufix and –prefix to no avail. I also tried a full command line without using the raw request like this (and multiple variant) : python sqlmap.py -u "http://www.someurl.co.uk" --data "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$" Whatever I’m doing, I’m ending up with a message like : [14:27:08] [INFO] target URL is stable [14:27:08] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'<http://www.site.com/index.php?id=1'>) Or [14:27:47] [INFO] parsing HTTP request from 'requestFromBurp' [14:27:47] [CRITICAL] all testable parameters you provided are not present within the given request data I tried sqlmap/1.0-dev out of Kali linux and also downloaded the nightlies with GIT. Can you help me ? Thanks Louis ------------------------------------------------------------------------------ Flow-based real-time traffic analytics software. Cisco certified tool. Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer Customize your own dashboards, set traffic alerts and generate reports. Network behavioral analysis & security monitoring. All-in-one tool. http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk _______________________________________________ sqlmap-users mailing list sql...@li...<mailto:sql...@li...> https://lists.sourceforge.net/lists/listinfo/sqlmap-users |
|
From: <Lou...@be...> - 2014-02-24 20:31:40
|
Wait, if I put an asterix in between the quote instead of peanut and record the traffic, SQLMAP will send hundreds of request with the exact some content :
{'address': ''}
If I remove the single quote and put the asterix straight in there, then the quote are obviously not there and I’m getting parsing error from the server.
From: Brandon Perry [mailto:bpe...@gm...]
Sent: Monday, February 24, 2014 3:12 PM
To: Louis Nadeau
Cc: <sql...@li...>
Subject: Re: [sqlmap-users] Trouble with "json" like data
Use an asterisk.
Sent from a computer
On Feb 24, 2014, at 1:29 PM, <Lou...@be...<mailto:Lou...@be...>> wrote:
Hi,
I saw a couple messages saying sqlmap should support json post data now. However, I’m having trouble with a pretty simple payload. I’m using the following request that I extracted from Burp and censored a bit :
POST /SomeUrl/ HTTP/1.1
Host: www.SomeUrl.org.uk<http://org.uk>
Proxy-Connection: keep-alive
Content-Length: 28
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://www. SomeUrl.org.uk<http://org.uk>
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://www. SomeUrl.org.uk/<http://org.uk/>
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4
Cookie: SomeCookies
Connection: close
{'address':'peanut'}
I tried using “sqlmap –r request” or “sqlmap –r request –p address” or with –p “peanut”. I also tried adding $$ before and after peanut and trying with –sufix and –prefix to no avail.
I also tried a full command line without using the raw request like this (and multiple variant) :
python sqlmap.py -u "http://www.someurl.co.uk" --data "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$"
Whatever I’m doing, I’m ending up with a message like :
[14:27:08] [INFO] target URL is stable
[14:27:08] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'<http://www.site.com/index.php?id=1'>)
Or
[14:27:47] [INFO] parsing HTTP request from 'requestFromBurp'
[14:27:47] [CRITICAL] all testable parameters you provided are not present within the given request data
I tried sqlmap/1.0-dev out of Kali linux and also downloaded the nightlies with GIT.
Can you help me ?
Thanks
Louis
------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________
sqlmap-users mailing list
sql...@li...<mailto:sql...@li...>
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
|
|
From: Miroslav S. <mir...@gm...> - 2014-02-24 21:52:21
|
Dear Louis. >From when are JSON string values enclosed with single quotes? Please go to the: http://www.json.org/ and study the official JSON forms/structures. Kind regards, Miroslav Stampar On Mon, Feb 24, 2014 at 8:29 PM, <Lou...@be...> wrote: > Hi, > > > > I saw a couple messages saying sqlmap should support json post data now. > However, I'm having trouble with a pretty simple payload. I'm using the > following request that I extracted from Burp and censored a bit : > > > > POST /SomeUrl/ HTTP/1.1 > > Host: www.SomeUrl.org.uk > > Proxy-Connection: keep-alive > > Content-Length: 28 > > Accept: application/json, text/javascript, */*; q=0.01 > > Origin: http://www. SomeUrl.org.uk > > X-Requested-With: XMLHttpRequest > > User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, > like Gecko) Chrome/33.0.1750.117 Safari/537.36 > > Content-Type: application/json; charset=UTF-8 > > Referer: http://www. SomeUrl.org.uk/ > > Accept-Encoding: gzip,deflate,sdch > > Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4 > > Cookie: SomeCookies > > Connection: close > > > > {'address':'peanut'} > > > > I tried using "sqlmap -r request" or "sqlmap -r request -p address" or > with -p "peanut". I also tried adding $$ before and after peanut and trying > with -sufix and -prefix to no avail. > > > > I also tried a full command line without using the raw request like this > (and multiple variant) : > > > > python sqlmap.py -u "http://www.someurl.co.uk" --data > "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$" > > > > Whatever I'm doing, I'm ending up with a message like : > > > > [14:27:08] [INFO] target URL is stable > > [14:27:08] [CRITICAL] no parameter(s) found for testing in the provided > data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1') > > > > Or > > > > [14:27:47] [INFO] parsing HTTP request from 'requestFromBurp' > > [14:27:47] [CRITICAL] all testable parameters you provided are not present > within the given request data > > > > I tried sqlmap/1.0-dev out of Kali linux and also downloaded the nightlies > with GIT. > > > > Can you help me ? > > > > Thanks > > > > Louis > > > > > > > > > ------------------------------------------------------------------------------ > Flow-based real-time traffic analytics software. Cisco certified tool. > Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer > Customize your own dashboards, set traffic alerts and generate reports. > Network behavioral analysis & security monitoring. All-in-one tool. > > http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar http://about.me/stamparm |
|
From: Miroslav S. <mir...@gm...> - 2014-02-25 16:20:36
|
I'll see what can be done tomorrow. Most probably I'll put a support for this. Bye On Feb 25, 2014 5:03 PM, "Jonathon Brenner (jobrenne)" <job...@ci...> wrote: > To be fair, I frequently see developers use all kinds of crazy > non-standard JSON "formats." These behaviors are usually indicative of > poorly developed code that is ripe for exploitation. > > When I need to deal with something like this, I manually reformat the > request into something that sqlmap can deal with. Then I write a simple > burp extension (or if I'm luckily, use a proxy match and replace rule) to > reformat the request into the form that the application expects and proxy > sqlmap's traffic through burp. > > -- > Jonathon Brenner > > .:|:.:|:. > Cisco > > From: Miroslav Stampar <mir...@gm...> > Date: Monday, February 24, 2014 4:52 PM > To: "Lou...@be..." <Lou...@be...> > Cc: SqlMap List <sql...@li...> > Subject: Re: [sqlmap-users] Trouble with "json" like data > > Dear Louis. > > From when are JSON string values enclosed with single quotes? > > Please go to the: http://www.json.org/ and study the official JSON > forms/structures. > > Kind regards, > Miroslav Stampar > > > On Mon, Feb 24, 2014 at 8:29 PM, <Lou...@be...> wrote: > >> Hi, >> >> >> >> I saw a couple messages saying sqlmap should support json post data now. >> However, I'm having trouble with a pretty simple payload. I'm using the >> following request that I extracted from Burp and censored a bit : >> >> >> >> POST /SomeUrl/ HTTP/1.1 >> >> Host: www.SomeUrl.org.uk >> >> Proxy-Connection: keep-alive >> >> Content-Length: 28 >> >> Accept: application/json, text/javascript, */*; q=0.01 >> >> Origin: http://www. SomeUrl.org.uk >> >> X-Requested-With: XMLHttpRequest >> >> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 >> (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36 >> >> Content-Type: application/json; charset=UTF-8 >> >> Referer: http://www. SomeUrl.org.uk/ >> >> Accept-Encoding: gzip,deflate,sdch >> >> Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4 >> >> Cookie: SomeCookies >> >> Connection: close >> >> >> >> {'address':'peanut'} >> >> >> >> I tried using "sqlmap -r request" or "sqlmap -r request -p address" or >> with -p "peanut". I also tried adding $$ before and after peanut and trying >> with -sufix and -prefix to no avail. >> >> >> >> I also tried a full command line without using the raw request like this >> (and multiple variant) : >> >> >> >> python sqlmap.py -u "http://www.someurl.co.uk" --data >> "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$" >> >> >> >> Whatever I'm doing, I'm ending up with a message like : >> >> >> >> [14:27:08] [INFO] target URL is stable >> >> [14:27:08] [CRITICAL] no parameter(s) found for testing in the provided >> data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1') >> >> >> >> Or >> >> >> >> [14:27:47] [INFO] parsing HTTP request from 'requestFromBurp' >> >> [14:27:47] [CRITICAL] all testable parameters you provided are not >> present within the given request data >> >> >> >> I tried sqlmap/1.0-dev out of Kali linux and also downloaded the >> nightlies with GIT. >> >> >> >> Can you help me ? >> >> >> >> Thanks >> >> >> >> Louis >> >> >> >> >> >> >> >> >> ------------------------------------------------------------------------------ >> Flow-based real-time traffic analytics software. Cisco certified tool. >> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer >> Customize your own dashboards, set traffic alerts and generate reports. >> Network behavioral analysis & security monitoring. All-in-one tool. >> >> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk >> _______________________________________________ >> sqlmap-users mailing list >> sql...@li... >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > -- > Miroslav Stampar > http://about.me/stamparm > |
|
From: Miroslav S. <mir...@gm...> - 2014-02-26 07:57:08
|
It should be implemented now. Please update to the latest revision. Kind regards, Miroslav Stampar On Tue, Feb 25, 2014 at 5:20 PM, Miroslav Stampar < mir...@gm...> wrote: > I'll see what can be done tomorrow. Most probably I'll put a support for > this. > > Bye > On Feb 25, 2014 5:03 PM, "Jonathon Brenner (jobrenne)" <job...@ci...> > wrote: > >> To be fair, I frequently see developers use all kinds of crazy >> non-standard JSON "formats." These behaviors are usually indicative of >> poorly developed code that is ripe for exploitation. >> >> When I need to deal with something like this, I manually reformat the >> request into something that sqlmap can deal with. Then I write a simple >> burp extension (or if I'm luckily, use a proxy match and replace rule) to >> reformat the request into the form that the application expects and proxy >> sqlmap's traffic through burp. >> >> -- >> Jonathon Brenner >> >> .:|:.:|:. >> Cisco >> >> From: Miroslav Stampar <mir...@gm...> >> Date: Monday, February 24, 2014 4:52 PM >> To: "Lou...@be..." <Lou...@be...> >> Cc: SqlMap List <sql...@li...> >> Subject: Re: [sqlmap-users] Trouble with "json" like data >> >> Dear Louis. >> >> From when are JSON string values enclosed with single quotes? >> >> Please go to the: http://www.json.org/ and study the official JSON >> forms/structures. >> >> Kind regards, >> Miroslav Stampar >> >> >> On Mon, Feb 24, 2014 at 8:29 PM, <Lou...@be...> wrote: >> >>> Hi, >>> >>> >>> >>> I saw a couple messages saying sqlmap should support json post data now. >>> However, I'm having trouble with a pretty simple payload. I'm using the >>> following request that I extracted from Burp and censored a bit : >>> >>> >>> >>> POST /SomeUrl/ HTTP/1.1 >>> >>> Host: www.SomeUrl.org.uk >>> >>> Proxy-Connection: keep-alive >>> >>> Content-Length: 28 >>> >>> Accept: application/json, text/javascript, */*; q=0.01 >>> >>> Origin: http://www. SomeUrl.org.uk >>> >>> X-Requested-With: XMLHttpRequest >>> >>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 >>> (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36 >>> >>> Content-Type: application/json; charset=UTF-8 >>> >>> Referer: http://www. SomeUrl.org.uk/ >>> >>> Accept-Encoding: gzip,deflate,sdch >>> >>> Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4 >>> >>> Cookie: SomeCookies >>> >>> Connection: close >>> >>> >>> >>> {'address':'peanut'} >>> >>> >>> >>> I tried using "sqlmap -r request" or "sqlmap -r request -p address" or >>> with -p "peanut". I also tried adding $$ before and after peanut and trying >>> with -sufix and -prefix to no avail. >>> >>> >>> >>> I also tried a full command line without using the raw request like this >>> (and multiple variant) : >>> >>> >>> >>> python sqlmap.py -u "http://www.someurl.co.uk" --data >>> "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$" >>> >>> >>> >>> Whatever I'm doing, I'm ending up with a message like : >>> >>> >>> >>> [14:27:08] [INFO] target URL is stable >>> >>> [14:27:08] [CRITICAL] no parameter(s) found for testing in the provided >>> data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1') >>> >>> >>> >>> Or >>> >>> >>> >>> [14:27:47] [INFO] parsing HTTP request from 'requestFromBurp' >>> >>> [14:27:47] [CRITICAL] all testable parameters you provided are not >>> present within the given request data >>> >>> >>> >>> I tried sqlmap/1.0-dev out of Kali linux and also downloaded the >>> nightlies with GIT. >>> >>> >>> >>> Can you help me ? >>> >>> >>> >>> Thanks >>> >>> >>> >>> Louis >>> >>> >>> >>> >>> >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Flow-based real-time traffic analytics software. Cisco certified tool. >>> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer >>> Customize your own dashboards, set traffic alerts and generate reports. >>> Network behavioral analysis & security monitoring. All-in-one tool. >>> >>> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk >>> _______________________________________________ >>> sqlmap-users mailing list >>> sql...@li... >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >>> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> > -- Miroslav Stampar http://about.me/stamparm |
|
From: <Lou...@be...> - 2014-02-26 15:05:17
|
Its working fine now, thanks :) From: Miroslav Stampar [mailto:mir...@gm...] Sent: Wednesday, February 26, 2014 2:57 AM To: Jonathon Brenner, (jobrenne) Cc: Louis Nadeau; SqlMap List Subject: Re: [sqlmap-users] Trouble with "json" like data It should be implemented now. Please update to the latest revision. Kind regards, Miroslav Stampar On Tue, Feb 25, 2014 at 5:20 PM, Miroslav Stampar <mir...@gm...<mailto:mir...@gm...>> wrote: I'll see what can be done tomorrow. Most probably I'll put a support for this. Bye On Feb 25, 2014 5:03 PM, "Jonathon Brenner (jobrenne)" <job...@ci...<mailto:job...@ci...>> wrote: To be fair, I frequently see developers use all kinds of crazy non-standard JSON "formats." These behaviors are usually indicative of poorly developed code that is ripe for exploitation. When I need to deal with something like this, I manually reformat the request into something that sqlmap can deal with. Then I write a simple burp extension (or if I'm luckily, use a proxy match and replace rule) to reformat the request into the form that the application expects and proxy sqlmap's traffic through burp. -- Jonathon Brenner .:|:.:|:. Cisco From: Miroslav Stampar <mir...@gm...<mailto:mir...@gm...>> Date: Monday, February 24, 2014 4:52 PM To: "Lou...@be...<mailto:Lou...@be...>" <Lou...@be...<mailto:Lou...@be...>> Cc: SqlMap List <sql...@li...<mailto:sql...@li...>> Subject: Re: [sqlmap-users] Trouble with "json" like data Dear Louis. >From when are JSON string values enclosed with single quotes? Please go to the: http://www.json.org/ and study the official JSON forms/structures. Kind regards, Miroslav Stampar On Mon, Feb 24, 2014 at 8:29 PM, <Lou...@be...<mailto:Lou...@be...>> wrote: Hi, I saw a couple messages saying sqlmap should support json post data now. However, I'm having trouble with a pretty simple payload. I'm using the following request that I extracted from Burp and censored a bit : POST /SomeUrl/ HTTP/1.1 Host: www.SomeUrl.org.uk<http://org.uk> Proxy-Connection: keep-alive Content-Length: 28 Accept: application/json, text/javascript, */*; q=0.01 Origin: http://www. SomeUrl.org.uk<http://org.uk> X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36 Content-Type: application/json; charset=UTF-8 Referer: http://www. SomeUrl.org.uk/<http://org.uk/> Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4 Cookie: SomeCookies Connection: close {'address':'peanut'} I tried using "sqlmap -r request" or "sqlmap -r request -p address" or with -p "peanut". I also tried adding $$ before and after peanut and trying with -sufix and -prefix to no avail. I also tried a full command line without using the raw request like this (and multiple variant) : python sqlmap.py -u "http://www.someurl.co.uk" --data "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$" Whatever I'm doing, I'm ending up with a message like : [14:27:08] [INFO] target URL is stable [14:27:08] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1<http://www.site.com/index.php?id=1>') Or [14:27:47] [INFO] parsing HTTP request from 'requestFromBurp' [14:27:47] [CRITICAL] all testable parameters you provided are not present within the given request data I tried sqlmap/1.0-dev out of Kali linux and also downloaded the nightlies with GIT. Can you help me ? Thanks Louis ------------------------------------------------------------------------------ Flow-based real-time traffic analytics software. Cisco certified tool. Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer Customize your own dashboards, set traffic alerts and generate reports. Network behavioral analysis & security monitoring. All-in-one tool. http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk _______________________________________________ sqlmap-users mailing list sql...@li...<mailto:sql...@li...> https://lists.sourceforge.net/lists/listinfo/sqlmap-users -- Miroslav Stampar http://about.me/stamparm -- Miroslav Stampar http://about.me/stamparm |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X