Thread: [sqlmap-users] SQLi in parameter's name
From: a a <rez...@se...> - 2013-03-27 10:02:28
Hello,

During one assessment I have found a web application that is vulnerable to SQL injection not in parameter values but in the parameter names themselves.

This is something sqlmap is unable to find. Is it possible to add such functionality (e.g. by optional parameter) to sqlmap?

Regards

Karel Marhoul

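One way a parameter name can end up as an injection point even though every value is bound, shown as an added example that is not part of the original thread. The table, the handler functions and the three request strings are constructed for illustration; the fix shown is an allowlist of permitted filter names.

```python
import sqlite3
from urllib.parse import parse_qsl

# Constructed query strings (not taken from the thread).
NORMAL = "role=user"
VALUE_PROBE = "role=user%27%20OR%20%271%27%3D%271"   # quote characters in the VALUE
NAME_PROBE = "1%3D1%20OR%20role=user"                # SQL text in the NAME

# Only these request parameter names may be used as column filters.
ALLOWED_COLUMNS = frozenset({"name", "role"})


def make_db():
    """Constructed in-memory table used by both handlers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def build_query(pairs):
    """Turn (name, value) pairs into 'name = ?' filters; values stay bound."""
    where = " AND ".join(f"{name} = ?" for name, _ in pairs) or "1=1"
    sql = f"SELECT name FROM users WHERE {where} ORDER BY name"
    return sql, [value for _, value in pairs]


def search_vulnerable(db, query_string):
    """Binds values correctly but pastes parameter NAMES into the SQL text."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    sql, args = build_query(pairs)
    return [row[0] for row in db.execute(sql, args)]


def search_hardened(db, query_string):
    """Same handler, but names must match the allowlist before any SQL is built."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    unknown = [name for name, _ in pairs if name not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError(f"unsupported filter name(s): {unknown!r}")
    sql, args = build_query(pairs)
    return [row[0] for row in db.execute(sql, args)]


if __name__ == "__main__":
    db = make_db()
    for label, qs in (("normal", NORMAL), ("value", VALUE_PROBE), ("name", NAME_PROBE)):
        print(label, "vulnerable ->", search_vulnerable(db, qs))
        try:
            print(label, "hardened   ->", search_hardened(db, qs))
        except ValueError as exc:
            print(label, "hardened   -> rejected:", exc)
```

Because the value is bound, the value probe returns no rows in either handler, which is why testing values alone does not reveal this class of bug; only the name probe changes the result of the vulnerable handler.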
From: Miroslav S. <mir...@gm...> - 2013-03-28 14:41:25
Hi.

Just use the custom injection mark character.

For example:

python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"

will try to inject into the parameter name id.

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm

From: Karel M. <rez...@se...> - 2013-03-28 22:41:48
Hello,

yes, '*' works, but I have to put it behind the parameter's name manually. I wish there was an option to tell sqlmap to automatically try SQLi not only inside parameter values but also inside parameter names. Is it possible to add such functionality?

Kind Regards

Karel Marhoul

From: Miroslav S. <mir...@gm...> - 2013-03-28 22:46:24
This will inject before name:
python sqlmap.py -u "http://www.target.com/vuln.php?*id=1"

This will inject after name:
python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"

This will inject into name:
python sqlmap.py -u "http://www.target.com/vuln.php?i*d=1"

This will inject before value:
python sqlmap.py -u "http://www.target.com/vuln.php?id=*1"

This will inject after value:
python sqlmap.py -u "http://www.target.com/vuln.php?id=1*"

Which combination do you need?

We are not going to make a new switch for this kind of thing because you can use * to mark your "special need".

Kind regards,
Miroslav Stampar

--
Miroslav Stampar
http://about.me/stamparm

From: mitchell <mit...@tu...> - 2013-03-30 23:19:23
So you have an option to inject wherever you want, but you want another option to inject "inside parameter names"? Maybe, I am missing something here...

~~
# m.

From: Karel M. <rez...@se...> - 2013-03-31 09:35:23
Ok, let's take for example the following URL:

http://example.com/?name1=value1&name2=value2&name3=value3

If I do something like this:

sqlmap -u "http://example.com/?name1=value1&name2=value2&name3=value3"

sqlmap will try to inject payloads into parameter values, server headers, cookies and so on, but NOT into parameter names.

The proposed parameter should work similarly to this:

sqlmap --inject-names -u "http://example.com/?name1=value1&name2=value2&name3=value3"

And sqlmap will AUTOMATICALLY try to inject payloads also into parameter names.

Why do I want this parameter instead of manually inserting the '*' symbol? Because I often use sqlmap in conjunction with burp, where I take burp's log and give it to sqlmap for testing (via -l parameter). In this scenario, it would be painful to insert '*' after each parameter name.

I hope I expressed it clearly :)

Best regards and happy Easter

Karel Marhoul

From: mitchell <mit...@tu...> - 2013-03-31 12:19:15
Actually, it's not that painful :-)

$ cat test.burp | sed '/^GET/s/=/\*=/g'
======================================================
3:09:06 PM http://example.com:80 [192.0.43.10]
======================================================
GET /?name1*=value1&name2*=value2&name3*=value3 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: bg,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

======================================================

Anyway, it's up to the devs if they want to implement such an option.

Happy Easter to you too!

~~
# m.

From: Miroslav S. <mir...@gm...> - 2013-03-31 20:26:51
Hi Karel.

This is one of those requests that are in need of a new option/switch among hundreds of others, which we need to reject because of an easy workaround solution. I would not say a thing if this were used in a decent percentage of runs.

Kind regards,
Miroslav Stampar