Thread: [sqlmap-users] --skip-urlencode forcing content type to text/plain
From: Brandon P. <bpe...@gm...> - 2015-10-17 02:32:17

I tracked it down to ./lib/request/connect.py, line 726.

    contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, PLAIN_TEXT_CONTENT_TYPE)

I am specifying a content type explicitly with --headers, so commenting this line out allowed sqlmap to detect the injections (the server returns 50x if the content type isn't right).

Not sure what the correct solution is to this, as I understand the intent. Would this be more useful as a github issue?

From: Miroslav S. <mir...@gm...> - 2015-10-18 09:35:51

Will patch it later today.

Bye

From: Miroslav S. <mir...@gm...> - 2015-10-19 11:37:21

Hi Brandon.

Sorry for the late reply. It goes like this.

Your header value for content-type should be propagated/used, even in this case, in all cases other THAN one.

If you use --skip-urlencode and you (or your request file) state that the content-type should be "urlencoded", sqlmap forces a switch to either the "recognized" (e.g. json, xml,...) or the "plain". So, that line that you've pinpointed will be triggered only in the described situation.

Can you please describe what you are trying to accomplish? I believe that you are trying to leave some parts (non-payload) url encoded, while you want the payload to not be url encoded.

Bye

--
Miroslav Stampar
http://about.me/stamparm

From: Brandon P. <bpe...@gm...> - 2015-10-19 14:00:09

The actual request is a SOAP payload, which requires a content type of XML, and no URL encoding (which, if performed, returns a 50x).

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

From: Miroslav S. <mir...@gm...> - 2015-10-19 14:02:39

Hi.

But sqlmap should automatically skip the url encoding of such request bodies if the content-type has been set to the proper value from the start (or if there was no content-type from the beginning).

Can you please send a sample request file and/or the sqlmap options used?

Bye

From: Brandon P. <bpe...@gm...> - 2015-10-19 14:04:59

Yes, I can, but it will have to be when I get home this evening.

FWIW, I am interacting with the sqlmap API, so not passing it a request file. I am building the SOAP XML programmatically, then setting it as the 'data' in the options (along with headers to specify text/xml and SOAPAction), with skipUrlEncode.

From: Miroslav S. <mir...@gm...> - 2015-10-19 14:41:32

I really can't enforce this behavior. Waiting for your sample.

Bye

From: Brandon P. <bpe...@gm...> - 2015-10-19 17:05:51

Just curious, how do you expect a user to set a specific content type? Is there an argument I am missing, or is --headers the expected way?

From: Miroslav S. <mir...@gm...> - 2015-10-19 17:08:53

Either through a request file or headers. Otherwise, sqlmap automatically sets it based on the recognized type (e.g. application/json for JSON).

Bye

From: Brandon P. <bpe...@gm...> - 2015-10-20 01:08:17

I am magically unable to reproduce this at the moment. If I end up seeing the behavior again, I will get more information to reproduce with.

However, I did realize that I no longer actually need --skip-urlencode. At some point between when I last touched this code and now, POST request bodies are no longer URL encoded.

In any case, sorry for the noise.

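Added example (not part of the thread and not sqlmap's own code): a small Python model of the Content-Type rule described in the 2015-10-19 11:37 and 17:08 replies, usable as a pre-flight check on options before they go to a scan. The function names, the body sniffing, the form-encoded default for an unrecognized body and the table values are assumptions made for illustration.

```python
# Illustrative model only. Table values and the default below are assumed,
# not copied from sqlmap's source.
URLENCODED = "application/x-www-form-urlencoded"
PLAIN_TEXT_CONTENT_TYPE = "text/plain; charset=utf-8"   # assumed value
POST_HINT_CONTENT_TYPES = {                              # assumed subset
    "JSON": "application/json",
    "XML": "application/xml",
    "SOAP": "application/soap+xml",
}


def parse_headers(raw):
    """Parse a --headers style string into a dict keyed by lowercase name.

    Accepts real newlines or the literal two-character "\\n" separator.
    """
    headers = {}
    for line in raw.replace("\\n", "\n").splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def guess_post_hint(body):
    """Rough body sniffing (hypothetical stand-in for the tool's recognition)."""
    text = body.lstrip()
    if text.startswith("<"):
        return "SOAP" if "Envelope" in text[:512] else "XML"
    if text.startswith(("{", "[")):
        return "JSON"
    return None


def effective_content_type(raw_headers, body, skip_urlencode):
    """Return (content_type, reason) for the request that would be sent.

    1. A user-supplied Content-Type is used as given.
    2. With no header, a recognized body type picks the value; an
       unrecognized body is assumed to default to form encoding.
    3. The one exception: skip_urlencode together with a urlencoded
       Content-Type switches to the recognized type, else to plain text.
    """
    supplied = parse_headers(raw_headers).get("content-type")
    hint = guess_post_hint(body)
    if supplied is not None:
        ctype, reason = supplied, "user-header"
    elif hint in POST_HINT_CONTENT_TYPES:
        ctype, reason = POST_HINT_CONTENT_TYPES[hint], "recognized-body"
    else:
        ctype, reason = URLENCODED, "default-form"
    if skip_urlencode and ctype.lower().startswith(URLENCODED):
        if hint in POST_HINT_CONTENT_TYPES:
            return POST_HINT_CONTENT_TYPES[hint], "override-recognized"
        return PLAIN_TEXT_CONTENT_TYPE, "override-plain"
    return ctype, reason


# Constructed sample inputs (not taken from the thread).
SOAP_BODY = ('<?xml version="1.0"?><soap:Envelope xmlns:soap='
             '"http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
             '<GetItem><id>1</id></GetItem></soap:Body></soap:Envelope>')
SOAP_HEADERS = 'Content-Type: text/xml\\nSOAPAction: "urn:example:GetItem"'

if __name__ == "__main__":
    cases = [
        (SOAP_HEADERS, SOAP_BODY, True),
        ("Content-Type: " + URLENCODED, "id=1", True),
        ("Content-Type: " + URLENCODED, '{"id": 1}', True),
        ("", '{"id": 1}', False),
    ]
    for hdrs, body, skip in cases:
        print(effective_content_type(hdrs, body, skip))
```

Under this model an explicit text/xml header is never replaced, which matches the statement that the override fires only when the content type is urlencoded and --skip-urlencode is set.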