Thread: [sqlmap-users] querystring?
From: l.g. <lg...@gm...> - 2014-01-13 20:25:13
Hi!

I got the error

[CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')

Is it possible that SQLMAP is intended for webapps which interact with the server thru querystrings only?

Thank you!

From: Chris O. <chr...@gm...> - 2014-01-13 20:28:15
No, it can handle arbitrary injection points - if you're looking to test e.g. RESTful style parameters then just place a * where you want to inject - this is the custom injection point marker.

- Chris

From: Douglas B. <dou...@gm...> - 2014-01-13 20:30:54
Have you tried using the parameter -p ?

sqlmap -u "http://www.site.com/index.php?id=1" -p "id"

[ ]'s

--
Douglas Brancaglion
Security Engineer

From: l.g. <lg...@gm...> - 2014-01-13 21:56:57
Chris Oakley <christopher.oakley@...> writes:

> No, it can handle arbitrary injection points - if you're looking to test e.g. RESTful style parameters then just place a * where you want to inject - this is the custom injection point marker. - Chris

OK, but the params must be passed in the url, right? Or is there a way to inject, e.g., thru viewstate?

Thank you again

From: hooshmand k <hoo...@gm...> - 2014-01-14 07:39:33
Hi,

It is not mandatory to inject via url. You can use other user input data such as form fields, referrer address, user-agent, etc. You can do this by changing the "risk" and "level" options.

Best Regards

From: Chris O. <chr...@gm...> - 2014-01-14 09:59:54
You can tell the program to inject anywhere. If your injection point is in a slightly weirder place (and, to be honest, even if it's not) then the easiest thing to do is to save the HTTP request to a file, place a * where you want the program to inject and use the -r command to point SQLMap at the right request file.

- Chris

From: Mattia V <so...@gm...> - 2014-01-14 11:45:06
Sorry to interrupt, but this is something I've been looking for for quite a while. Could you please point out an example of usage on how to inject to a custom point that is not the url (e.g. a POST form)?

Thank you very much

From: Chris O. <chr...@gm...> - 2014-01-14 11:58:44
I'd suggest having a look at the manual, it's very well documented. If you're simply looking to inject into POST parameters then you just need to look at the --data option. Beyond that, you can do some extremely exotic injections.

SQLMap has had GET and POST parameters covered since forever. There are plenty of ways you can go about this, but since you asked, an example of injecting into a POST request might be something like

-u "http://www.example.com" --data "username=foo&password=bar" -p username -f -b

That example allows you to provide the full POST data, zone in on just the username parameter and then fingerprint and banner grab as a basic starting point. You'll want to use a local proxy such as Burp Suite to get full visibility of the traffic, it's all just about HTTP requests really. For something as basic as a POST injection, you don't even need the custom injection markers.
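
Added example (not part of the thread and not sqlmap's own code): a small pre-flight check for the saved-request workflow described above, listing where the * marker appears in a request file before it is passed to -r. The function names, the wildcard-header list and the sample request are constructed for illustration.

```python
from urllib.parse import urlsplit

MARK = "*"  # the custom injection point marker mentioned in the thread
# Headers where '*' is ordinary HTTP wildcard syntax (assumed list, not sqlmap's).
WILDCARD_HEADERS = {"accept", "accept-encoding", "accept-language",
                    "accept-charset", "if-match", "if-none-match"}

# Constructed sample of a saved request with a marker in the POST body.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=foo*&password=bar"
)

def _marked_params(pairs):
    """Names of key=value pairs (joined by '&') that contain the marker."""
    return [p.partition("=")[0].replace(MARK, "")
            for p in pairs.split("&") if MARK in p]

def find_markers(raw):
    """Return {'candidates': [...], 'wildcards': [...]} of (where, name)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")  # METHOD, request target, HTTP version
    url = urlsplit(parts[1] if len(parts) == 3 else "")
    found = {"candidates": [], "wildcards": []}
    if MARK in url.path:  # RESTful style parameter in the path
        found["candidates"].append(("path", url.path))
    found["candidates"] += [("query", n) for n in _marked_params(url.query)]
    ctype = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip()
        if name.lower() == "content-type":
            ctype = value.lower()
        if MARK in value:
            kind = "wildcards" if name.lower() in WILDCARD_HEADERS else "candidates"
            found[kind].append(("header", name))
    if "x-www-form-urlencoded" in ctype:
        found["candidates"] += [("body", n) for n in _marked_params(body)]
    elif MARK in body:  # JSON, XML or other body: report without parsing
        found["candidates"].append(("body", "<raw>"))
    return found

if __name__ == "__main__":
    print(find_markers(SAMPLE_REQUEST))
```

Asterisks in headers such as Accept are reported separately so the tester can confirm that only the intended position is marked.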