So, if you input valid data, then it shows a page, and if not (expression
evaluates to false) then blank?
Sounds like a typical blind injection. I wonder if you can match a string
against the header, so content-len:0 would work.
On 3/4/09, nein wanwan <nei...@gm...> wrote:
>
> Ahoy. Having a problem here; couldn't think of any other place to ask for
> help, so here I am.
>
> A couple days ago I was using sqlmap to verify a potential injection I had
> found earlier and was able to do some of the different enumerations
> successfully (current-user, current-db, etc).
>
> Anyway, the developers of said application came back in a day and said all
> the problems on the site were fixed (mmhmmm). Turns out all they did was
> remove the custom error page and instead now return a completely blank page
> with a Content-Length of zero. There are obviously no strings to match since
> there is no content...
>
> Basically, is there a way to do regex/str matching on the response headers?
> Drawing a blank... maybe there are some other options that would fulfill my
> needs that I'm not seeing?
>
> Thanks.
--
Konrads Smelkovs
Applied IT sorcery.