Thread: [sqlmap-users] (no subject) (Page 3)
From: a d. <deh...@gm...> - 2014-10-23 05:43:18
Hi Guys,

Is Sqlmap able to send an array instead of a string while injecting?

Like a situation where we have an HTML form and we want to manually send the POST variable 'name' this way (the value is obtained from an array):

    name="name[1 ;select * from users -- ]

I want to do it with Sqlmap, but how?

Regards
dehqan
From: Miroslav S. <mir...@gm...> - 2014-10-23 07:30:44
Hi.

You need to put a custom injection mark * at the place where you want sqlmap to inject. For example:

    ...name[1*]

Bye

p.s. your example with SELECT is not a proper one as queries are usually not supported in stacking

--
Miroslav Stampar
http://about.me/stamparm
From: a d. <deh...@gm...> - 2014-10-23 12:15:06
Thanks man;

I want to send an array with a query in its index as the value of the "name" POST variable.

Remember, if I want to inject it manually I should try:

    <input type="text" id="edit-name" name="name[1 ;UPDATE {users} SET pass= 'test123'; -- ]" value="" size="60" maxlength="60" class="form-text required error">

So I tried (sqlmap/1.0-dev):

    python sqlmap.py -u "http://localhost//?id=n&ssid=w" --data="name[0*]=name" --risk=3 --flush-session --dbms=mysql

Sqlmap returns this error:

    [WARNING] (custom) POST parameter '#1*' is not injectable

What does # mean here?

And how to make it work under sqlmap?

Regards
From: Ryan S. <rd...@mt...> - 2014-10-24 00:30:30
// Grrr, stupid gmail. Didn't reply-all first time :-P

Are you sure it's exploitable? Try upping the --level and --risk.

The #1* means the first * character you put into the --data parameter. It's in lieu of saying something like "POST parameter 'derp' is not exploitable" if you pass in --data="derp=testme" and ask it to test the "derp" parameter.

Ryan
From: a d. <deh...@gm...> - 2014-10-25 06:41:39
Hi

Thanks;

Yes, of course it's exploitable.

As you see, I have used --risk=3 before.

I think Sqlmap isn't able to handle it properly because there is a custom injection in the name of the parameter and also the name is an array.

Any opinion?

Regards
dehqan
From: Brandon P. <bpe...@gm...> - 2014-10-25 15:12:54
Nope, shouldn't have anything to do with it.

How do you know it is exploitable? You also haven't tried upping the level with --level=5, which is different from risk.

Sent from a computer
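A defender-side check for the request shape discussed in this thread, as an added example that is not part of any post above or of sqlmap: it parses a form-encoded POST body and flags field names whose bracketed array key falls outside an allowlist. The function name, the allowlist pattern and the sample bodies are assumptions; the sample bodies are constructed from the field names quoted in the thread.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Assumed policy: an array key is empty (PHP-style append) or a short word token.
SAFE_KEY = re.compile(r"[A-Za-z0-9_-]{0,64}")
BRACKET = re.compile(r"\[([^\]]*)\]")


def suspicious_field_names(body):
    """Return (field_name, reason) for each field whose array keys fail the allowlist."""
    findings = []
    for name, _value in parse_qsl(body, keep_blank_values=True):
        _base, bracket, rest = name.partition("[")
        if not bracket:
            continue  # scalar field, no array key to inspect
        suffix = bracket + rest
        if BRACKET.sub("", suffix):
            # Text is left over after removing every [key] group:
            # unbalanced brackets or trailing characters.
            findings.append((name, "malformed brackets"))
            continue
        for key in BRACKET.findall(suffix):
            if not SAFE_KEY.fullmatch(key):
                findings.append((name, "array key %r outside allowlist" % key))
                break
    return findings


# Constructed sample bodies, encoded the way a browser would submit them.
SAMPLE_BODIES = [
    urlencode({"name[0]": "alice", "pass": "x"}),
    urlencode({"name[1 ;UPDATE {users} SET pass= 'test123'; -- ]": "", "pass": "x"}),
    urlencode({"name[0*]": "name"}),
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body, "->", suspicious_field_names(body))
```

The same allowlist belongs in the application's input handling, so that an array key never reaches query construction as anything other than a validated token.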
From: Gary M. <gar...@gm...> - 2016-11-23 10:31:59
From: Bernardo D. A. G. <ber...@gm...> - 2009-02-24 12:38:27
Hi Uran,

It looks to me that you've some not UTF-8 compliant character in your file system path name or you accidentally modified some of the file with a binary char.

Cheers,
Bernardo

On Fri, Feb 13, 2009 at 11:56, Uran Thaçi <ura...@ku...> wrote:
> Hello,
>
> I'm contacting you because regarding to the application, you are the founder
> and wanted to notify about an error I just received.
>
> While executing sqlmap.exe -u sometarget , it gives the following error:
>
> sqlmap/0.6.4 coded by Bernardo Damele A. G. <ber...@gm...>
> and Daniele Bellucci <dan...@gm...>
>
> [*] starting at: 12:53:32
>
> [12:53:32] [ERROR] unhandled exception in sqlmap/0.6.4, please copy the
> command
> line and the following text and send by e-mail to
> sql...@li...urceforge
> .net. The developers will fix it as soon as possible:
> sqlmap version: 0.6.4
> Python version: 2.5.4
> Operating system: win32
> Traceback (most recent call last):
> File "sqlmap.py", line 78, in main
> File "lib\core\option.pyc", line 771, in init
> File "lib\parse\queriesfile.pyc", line 219, in queriesParser
> File "xml\sax\__init__.pyc", line 33, in parse
> File "xml\sax\expatreader.pyc", line 107, in parse
> File "xml\sax\xmlreader.pyc", line 119, in parse
> File "xml\sax\expatreader.pyc", line 111, in prepareParser
> UnicodeEncodeError: 'ascii' codec can't encode character u'\xa0' in position
> 28:
> ordinal not in range(128)
>
> [*] shutting down at: 12:53:32
>
>
> Uran Thaqi, NOC
> Network System Administrator
>
> Kujtesa Internet Services
> Tel: +381 (0)38 542 170; 542 171;
> Fax: +381 (0)38 549 761
> www.kujtesa.com
> e-mail: ura...@ku...

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F