Hi all,

I am new to the list, so can I first say a massive thank you to everybody
that has contributed to the development of this tool; it is awesome.

I have come across a couple of issues with the current version of the tool.

First, trailing whitespace seems to be stripped from the end of --suffix
parameters.  I have a blind injection point that requires " -- " as a
terminator.  If I give the tool --suffix " -- ", this gets turned into
"%20--" in the injection, which doesn't work since the trailing space is
missing.  I've worked around this by appending some extra non-space
characters (--suffix " -- xx"), which works, but shouldn't be necessary.

And second, I don't quite understand how the redirect handling works.  The
same blind injection point I mention above is on a login page.  If I don't
try to inject, or if the injection equates to false, I get a HTTP 200 return
code, with a "login failed" message.  If the injection equates to true, the
application 302's me to another page.
I get the message "sqlmap got a 302 redirect to...", asking me if I want to
re-target.  In this instance, I don't want to choose a new target.  I know
the bsql vuln exists; I just want to use sqlmap to leverage it.  However if
I hit enter to select the default (keep same target), sqlmap doesn't detect
the injection point.
I have also tried providing a --string parameter, but this doesn't affect
the result.
Could we please have some way to blindly follow redirects, and compare the
eventual result page to that retrieved for other injections?

Thanks again,
Dave
------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its 
next-generation tools to help Windows* and Linux* C/C++ and Fortran 
developers boost performance applications - including clusters. 
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to