hi David. we'll deal with both issues shortly (today or tomorrow) and keep you posted.
kr On Mon, May 23, 2011 at 5:17 PM, David Taylor <daves.not.here....@gmail.com> wrote: > Hi all, > I am new to the list, so can I first say a massive thank you to everybody > that has contributed to the development of this tool; it is awesome. > I have come across a couple of issues with the current version of the tool. > First, trailing whitespace seems to be stripped from the end of --suffix > parameters. I have a blind injection point that requires " -- " as a > terminator. If I give the tool --suffix " -- ", this gets turned into > "%20--" in the injection, which doesn't work since the trailing space is > missing. I've worked around this by appending some extra non-space > characters (--suffix " -- xx"), which works, but shouldn't be necessary. > And second, I don't quite understand how the redirect handling works. The > same blind injection point I mention above is on a login page. If I don't > try to inject, or if the injection equates to false, I get a HTTP 200 return > code, with a "login failed" message. If the injection equates to true, the > application 302's me to another page. > I get the message "sqlmap got a 302 redirect to...", asking me if I want to > re-target. In this instance, I don't want to choose a new target. I know > the bsql vuln exists; I just want to use sqlmap to leverage it. However if > I hit enter to select the default (keep same target), sqlmap doesn't detect > the injection point. > I have also tried providing a --string parameter, but this doesn't affect > the result. > Could we please have some way to blindly follow redirects, and compare the > eventual result page to that retrieved for other injections? > Thanks again, > Dave > ------------------------------------------------------------------------------ > What Every C/C++ and Fortran developer Should Know! > Read this article and learn how Intel has extended the reach of its > next-generation tools to help Windows* and Linux* C/C++ and Fortran > developers boost performance applications - including clusters. > http://p.sf.net/sfu/intel-dev2devmay > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Miroslav Stampar E-mail: miroslav.stampar (at) gmail.com PGP Key ID: 0xB5397B1B ------------------------------------------------------------------------------ What Every C/C++ and Fortran developer Should Know! Read this article and learn how Intel has extended the reach of its next-generation tools to help Windows* and Linux* C/C++ and Fortran developers boost performance applications - including clusters. http://p.sf.net/sfu/intel-dev2devmay _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
