hi David. that suffix thingy should be fixed with the latest commit. please retry and report back.
about that 302. well, generally it works, but still, maybe it needs little glancing up. it would be great if you could provide with some more information (privately). kr On Mon, May 23, 2011 at 6:23 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote: > hi David. > > we'll deal with both issues shortly (today or tomorrow) and keep you posted. > > kr > > On Mon, May 23, 2011 at 5:17 PM, David Taylor > <daves.not.here....@gmail.com> wrote: >> Hi all, >> I am new to the list, so can I first say a massive thank you to everybody >> that has contributed to the development of this tool; it is awesome. >> I have come across a couple of issues with the current version of the tool. >> First, trailing whitespace seems to be stripped from the end of --suffix >> parameters. I have a blind injection point that requires " -- " as a >> terminator. If I give the tool --suffix " -- ", this gets turned into >> "%20--" in the injection, which doesn't work since the trailing space is >> missing. I've worked around this by appending some extra non-space >> characters (--suffix " -- xx"), which works, but shouldn't be necessary. >> And second, I don't quite understand how the redirect handling works. The >> same blind injection point I mention above is on a login page. If I don't >> try to inject, or if the injection equates to false, I get a HTTP 200 return >> code, with a "login failed" message. If the injection equates to true, the >> application 302's me to another page. >> I get the message "sqlmap got a 302 redirect to...", asking me if I want to >> re-target. In this instance, I don't want to choose a new target. I know >> the bsql vuln exists; I just want to use sqlmap to leverage it. However if >> I hit enter to select the default (keep same target), sqlmap doesn't detect >> the injection point. >> I have also tried providing a --string parameter, but this doesn't affect >> the result. >> Could we please have some way to blindly follow redirects, and compare the >> eventual result page to that retrieved for other injections? >> Thanks again, >> Dave >> ------------------------------------------------------------------------------ >> What Every C/C++ and Fortran developer Should Know! >> Read this article and learn how Intel has extended the reach of its >> next-generation tools to help Windows* and Linux* C/C++ and Fortran >> developers boost performance applications - including clusters. >> http://p.sf.net/sfu/intel-dev2devmay >> _______________________________________________ >> sqlmap-users mailing list >> sqlmap-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >> >> > > > > -- > Miroslav Stampar > > E-mail: miroslav.stampar (at) gmail.com > PGP Key ID: 0xB5397B1B > -- Miroslav Stampar E-mail: miroslav.stampar (at) gmail.com PGP Key ID: 0xB5397B1B ------------------------------------------------------------------------------ What Every C/C++ and Fortran developer Should Know! Read this article and learn how Intel has extended the reach of its next-generation tools to help Windows* and Linux* C/C++ and Fortran developers boost performance applications - including clusters. http://p.sf.net/sfu/intel-dev2devmay _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
