hi David. basically, you are right.
default behavior should be to follow up the redirection. the real problem is that it wasn't a default thingy in "sqlmap got a 302 redirect to" and we all know that people just like to press Enter when running sqlmap and we like to make "dummy click-click yeaa" users :) will do some changes kr On Mon, May 23, 2011 at 9:59 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote: > hi David. > > that suffix thingy should be fixed with the latest commit. please > retry and report back. > > about that 302. well, generally it works, but still, maybe it needs > little glancing up. it would be great if you could provide with some > more information (privately). > > kr > > On Mon, May 23, 2011 at 6:23 PM, Miroslav Stampar > <miroslav.stam...@gmail.com> wrote: >> hi David. >> >> we'll deal with both issues shortly (today or tomorrow) and keep you posted. >> >> kr >> >> On Mon, May 23, 2011 at 5:17 PM, David Taylor >> <daves.not.here....@gmail.com> wrote: >>> Hi all, >>> I am new to the list, so can I first say a massive thank you to everybody >>> that has contributed to the development of this tool; it is awesome. >>> I have come across a couple of issues with the current version of the tool. >>> First, trailing whitespace seems to be stripped from the end of --suffix >>> parameters. I have a blind injection point that requires " -- " as a >>> terminator. If I give the tool --suffix " -- ", this gets turned into >>> "%20--" in the injection, which doesn't work since the trailing space is >>> missing. I've worked around this by appending some extra non-space >>> characters (--suffix " -- xx"), which works, but shouldn't be necessary. >>> And second, I don't quite understand how the redirect handling works. The >>> same blind injection point I mention above is on a login page. If I don't >>> try to inject, or if the injection equates to false, I get a HTTP 200 return >>> code, with a "login failed" message. If the injection equates to true, the >>> application 302's me to another page. >>> I get the message "sqlmap got a 302 redirect to...", asking me if I want to >>> re-target. In this instance, I don't want to choose a new target. I know >>> the bsql vuln exists; I just want to use sqlmap to leverage it. However if >>> I hit enter to select the default (keep same target), sqlmap doesn't detect >>> the injection point. >>> I have also tried providing a --string parameter, but this doesn't affect >>> the result. >>> Could we please have some way to blindly follow redirects, and compare the >>> eventual result page to that retrieved for other injections? >>> Thanks again, >>> Dave >>> ------------------------------------------------------------------------------ >>> What Every C/C++ and Fortran developer Should Know! >>> Read this article and learn how Intel has extended the reach of its >>> next-generation tools to help Windows* and Linux* C/C++ and Fortran >>> developers boost performance applications - including clusters. >>> http://p.sf.net/sfu/intel-dev2devmay >>> _______________________________________________ >>> sqlmap-users mailing list >>> sqlmap-users@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>> >>> >> >> >> >> -- >> Miroslav Stampar >> >> E-mail: miroslav.stampar (at) gmail.com >> PGP Key ID: 0xB5397B1B >> > > > > -- > Miroslav Stampar > > E-mail: miroslav.stampar (at) gmail.com > PGP Key ID: 0xB5397B1B > -- Miroslav Stampar E-mail: miroslav.stampar (at) gmail.com PGP Key ID: 0xB5397B1B ------------------------------------------------------------------------------ What Every C/C++ and Fortran developer Should Know! Read this article and learn how Intel has extended the reach of its next-generation tools to help Windows* and Linux* C/C++ and Fortran developers boost performance applications - including clusters. http://p.sf.net/sfu/intel-dev2devmay _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
