hi David, again.

could you please retry with the latest revision and report back.
we've done some changes which could improve the behaviour.

kr

On Mon, May 23, 2011 at 10:15 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> hi David.
>
> basically, you are right.
>
> default behavior should be to follow up the redirection.
>
> the real problem is that it wasn't a default thingy in "sqlmap got a
> 302 redirect to" and we all know that people just like to press Enter
> when running sqlmap and we like to make "dummy click-click yeaa" users
> :)
>
> will do some changes
>
> kr
>
> On Mon, May 23, 2011 at 9:59 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
>> hi David.
>>
>> that suffix thingy should be fixed with the latest commit. please
>> retry and report back.
>>
>> about that 302. well, generally it works, but still, maybe it needs
>> little glancing up. it would be great if you could provide with some
>> more information (privately).
>>
>> kr
>>
>> On Mon, May 23, 2011 at 6:23 PM, Miroslav Stampar
>> <miroslav.stam...@gmail.com> wrote:
>>> hi David.
>>>
>>> we'll deal with both issues shortly (today or tomorrow) and keep you posted.
>>>
>>> kr
>>>
>>> On Mon, May 23, 2011 at 5:17 PM, David Taylor
>>> <daves.not.here....@gmail.com> wrote:
>>>> Hi all,
>>>> I am new to the list, so can I first say a massive thank you to everybody
>>>> that has contributed to the development of this tool; it is awesome.
>>>> I have come across a couple of issues with the current version of the tool.
>>>> First, trailing whitespace seems to be stripped from the end of --suffix
>>>> parameters. I have a blind injection point that requires " -- " as a
>>>> terminator. If I give the tool --suffix " -- ", this gets turned into
>>>> "%20--" in the injection, which doesn't work since the trailing space is
>>>> missing. I've worked around this by appending some extra non-space
>>>> characters (--suffix " -- xx"), which works, but shouldn't be necessary.
>>>> And second, I don't quite understand how the redirect handling works.
>>>> The same blind injection point I mention above is on a login page. If I don't
>>>> try to inject, or if the injection equates to false, I get a HTTP 200 return
>>>> code, with a "login failed" message. If the injection equates to true, the
>>>> application 302's me to another page.
>>>> I get the message "sqlmap got a 302 redirect to...", asking me if I want to
>>>> re-target. In this instance, I don't want to choose a new target. I know
>>>> the bsql vuln exists; I just want to use sqlmap to leverage it. However if
>>>> I hit enter to select the default (keep same target), sqlmap doesn't detect
>>>> the injection point.
>>>> I have also tried providing a --string parameter, but this doesn't affect
>>>> the result.
>>>> Could we please have some way to blindly follow redirects, and compare the
>>>> eventual result page to that retrieved for other injections?
>>>> Thanks again,
>>>> Dave
--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users