hi Robin

you'll need to give a valid Cookie with
--cookie="....&ASP.NET_SessionId=1FA...&..." and use -p "ASP.NET_SessionId"

thing is that when level < 4 we ignore session-like parameters in
default cases. so, either you can use explicit -p "ASP.NET_SessionId"
or you can use --level=4. in your case i would suggest usage of -p.

kr

On Tue, Aug 2, 2011 at 2:41 PM, Robin Wood <ro...@digininja.org> wrote:
> Hi
> I've got an application that is vulnerable to SQLi in one of two
> cookie parameters. The one that is injectable is the ASP.NET_SessionId
> which has to start with a valid session id but then if given an extra
> ' on the end it fails and dumps out a nice SQL error.
>
> So what I need to do is to tell sqlmap to inject onto the end of the
> one cookie but leave the other intact. Is this possible?
>
> Robin
>
> ------------------------------------------------------------------------------
> BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
> The must-attend event for mobile developers. Connect with experts.
> Get tools for creating Super Apps. See the latest technologies.
> Sessions, hands-on labs, demos & much more. Register early & save!
> http://p.sf.net/sfu/rim-blackberry-1
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar (@stamparm)

E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B
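
Seen from the server side, the symptom described in the quoted message (an extra ' after a valid session id produces a SQL error) is what a session lookup does when the cookie value is concatenated into the query text. The following is an added example, not code from this thread or from sqlmap; SQLite stands in for the real backend, and the table, column names and session id are constructed assumptions.

```python
import sqlite3

# Constructed sample value; the real application's id format is not known.
VALID_ID = "1fa0c3d2e4b5a6978877665544332211"

def make_db():
    """In-memory stand-in for the session store (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, username TEXT)")
    db.execute("INSERT INTO sessions VALUES (?, ?)", (VALID_ID, "robin"))
    return db

def session_cookie(header, name="ASP.NET_SessionId"):
    """Return the value of one cookie from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def lookup_concatenated(db, sid):
    # Flawed pattern: the cookie value becomes part of the SQL text,
    # so a stray quote changes how the statement is parsed.
    query = "SELECT username FROM sessions WHERE id = '" + sid + "'"
    try:
        row = db.execute(query).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))

def lookup_parameterized(db, sid):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    row = db.execute(
        "SELECT username FROM sessions WHERE id = ?", (sid,)
    ).fetchone()
    return ("ok", row[0] if row else None)

if __name__ == "__main__":
    db = make_db()
    sid = session_cookie("lang=en; ASP.NET_SessionId=" + VALID_ID + "'")
    print(lookup_concatenated(db, sid))   # parser error surfaces
    print(lookup_parameterized(db, sid))  # no matching session, no error
```

With the bound parameter the malformed cookie is just an unknown session id, so the request fails authentication instead of reaching the SQL parser.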
