hi Robin you'll need to give a valid Cookie with --cookie="....&ASP.NET_SessionId=1FA...&..." and use -p "ASP.NET_SessionId"
thing is that when level < 4 we ignore session-like parameters in default cases. so, either you can use explicit -p "ASP.NET_SessionId" or you can use --level=4. in your case i would suggest usage of -p. kr On Tue, Aug 2, 2011 at 2:41 PM, Robin Wood <ro...@digininja.org> wrote: > Hi > I've got an application that is vulnerable to SQLi in one of two > cookie parameters. The one that is injectable is the ASP.NET_SessionId > which has to start with a valid session id but then if given an extra > ' on the end it fails and dumps out a nice SQL error. > > So what I need to do is to tell sqlmap to inject onto the end of the > one cookie but leave the other intact. Is this possible? > > Robin > > ------------------------------------------------------------------------------ > BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA > The must-attend event for mobile developers. Connect with experts. > Get tools for creating Super Apps. See the latest technologies. > Sessions, hands-on labs, demos & much more. Register early & save! > http://p.sf.net/sfu/rim-blackberry-1 > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Miroslav Stampar (@stamparm) E-mail: miroslav.stampar (at) gmail.com PGP Key ID: 0xB5397B1B ------------------------------------------------------------------------------ BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA The must-attend event for mobile developers. Connect with experts. Get tools for creating Super Apps. See the latest technologies. Sessions, hands-on labs, demos & much more. Register early & save! http://p.sf.net/sfu/rim-blackberry-1 _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users