The developer uses -1 to say no menu should be shown, other values have
specific meaning. The suggestion to use %2d for the - sign seems to have
worked. I just found another such case for the _ character as part of a
parameter name.
I am a little surprised that it is assumed more likely that a person captured
the requests while doing manual injection testing than that the application uses
- and _ symbols in their application. I guess using them is a bit of a security
measure :-)
SQLMap sure is a great tool and amazingly thorough. I am also pretty impressed
with the documentation; it is well written and covers most of what a beginner
would want to know. I appreciate it.
Thanks!
Bob
----- Original Message -----
From: Miroslav Stampar
To: Bob Simonoff
Cc: sqlmap-users@lists.sourceforge.net
Sent: Sunday, December 11, 2011 3:37 AM
Subject: Re: [sqlmap-users] An incorrectly identified "tainted" parameter
Hi.
The thing is that, in general, negative parameter values are a leftover from
manual injection attempts, causing problems in some cases. Hence the
warning/error message. Have you tried just changing that -1 value to 1 for the
ShowMenu parameter?
Kind regards
On Dec 10, 2011 3:23 PM, "Bob Simonoff" <b...@simonofffamily.com> wrote:
I received this message:
[23:28:33] [CRITICAL] you have provided tainted parameter values
(ncmb%26ShowMenu=-1) with most probably leftover chars from manual sql
injection tests (;()') or non-valid numerical value. Please, always use only
valid parameter values so sqlmap could be able to do a valid run.
Here is a portion of the POSTed data that surrounds this parameter.
fhdn%260=&fhdn%26=&ncmb%26ShowMenu=-1&fhdn%26isYahooGobutton=N
The parameters were captured directly using burpsuite while I was running
the UI. I was performing no injection testing when this was captured. I looked
for each of the listed parameters in the posted data and they do not appear.
(note there are more parameters but I would rather send those privately if
possible).
I am running a recent svn extract of the dev stream (1.0)
Thanks
Bob
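As an added illustration (not sqlmap's own code, and not the author's), the parameter-sanity heuristic behind the warning quoted above can be reproduced on the POST fragment from this thread: values are checked for the leftover characters `;()'` named in the message, but a signed integer such as the ShowMenu=-1 sentinel is treated as a valid number rather than flagged. The `split_form_data` and `classify_value` names, the raw-before-decode split and the extra `q=1')` sample value are assumptions added for the example.

```python
# Added example, not sqlmap code: a tainted-parameter heuristic that accepts a
# plain negative integer (ShowMenu=-1) instead of reporting it as non-valid.
import re
from urllib.parse import unquote

# Characters the thread's warning names as typical leftovers of manual tests.
LEFTOVER_CHARS = set(";()'")

# Constructed sample: the POST fragment quoted in the thread, plus one extra
# value (q=1')) that genuinely carries a stray quote and parenthesis.
SAMPLE_POST = "fhdn%260=&fhdn%26=&ncmb%26ShowMenu=-1&fhdn%26isYahooGobutton=N&q=1')"


def split_form_data(body: str) -> list[tuple[str, str]]:
    """Split raw x-www-form-urlencoded data on the literal '&' and '=' *before*
    percent-decoding, so a name like 'ncmb%26ShowMenu' (an encoded '&' inside
    the name, as in the thread) stays one parameter instead of becoming two."""
    pairs = []
    for chunk in body.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def classify_value(value: str) -> str:
    """Return 'numeric', 'clean' or 'suspicious' for one decoded value.
    A signed integer (e.g. -1, the developer's 'no menu' sentinel) is numeric."""
    if re.fullmatch(r"[+-]?\d+", value):
        return "numeric"
    if LEFTOVER_CHARS & set(value):
        return "suspicious"
    return "clean"


def tainted_parameters(body: str) -> list[str]:
    """Names of parameters whose value looks like an injection leftover."""
    return [name for name, value in split_form_data(body)
            if classify_value(value) == "suspicious"]


if __name__ == "__main__":
    for name, value in split_form_data(SAMPLE_POST):
        print(f"{name!r:28} {value!r:8} {classify_value(value)}")
    print("flagged:", tainted_parameters(SAMPLE_POST))  # flagged: ['q']
```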
------------------------------------------------------------------------------
Learn Windows Azure Live! Tuesday, Dec 13, 2011
Microsoft is holding a special Learn Windows Azure training event for
developers. It will provide a great way to learn Windows Azure and what it
provides. You can attend the event by watching it streamed LIVE online.
Learn more at http://p.sf.net/sfu/ms-windowsazure
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users