At the moment, there is no way to inject into a JSON data unfortunately. The asterisk character is not yet supported in POST data. We will soon implement this.
Bernardo On 23 January 2012 10:39, Borja Berastegui <borjaberaste...@gmail.com> wrote: > Hi ! > > I've just found an injection via a JSON parameter which i've tested manually > and im trying to succeed with sqlmap. > > But I cant find the way to tell sqlmap where to inject. > > Via the --data parameter there is no way of tell where to inject like in the > URI injections with get and the * ? > > I've tried also by the --prefix and --suffix to complete the post data to > send, but this parameters got messed up with all the JSON quotes. Sqlmap > returns the error ''You havent especified the sufix''. > > Thanks for all ;) > > > ------------------------------------------------------------------------------ > Try before you buy = See our experts in action! > The most comprehensive online learning library for Microsoft developers > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, > Metro Style Apps, more. Free future releases when you subscribe now! > http://p.sf.net/sfu/learndevnow-dev2 > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > -- Bernardo Damele A. G. Homepage: http://about.me/inquis E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) ------------------------------------------------------------------------------ Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
