On Fri, Apr 6, 2012 at 2:09 AM, Julia Wolf <jw...@fireeye.com> wrote:

> On Fri, 16 Mar 2012, Miroslav Stampar wrote:
>
>> After a thorough examination I believe that something other is screwed. In
>> your case "Host" header value is used for establishing origin of request
>>
> [...]
>
>> Now, I can't imagine how is this happening. Could you please send me
>> privately more information? What command line have you used (or
>> configuration file in your case)? Also, traffic file (or maybe a part of
>> it) would be great.
>>
>
>  Oops, I meant to get back to you sooner. Anyway, attached is the config
> file, and the beginnings and endings of the inputs and outputs.
>
>  Unrelated... I can't seem to get SQLMap to fully parse Burp logs. It says
>
> [19:13:04] [DEBUG] parsing targets list from '/home/jwolf/burpreq.log'
> [19:13:05] [INFO] sqlmap parsed 18 testable requests from the targets list
> [19:13:05] [INFO] sqlmap got a total of 18 targets
>
>  I know there's more than eighteen targets...
>

Hi.

Are you sure there are more than 18 targets with unique parameters inside?
That uniq says unique strings it found, but it doesn't go through parameter
names to see what can be exploited.

For example:
?a=1&b=2
?a=2&b=3
?a=3&b=4
?a=4&b=5

Uniq would tell you 4 here, but sqlmap counts number of GET/POST parameters
here which is only 2 (a and b)

Kind regards


>
> egrep "^GET|^POST" /home/jwolf/burpreq.log |sort | uniq |wc
>    262     786   15488
>
> grep "^Content-Type: application/x-www-form-urlencoded" /home/jwolf/burpreq.log |wc
>    535    1545   33340
>



-- 
Miroslav Stampar
http://about.me/stamparm
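
The difference between the two counts discussed in this thread, as an added example that is not part of the original messages and not sqlmap's own code: it compares the number of distinct request lines (what `sort | uniq | wc` reports) with the number of distinct method, path and parameter-name combinations. The grouping rule, the simplified log layout and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/\d\.\d$")

# Constructed sample in a simplified layout (request line, header, blank line,
# optional form body). It is not Burp's exact log format.
SAMPLE_LOG = "".join(
    f"{method} {target} HTTP/1.1\nHost: app.example\n\n{body}\n"
    for method, target, body in [
        ("GET", "/item.php?a=1&b=2", ""),
        ("GET", "/item.php?a=2&b=3", ""),
        ("GET", "/item.php?a=3&b=4", ""),
        ("GET", "/item.php?a=4&b=5", ""),
        ("POST", "/login.php", "user=alice&pass=one"),
        ("POST", "/login.php", "user=bob&pass=two"),
        ("GET", "/index.html", ""),
    ]
)

def names_in(encoded):
    """Parameter names (values discarded) of a query string or form body."""
    return {name for name, _ in parse_qsl(encoded, keep_blank_values=True)}

def parse_requests(log_text):
    """Return [method, path, names, request_line] for every logged request."""
    requests, in_body = [], False
    for line in log_text.splitlines():
        match = REQUEST_LINE.match(line)
        if match:
            url = urlsplit(match.group(2))
            requests.append([match.group(1), url.path, names_in(url.query), line])
            in_body = False
        elif requests and not line:
            in_body = True  # blank line ends the headers
        elif requests and in_body:
            requests[-1][2] |= names_in(line)  # form body parameters
    return requests

def summarize(log_text):
    """(distinct request lines, distinct method/path/parameter-name sets)."""
    requests = parse_requests(log_text)
    lines = {line for *_, line in requests}
    # Assumption: one target per method + path + name set; bare requests skipped.
    targets = {(m, p, frozenset(n)) for m, p, n, _ in requests if n}
    return len(lines), len(targets)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
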
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
