On Fri, 6 Apr 2012, Miroslav Stampar wrote: > On Fri, Apr 6, 2012 at 2:09 AM, Julia Wolf <jw...@fireeye.com> wrote: > >> Unrelated... I can't seem to get SQLMap to fully parse Burp logs. It says >> >> [19:13:04] [DEBUG] parsing targets list from '/home/jwolf/burpreq.log' >> [19:13:05] [INFO] sqlmap parsed 18 testable requests from the targets list >> [19:13:05] [INFO] sqlmap got a total of 18 targets >> >> I know there's more than eighteen targets... >>
> Are you sure there are more than 18 targets with unique parameters inside? > That uniq says unique strings it found, but it doesn't go through parameter > names to see what can be exploited. There are 293 fields in my recorded session. Another odd thing about this, I chopped the first 509600 bytes (8%) off the beginning of the Burp log (on a record boundary of course) and SQLMap still reports that it only found 18 targets -- but it will still always start with the first URL from the Burp log anyway. (I chopped it elsewhere previously with the same result.) I mean if the Burp log starts with: ====================================================== 6:25:56 PM https://10.6.1.142:443 ====================================================== POST /analysis/filter HTTP/1.1 Host: 10.6.1.142 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0 Accept: text/javascript, text/html, application/xml, text/xml, */* [blah blah blah...] Content-Length: ... Cookie: _session_id=ab36ffc767c4fea19473af1a10a03d671; Cache-Control: no-cache utf8=%E2%9C%93&token=0Uocx9Clc&filter_text=moo&case_sensitive=1&username=foo ====================================================== HTTP/1.1 200 OK Date: Thu, 05 Apr 2012 01:25:56 GMT Server: Whatever 2.0 Content-Type: text/javascript; charset=utf-8 [...] ... Then SQLMap will start testing this URI, with these parameters correctly. Oh, I may have spoken too soon... SQLMap seems to be sticking the "======================================================" division onto the end of the last field, "username=foo======================================================" in this example. But other than that it seems to be working ok. (And I mean, 'ok' until it crashes with "InvalidURL: nonnumeric port:" ) ------------------------------------------------------------------------------ Better than sec? Nothing is better than sec when it comes to monitoring Big Data applications. Try Boundary one-second resolution app monitoring today. Free. http://p.sf.net/sfu/Boundary-dev2dev _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users