On Fri, 6 Apr 2012, Miroslav Stampar wrote:

> On Fri, Apr 6, 2012 at 2:09 AM, Julia Wolf <jw...@fireeye.com> wrote:
>
>>  Unrelated... I can't seem to get SQLMap to fully parse Burp logs. It says
>>
>> [19:13:04] [DEBUG] parsing targets list from '/home/jwolf/burpreq.log'
>> [19:13:05] [INFO] sqlmap parsed 18 testable requests from the targets list
>> [19:13:05] [INFO] sqlmap got a total of 18 targets
>>
>>  I know there's more than eighteen targets...
>>

> Are you sure there are more than 18 targets with unique parameters inside?
> That uniq says unique strings it found, but it doesn't go through parameter
> names to see what can be exploited.

   There are 293 fields in my recorded session.

   Another odd thing about this, I chopped the first 509600 bytes (8%) off 
the beginning of the Burp log (on a record boundary of course) and SQLMap 
still reports that it only found 18 targets -- but it will still always 
start with the first URL from the Burp log anyway. (I chopped it elsewhere 
previously with the same result.)

   I mean if the Burp log starts with:

======================================================
6:25:56 PM  https://10.6.1.142:443
======================================================
POST /analysis/filter HTTP/1.1
Host: 10.6.1.142
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) 
Gecko/20100101 Firefox/11.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
[blah blah blah...]
Content-Length: ...
Cookie: _session_id=ab36ffc767c4fea19473af1a10a03d671; 
Cache-Control: no-cache

utf8=%E2%9C%93&token=0Uocx9Clc&filter_text=moo&case_sensitive=1&username=foo
======================================================
HTTP/1.1 200 OK
Date: Thu, 05 Apr 2012 01:25:56 GMT
Server: Whatever 2.0
Content-Type: text/javascript; charset=utf-8
[...]

... Then SQLMap will start testing this URI, with these parameters 
correctly.

   Oh, I may have spoken too soon... SQLMap seems to be sticking the 
"======================================================" division onto the 
end of the last field, 
"username=foo======================================================" in 
this example. But other than that it seems to be working ok. (And I mean, 
'ok' until it crashes with "InvalidURL: nonnumeric port:" )


------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to