Hi Julia.
On Tue, Apr 10, 2012 at 11:40 PM, Julia Wolf <jw...@fireeye.com> wrote:
> On Fri, 6 Apr 2012, Miroslav Stampar wrote:
>
> On Fri, Apr 6, 2012 at 2:09 AM, Julia Wolf <jw...@fireeye.com> wrote:
>>
>> Unrelated... I can't seem to get SQLMap to fully parse Burp logs. It
>>> says
>>>
>>> [19:13:04] [DEBUG] parsing targets list from '/home/jwolf/burpreq.log'
>>> [19:13:05] [INFO] sqlmap parsed 18 testable requests from the targets
>>> list
>>> [19:13:05] [INFO] sqlmap got a total of 18 targets
>>>
>>> I know there's more than eighteen targets...
>>>
>>>
> Are you sure there are more than 18 targets with unique parameters inside?
>> That uniq says unique strings it found, but it doesn't go through
>> parameter
>> names to see what can be exploited.
>>
>
> There are 293 fields in my recorded session.
>
> Another odd thing about this, I chopped the first 509600 bytes (8%) off
> the beginning of the Burp log (on a record boundary of course) and SQLMap
> still reports that it only found 18 targets -- but it will still always
> start with the first URL from the Burp log anyway. (I chopped it elsewhere
> previously with the same result.)
>
> I mean if the Burp log starts with:
>
> ======================================================
> 6:25:56 PM https://10.6.1.142:443
> ======================================================
> POST /analysis/filter HTTP/1.1
> Host: 10.6.1.142
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0)
> Gecko/20100101 Firefox/11.0
> Accept: text/javascript, text/html, application/xml, text/xml, */*
> [blah blah blah...]
> Content-Length: ...
> Cookie: _session_id=ab36ffc767c4fea19473af1a10a03d671; Cache-Control:
> no-cache
>
> utf8=%E2%9C%93&token=0Uocx9Clc&filter_text=moo&
> case_sensitive=1&username=foo
> ======================================================
> HTTP/1.1 200 OK
> Date: Thu, 05 Apr 2012 01:25:56 GMT
> Server: Whatever 2.0
> Content-Type: text/javascript; charset=utf-8
> [...]
>
> ... Then SQLMap will start testing this URI, with these parameters
> correctly.
>
> Oh, I may have spoken too soon... SQLMap seems to be sticking the
> "======================================================" division onto
> the end of the last field,
> "username=foo======================================================"
Fixed with last revision r4979
> in this example. But other than that it seems to be working ok. (And I
> mean, 'ok' until it crashes with "InvalidURL: nonnumeric port:" )
>
> Will take a look
Kind regards
--
Miroslav Stampar
http://about.me/stamparm
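
An added example, not sqlmap's parser and not code from this thread: a minimal reader for the Burp log layout quoted above that cuts each request at the divider line, so the divider never ends up in the last body parameter. The names `parse_requests` and `distinct_targets`, the sample log, and the rule for collapsing requests (same method, URL and parameter names) are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

SEP = "=" * 54  # divider line of the log layout quoted in the thread
# Record header: divider, "<time> <scheme>://<host>:<port>", divider
HEADER = re.compile(r"^={54}\n(\S+ [AP]M) +(https?://\S+)\n={54}\n", re.M)

# Constructed sample in the same layout (values are made up).
SAMPLE = "\n".join([
    SEP, "6:25:56 PM https://10.6.1.142:443", SEP,
    "POST /analysis/filter HTTP/1.1", "Host: 10.6.1.142", "",
    "filter_text=moo&case_sensitive=1&username=foo",
    SEP, "HTTP/1.1 200 OK", "Content-Type: text/javascript", "", "{}", SEP,
    "", "",
    SEP, "6:26:01 PM https://10.6.1.142:443", SEP,
    "POST /analysis/filter HTTP/1.1", "Host: 10.6.1.142", "",
    "filter_text=bar&case_sensitive=0&username=baz",
    SEP, "HTTP/1.1 200 OK", "", "{}", SEP, "",
])

def parse_requests(log):
    """Yield (base_url, method, path, params) for each request in the log."""
    log = log.replace("\r\n", "\n")
    heads = list(HEADER.finditer(log))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log)
        record = log[h.end():end]
        # The request stops at the next divider line; everything after it is
        # the response. Cutting here keeps the divider out of the body.
        request = re.split(r"^={54}$", record, maxsplit=1, flags=re.M)[0]
        head, _, body = request.partition("\n\n")
        method, target, _ = head.split("\n", 1)[0].split(" ", 2)
        parts = urlsplit(target)
        params = parse_qsl(parts.query, keep_blank_values=True)
        params += parse_qsl(body.strip(), keep_blank_values=True)
        yield h.group(2), method, parts.path, params

def distinct_targets(log):
    """Collapse requests that share method, URL and parameter names."""
    seen = {}
    for base, method, path, params in parse_requests(log):
        key = (method, base + path, tuple(sorted(n for n, _ in params)))
        seen.setdefault(key, params)
    return seen
```

Under that collapsing rule, a session with many recorded fields can reduce to far fewer distinct targets, since repeated submissions of the same form count once.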