Hi Julia.
Sorry for taking so long to respond.
There are two things that need to be considered before giving a conclusion
on this one:
A) this is a rare case with both redirection and the Host header being involved,
containing the character ':'
B) a week ago we removed the Host header from the default scan on higher
--level/--risk values (the user has to explicitly either set the 'Host' header
value and/or use -p host together with higher --level/--risk values)
Now, as this is all caused by the (IMO) messy programming code of httplib's
_set_hostport() method (...i = host.rfind(':')...j = host.rfind(']')...)
and with the facts given above, this is going to be one of those "stay as
it is" bugs. It's just not worth doing a "just in case" dirty patch for such
cases, especially because of fact B.
Hence, thank you for your report, but this will be handled only in case of
a second report.
Kind regards
On Wed, Apr 11, 2012 at 12:03 AM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:
> Hi Julia.
>
> On Tue, Apr 10, 2012 at 11:40 PM, Julia Wolf <jw...@fireeye.com> wrote:
>
>> On Fri, 6 Apr 2012, Miroslav Stampar wrote:
>>
>> On Fri, Apr 6, 2012 at 2:09 AM, Julia Wolf <jw...@fireeye.com> wrote:
>>>
>>> Unrelated... I can't seem to get SQLMap to fully parse Burp logs. It
>>>> says
>>>>
>>>> [19:13:04] [DEBUG] parsing targets list from '/home/jwolf/burpreq.log'
>>>> [19:13:05] [INFO] sqlmap parsed 18 testable requests from the targets
>>>> list
>>>> [19:13:05] [INFO] sqlmap got a total of 18 targets
>>>>
>>>> I know there's more than eighteen targets...
>>>>
>>>>
>> Are you sure there are more than 18 targets with unique parameters
>>> inside?
>>> That uniq says unique strings it found, but it doesn't go through
>>> parameter
>>> names to see what can be exploited.
>>>
>>
>> There are 293 fields in my recorded session.
>>
>> Another odd thing about this, I chopped the first 509600 bytes (8%) off
>> the beginning of the Burp log (on a record boundary of course) and SQLMap
>> still reports that it only found 18 targets -- but it will still always
>> start with the first URL from the Burp log anyway. (I chopped it elsewhere
>> previously with the same result.)
>>
>> I mean if the Burp log starts with:
>>
>> ======================================================
>> 6:25:56 PM https://10.6.1.142:443
>> ======================================================
>> POST /analysis/filter HTTP/1.1
>> Host: 10.6.1.142
>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0)
>> Gecko/20100101 Firefox/11.0
>> Accept: text/javascript, text/html, application/xml, text/xml, */*
>> [blah blah blah...]
>> Content-Length: ...
>> Cookie: _session_id=ab36ffc767c4fea19473af1a10a03d671;
>> Cache-Control: no-cache
>>
>> utf8=%E2%9C%93&token=0Uocx9Clc&filter_text=moo&
>> case_sensitive=1&username=foo
>> ======================================================
>> HTTP/1.1 200 OK
>> Date: Thu, 05 Apr 2012 01:25:56 GMT
>> Server: Whatever 2.0
>> Content-Type: text/javascript; charset=utf-8
>> [...]
>>
>> ... Then SQLMap will start testing this URI, with these parameters
>> correctly.
>>
>> Oh, I may have spoken too soon... SQLMap seems to be sticking the
>> "======================================================" division onto
>> the end of the last field, "username=foo=================
>> ====================================="
>
> Fixed with last revision r4979
>
>
>> in this example. But other than that it seems to be working ok. (And I
>> mean, 'ok' until it crashes with "InvalidURL: nonnumeric port:" )
>>
>> Will take a look
>
> Kind regards
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
--
Miroslav Stampar
http://about.me/stamparm
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
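
An added example, not part of the original message and not httplib's source: a simplified re-creation of the rfind(':') / rfind(']') host/port split the reply refers to, showing which Host values end in "nonnumeric port" and which are silently misread. The function names, the default port of 80 and the sample values are assumptions of this example.

```python
class InvalidURL(ValueError):
    """Stand-in for httplib.InvalidURL, defined here so the example is self-contained."""


def rfind_split(host, default_port=80):
    """Split 'host[:port]' by comparing the last ':' with the last ']'."""
    i = host.rfind(':')
    j = host.rfind(']')              # a bracketed IPv6 literal ends with ']'
    if i > j:                        # ':' after any ']' is read as the port separator
        tail = host[i + 1:]
        try:
            port = int(tail)
        except ValueError:
            if tail == "":           # "host:" falls back to the default port
                port = default_port
            else:
                raise InvalidURL("nonnumeric port: '%s'" % tail)
        host = host[:i]
    else:
        port = default_port
    if host.startswith('[') and host.endswith(']'):
        host = host[1:-1]            # strip IPv6 brackets
    return host, port


def describe(value):
    """Return (host, port) or the error text for one Host value."""
    try:
        return rfind_split(value)
    except InvalidURL as exc:
        return str(exc)


# Constructed Host values (not taken from the thread's Burp log).
SAMPLES = [
    "10.6.1.142",          # no ':' -> default port
    "10.6.1.142:443",      # numeric port
    "[::1]:8443",          # bracketed IPv6 with port
    "::1",                 # unbracketed IPv6: silently misread as host ':' port 1
    "10.6.1.142:443abc",   # non-digits after ':' -> the crash from the thread
]

if __name__ == "__main__":
    for value in SAMPLES:
        print("%-20r -> %r" % (value, describe(value)))
```

The unbracketed "::1" case raises no error at all, so a caller that only catches InvalidURL still ends up with a wrong host and port.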