Hi Marek.
I've started to reply to your original mail and stopped because I've got
bunch of other work to finish.
My though is that we can't easily do this as a "feature" of sqlmap as it
would require *too much effort for a little or no gain* (in terms of
functionality).
Now, in your place I would go with the following solution (least effort,
most gain):
1) make tamper script to do those replacements (you've already described
those forms which can be replaced)
2) short circuit DBMS fingerprinting part as there are lots of ',' chars
there as you've spotted
Also, this would be limited to most probably boolean/time-based injection
(at least on MySQL). That's because we need concatenation of strings for
UNION/ERROR techniques and in those cases "concat" needs to be used (which
obviously uses commas) for appending/prepending suffix/prefix character
strings.
Now, if you are interested in that kind of solution I could make you such a
tamper script and tell you how to short circuit DBMS fingerprinting. Only
thing is that you would need to wait a few days as I am overbundled with
other work.
Kind regards
On Tue, Apr 24, 2012 at 4:05 PM, Stiefenhofer, Marek <
m.stiefenho...@r-tec.net> wrote:
> After reading my own post I need to clarify this:
>
> My drafted plan of modifying sqlmap was not thought to be a feature
> request or change recommendation. At most it is an idea and I'd like to
> read your further suggestions. If I can accomplish some of the more
> sophisticated functions of sqlmap (file operations, command execution)
> without comma, I'd be willing to poc implement that. Whether this could
> become useful or not for the official release, is of course a decision
> of Miroslav and Bernardo ;-)
>
> -marek
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
