Hi Till. Are you maybe referring to the case where an MSSQL integer column is injectable, manifesting conversion errors when an arbitrary SELECT is used?
e.g. id=(SELECT 'abc') -> something like: bad conversion of 'abc' to integer value

We do have such a payload, named: Microsoft SQL Server/Sybase error-based - Parameter replace (integer column), but it's available with --level>=4

Kind regards

On Mon, May 7, 2012 at 11:25 AM, Till Maas <opensou...@till.name> wrote:
> Hi,
>
> could you please add a simple "SELECT" payload to sqlmap, that will
> assume that the injectable parameter will just allow to specify SELECT
> statements. This would make it easier to use sqlmap with --prefix and
> --suffix, because the latter parameters could be used to specify the
> prefix and suffix of a complex UNION SELECT attack vector.
>
> Regards
> Till
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users

--
Miroslav Stampar
http://about.me/stamparm