Thanks for answering, Miroslav.

I must not have been clear enough in my previous post. What I mean is
that, say, you got a website under your purview, an example.com.
There's a vulnerable script at
http://www.example.com/example.php?id=1&id2=2 and "id" is vulnerable.

Say, there's another SQLi in http://www.example.com/exampe2.asp.

Basically, every time I need to --dbs, --columns or whatever, I have
to _type in exactly the same URL and parameters_ which are _already
stored in the log file_. What I'm proposing to do is to add an option
to specify a domain name and (optionally) select from a number of
available attacks and go from there. Something like ./sqlmap.py -D
example.com --dbs.

Otherwise, we, the users, are forced to look up the logs in search of
the vulnerable script and its settings.

That'd just make things so much simpler for further attacks against
the "victim" server.

Thanks for your time and the work you put into this,
Anton Sazonov

On Sun, May 27, 2012 at 6:58 PM, Miroslav Stampar
<miroslav.stam...@gmail.com> wrote:
> Hi Anton.
>
> Maybe I am missing something:
> "I must be missing something, but shouldn't there be a command line
> switch to perform the exact same SQLi you did on your target machine"
>
> If you are referring to a normal session resumption then it's automatically
> being done. If you mean that you want to use information of SQLi from one
> target to another then there is no such option.
>
> If you need that first scenario then please tell me which version you use.
>
> Kind regards,
> Miroslav Stampar
>
> On Sat, May 26, 2012 at 1:32 AM, Anton Sazonov <anton.sazo...@gmail.com>
> wrote:
>>
>> Hello there,
>>
>> I must be missing something, but shouldn't there be a command line
>> switch to perform the exact same SQLi you did on your target machine?
>> I do realize that the vulnerabilities are stored in
>> $SQLMAP/output/$HOSTNAME/log and are rather easy to replicate, if
>> frustrating.
>>
>> Wouldn't that be easier for the end-users to just add an option to
>> specify the already injected and confirmed server in the command line,
>> as in, for example, ./sqlmap.py -h example.com --dbs?
>>
>> Couldn't find it in the documentation for the life of me. Apologies if
>> it has already been brought up.
>>
>> Thanks,
>> Anton
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm
