Even though it's wrong to use GET with this enctype, I think it will still
work:
http://oi49.tinypic.com/2yn2r9w.jpg
So if this is interacting with a database, there could still be an
injection. Perhaps the check that sqlmap does is too simplistic?
Regards
Chris
On 9 August 2012 11:23, Marco Mirandola <mmmc...@gmail.com> wrote:
> But rather than checking enctype="multipart/form-data", which in my case
> does not include any upload (see attached HTML), why not exclude
> only the possible upload?
> In the attached example we have:
>
> 2 select (combobox)
> 3 checkboxes
>
> both valid for the injection ...
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
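The point made in the thread, as an added example that is not part of the original messages or of sqlmap's code: a browser ignores `enctype` when the method is GET and URL-encodes the fields into the query string, so select and checkbox values still reach the server, and only `type="file"` controls actually need multipart. The sample form is constructed (it is not the attachment from the thread), and `FormParser` and `describe_submission` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample (not the attachment from the thread): a GET form that
# declares multipart/form-data but contains no file input.
SAMPLE = """<form action="/search.php" method="get" enctype="multipart/form-data">
<select name="cat"><option value="1">A</option><option value="2" selected>B</option></select>
<select name="sort"><option value="asc">Asc</option><option value="desc">Desc</option></select>
<input type="checkbox" name="f1" value="x" checked> <input type="checkbox" name="f2" value="y">
<input type="checkbox" name="f3" checked></form>"""

class FormParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form, self.names, self.sent, self.files = {}, [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name, kind = a.get("name"), (a.get("type") or "text").lower()
        if tag == "form":
            self.form = a
        elif tag == "input" and name and kind == "file":
            self.files.append(name)  # the only control that needs multipart
        elif tag == "input" and name:
            self.names.append(name)
            if kind != "checkbox":
                self.sent.append([name, a.get("value") or ""])
            elif "checked" in a:  # browsers omit unchecked boxes
                self.sent.append([name, a.get("value") or "on"])
        elif tag == "select" and name:
            self.names.append(name)
            self.sent.append([name, None])  # filled in by its <option> tags
        elif tag == "option" and self.sent:  # assumes <option> only inside <select>, with value=
            if self.sent[-1][1] is None or "selected" in a:
                self.sent[-1][1] = a.get("value") or ""

def describe_submission(html):
    p = FormParser()
    p.feed(html)
    method = (p.form.get("method") or "get").upper()
    # For GET the enctype attribute is ignored: data is URL-encoded into the query.
    encoding = "query-string" if method == "GET" else (p.form.get("enctype") or "application/x-www-form-urlencoded")
    url = p.form.get("action", "")
    if method == "GET":
        url += "?" + urlencode([tuple(kv) for kv in p.sent])
    return {"method": method, "encoding": encoding, "url": url, "params": p.names, "files": p.files}
```

For the sample form, `describe_submission(SAMPLE)` reports five named parameters, no file inputs, and a plain query-string submission despite the declared enctype.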