Wow, thanks a lot Miroslav!

So what's the rule: any variable created in the eval code is considered an HTTP parameter for the ongoing request?

Regards,
Boris

On 25/01/13 15:20, Miroslav Stampar wrote:
Hi Boris.

This would do:

python sqlmap.py -u "http://myserver.com/createUser.xml?name=Bob&phone=0789123456&password=qwerty" --eval='import hashlib;sig=hashlib.md5("%s:%s:%s:%s" % (name, phone, password, "secretkey123")).hexdigest()'

Kind regards,
Miroslav Stampar

On Fri, Jan 25, 2013 at 3:13 PM, Boris Chazalet <[email protected]> wrote:

    Well, an example of a valid request to the server looks something
    like this:
    
http://myserver.com/createUser.xml?name=Bob&phone=0789123456&password=qwerty&sig=3cd7a0db76ff9dca48979e24c39b408c

    with name, phone, password being regular parameters and sig being
    the hash of the params value, or in other words:
    sig = md5(bob:phone:qwerty:secretkey)

    The server first checks the sig parameter and rejects the request
    if it does not match its own calculation.

    I have a python script to compute the sig value using the secret
    key, so I just would like to access any sqlmap request before it is
    actually sent in order to append the sig parameter and its value,
    i.e. "&sig=3cd7a0db76ff9dca48979e24c39b408c".

    My question is whether that can be done with the --eval switch or
    if that requires me to go into the source code of sqlmap and add
    this functionality.

    Thanks a lot for your help.
    Regards,
    Boris

    On 24/01/13 18:17, Miroslav Stampar wrote:

    Hi.

    Could you please give more information?

    Kind regards,
    Miroslav Stampar

    On 24.1.2013 at 18:56, "Boris Chazalet" <[email protected]> wrote:

        Hi,

        I need to sign the requests with a secret key before sending
        them to the server for them to be accepted. More precisely, I
        need to hash the different request parameters together with a
        secret key and to add that hash as an extra parameter in the
        final URL.

        Is that something that can be done with the --eval switch or
        do I need
        to modify the source code?

        Regards,
        Boris



        
------------------------------------------------------------------------------
        Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
        MVC, Windows 8 Apps, JavaScript and much more. Keep your
        skills current
        with LearnDevNow - 3,200 step-by-step video tutorials by
        Microsoft
        MVPs and experts. ON SALE this month only -- learn more at:
        http://p.sf.net/sfu/learnnow-d2d
        _______________________________________________
        sqlmap-users mailing list
        [email protected]
        <mailto:[email protected]>
        https://lists.sourceforge.net/lists/listinfo/sqlmap-users



    




--
Miroslav Stampar
http://about.me/stamparm


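The following is an added worked example, not code from the thread or from sqlmap itself. It emulates the contract the answer relies on (the one-liner runs before each request with the query parameters bound as variables, and a string variable it defines ends up as a request parameter) and shows why that matters: sqlmap changes a parameter value for every test, so a signature computed once over the clean request would fail, while a hook that recomputes it per request passes the server check. The secret "secretkey123", the host and the parameter values are the placeholders from the thread; the server-side verifier is assumed from Boris's description. The only change to the original one-liner is an added .encode(), since hashlib on Python 3 (which current sqlmap runs on) hashes bytes rather than str.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder secret taken from the thread's command line; the real key is the target's.
SECRET_KEY = "secretkey123"

# Request from the thread without the sig parameter: the hook has to add it.
BASE_URL = "http://myserver.com/createUser.xml?name=Bob&phone=0789123456&password=qwerty"

# The --eval one-liner from the answer. One change: .encode() on the formatted
# string, because hashlib on Python 3 hashes bytes, not str.
EVAL_SNIPPET = (
    "import hashlib;"
    'sig=hashlib.md5(("%s:%s:%s:%s" % (name, phone, password, "secretkey123")).encode()).hexdigest()'
)


def apply_eval(url, code):
    """Emulate the --eval contract the answer relies on: run `code` with the
    request's query parameters bound as variables, then fold every new or
    changed string variable back into the query string (replacing an existing
    parameter of that name, appending otherwise). Non-string names such as the
    imported `hashlib` module are ignored. This is an illustration, not
    sqlmap's own implementation."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    namespace = dict(params)
    exec(code, {}, namespace)  # the snippet is the operator's own code, not untrusted input
    for name, value in namespace.items():
        if isinstance(value, str) and params.get(name) != value:
            params[name] = value  # existing keys keep their position, new ones go last
    return urlunsplit(parts._replace(query=urlencode(params)))


def compute_sig(params, secret=SECRET_KEY):
    """The signature scheme as Boris described it: md5(name:phone:password:secret)."""
    material = "%s:%s:%s:%s" % (params["name"], params["phone"], params["password"], secret)
    return hashlib.md5(material.encode()).hexdigest()


def server_accepts(url, secret=SECRET_KEY):
    """The server-side check from the thread: recompute the signature over the
    received parameters and reject on mismatch. compare_digest is an assumption
    (the thread does not say how the server compares); it avoids leaking the
    comparison result through timing."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    sig = params.get("sig")
    if sig is None or not all(k in params for k in ("name", "phone", "password")):
        return False
    return hmac.compare_digest(sig, compute_sig(params, secret))


if __name__ == "__main__":
    signed = apply_eval(BASE_URL, EVAL_SNIPPET)
    print("signed:   ", signed, server_accepts(signed))
    # What sqlmap does next: a payload changes `name`, so a signature computed
    # for the clean value no longer verifies ...
    tampered = signed.replace("name=Bob", "name=Bob%27")
    print("tampered: ", tampered, server_accepts(tampered))
    # ... which is why the hook must run before every request, not once.
    resigned = apply_eval(tampered, EVAL_SNIPPET)
    print("re-signed:", resigned, server_accepts(resigned))
```

Two practical notes. The hook only reproduces the target's scheme; its weaknesses (MD5 with a secret suffix rather than an HMAC, and a ":" separator that a value containing ":" can confuse) are properties of the server and not something the signing code can fix. And because the real secret lands in the command line, prefer pulling it from an environment variable inside the snippet (for example via os.environ) so it stays out of shell history and process listings.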