Yup.
Bye
Dana 25.1.2013. 18:48 "Boris Chazalet" <[email protected]> je
napisao/la:
> Wow, thanks a lot Miroslav!
>
> So what's the rule, any variable created in the eval code is considered as
> a HTTP parameter for the ongoing request?
>
> Regards,
> Boris
>
> On 25/01/13 15:20, Miroslav Stampar wrote:
>
> Hi Boris.
>
> This would do:
>
> python sqlmap.py -u "
> http://myserver.com/createUser.xml?name=Bob&phone=0789123456&password=qwerty<http://myserver.com/createUser.xml?name=Bob&phone=0789123456&password=qwerty&sig=3cd7a0db76ff9dca48979e24c39b408c>"
> --eval='import hashlib;sig=hashlib.md5("%s:%s:%s:%s" % (name, phone,
> password, "secretkey123")).hexdigest()'
>
> Kind regards,
> Miroslav Stampar
>
> On Fri, Jan 25, 2013 at 3:13 PM, Boris Chazalet <[email protected]
> > wrote:
>
>> Well, an example of a valid request to the server looks something like
>> this:
>>
>> http://myserver.com/createUser.xml?name=Bob&phone=0789123456&password=qwerty&sig=3cd7a0db76ff9dca48979e24c39b408c
>>
>> with name, phone, password being regular parameters and sig being the
>> hash of the params value, or in other words:
>> sig = md5(bob:phone:qwerty:secretkey)
>>
>> The server first checks the sig parameter and reject the request if it
>> does not match its own calculation.
>>
>> I have a python script to compute the sig value using the secret key so I
>> just would like to access any sqlmap request before it is actually send in
>> order to append the sig parameter and its value, i.e.
>> "&sig=3cd7a0db76ff9dca48979e24c39b408c".
>>
>> My question is whether that can be done with the --eval switch or if that
>> requires me to go into the source code of sqlmap and add this functionality
>>
>> Thanks a lot for your help.
>> Regards,
>> Boris
>>
>> On 24/01/13 18:17, Miroslav Stampar wrote:
>>
>> Hi.
>>
>> Could you please give more information?
>>
>> Kind regards,
>> Miroslav Stampar
>> Dana 24.1.2013. 18:56 "Boris Chazalet" <[email protected]> je
>> napisao/la:
>>
>>> Hi,
>>>
>>> I need to sign the requests with a secret key before sending it to the
>>> server for them to be accepted. More precisely, I need to hash the
>>> different request parameters together with a secret key and to add that
>>> hash as an extra parameter in the final URL.
>>>
>>> Is that something that can be done with the --eval switch or do I need
>>> to modify the source code?
>>>
>>> Regards,
>>> Boris
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
>>> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
>>> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
>>> MVPs and experts. ON SALE this month only -- learn more at:
>>> http://p.sf.net/sfu/learnnow-d2d
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
>> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
>> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
>> MVPs and experts. ON SALE this month only -- learn more at:
>> http://p.sf.net/sfu/learnnow-d2d
>> _______________________________________________
>> sqlmap-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
>
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
> _______________________________________________
> sqlmap-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
sqlmap-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
