Hi Boris.

It should be fixed now with the latest commit [1].

Bye

[1]
https://github.com/sqlmapproject/sqlmap/commit/c34f6e25b26498579d518f1a8d2cfac199723743

On Tue, Feb 12, 2013 at 4:49 PM, Boris Chazalet
<[email protected]> wrote:

>  Replying to myself, that did the trick:
>
> python sqlmap.py -u
> "http://myserver.com/api/my_object/create.xml?app_id=100&arg1=email&[email protected]"
> --eval='import urllib as ul;import base64;import
> hashlib;api_sig=base64.b64encode(hashlib.md5("%s=%s%s=%s%s=%s%s" %
> ("app_id", app_id, "arg1", ul.unquote_plus(arg1), "arg2",
> ul.unquote_plus(arg2), "secretstuff")).digest())' --skip=app_id
> --load-cookies=cookies.txt
>
>
> On 12/02/13 15:15, Boris Chazalet wrote:
>
> Hi again,
>
> I am coming back to my signing issue. I run the following command in order
> to run sqlmap and have my request signed (well, it's only a hash of some
> params and a secret):
> python sqlmap.py -u
> "http://myserver.com/api/my_object/create.xml?app_id=100&arg1=email&[email protected]"
> --eval='import base64;import
> hashlib;api_sig=base64.b64encode(hashlib.md5("%s=%s%s=%s%s=%s%s" %
> ("app_id", app_id, "arg1", arg1, "arg2", arg2, "secretstuff")).digest())'
> --skip=app_id
>
> I am running Wireshark to see the actual requests. First sqlmap checks if
> the url is stable and that's fine (i.e. the signing works). Then it tries
> to mess up with arg1 by replacing its value to 3448 or 1584 and that's fine
> too. Then it tries to inject arg1=email%27%29%5B%5D%2C%27%5B%22%22%5B but
> the signature is not correct anymore.
>
> The hashing done in the --eval part should be applied to values before they
> get URLEncoded and that's where I think my problem is. How could I get the
> "raw" value of arg1, i.e. not URLEncoded?
>
> Thanks a lot again for your help.
> Boris
>
>
> On 25/01/13 17:31, Boris Chazalet wrote:
>
> Wow, thanks a lot Miroslav!
>
> So what's the rule, any variable created in the eval code is considered as
> an HTTP parameter for the ongoing request?
>
> Regards,
> Boris
>
> On 25/01/13 15:20, Miroslav Stampar wrote:
>
> Hi Boris.
>
>  This would do:
>
> python sqlmap.py -u
> "http://myserver.com/createUser.xml?name=Bob&phone=0789123456&password=qwerty"
> --eval='import hashlib;sig=hashlib.md5("%s:%s:%s:%s" % (name, phone,
> password, "secretkey123")).hexdigest()'
>
>  Kind regards,
> Miroslav Stampar
>
> On Fri, Jan 25, 2013 at 3:13 PM, Boris Chazalet <[email protected]>
> wrote:
>
>>  Well, an example of a valid request to the server looks something like
>> this:
>>
>> http://myserver.com/createUser.xml?name=Bob&phone=0789123456&password=qwerty&sig=3cd7a0db76ff9dca48979e24c39b408c
>>
>> with name, phone, password being regular parameters and sig being the
>> hash of the params value, or in other words:
>> sig = md5(bob:phone:qwerty:secretkey)
>>
>> The server first checks the sig parameter and rejects the request if it
>> does not match its own calculation.
>>
>> I have a python script to compute the sig value using the secret key so I
>> just would like to access any sqlmap request before it is actually sent in
>> order to append the sig parameter and its value, i.e.
>> "&sig=3cd7a0db76ff9dca48979e24c39b408c".
>>
>> My question is whether that can be done with the --eval switch or if that
>> requires me to go into the source code of sqlmap and add this functionality.
>>
>> Thanks a lot for your help.
>> Regards,
>> Boris
>>
>> On 24/01/13 18:17, Miroslav Stampar wrote:
>>
>> Hi.
>>
>> Could you please give more information?
>>
>> Kind regards,
>> Miroslav Stampar
>> On 24.1.2013 at 18:56, "Boris Chazalet" <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> I need to sign the requests with a secret key before sending them to the
>>> server for them to be accepted. More precisely, I need to hash the
>>> different request parameters together with a secret key and to add that
>>> hash as an extra parameter in the final URL.
>>>
>>> Is that something that can be done with the --eval switch or do I need
>>> to modify the source code?
>>>
>>> Regards,
>>> Boris
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>
>
>
>  --
> Miroslav Stampar
> http://about.me/stamparm
>


-- 
Miroslav Stampar
http://about.me/stamparm
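
The encoding mismatch discussed in this thread, as an added example (not code from the thread or from sqlmap): a server that hashes the decoded parameter values rejects a signature computed over the URL-encoded form as soon as a value contains characters that get percent-encoded. The server-side check and the names `sign`, `server_accepts` and `build_query` are assumptions; the hash layout and the `secretstuff` placeholder follow the thread, the parameter values are constructed, and the code is Python 3.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote_plus, unquote_plus

SECRET = "secretstuff"                      # placeholder secret from the thread
SIGNED_FIELDS = ("app_id", "arg1", "arg2")  # order of the thread's format string

# Constructed inputs: a benign request, and the probe value quoted in the thread.
PLAIN = {"app_id": "100", "arg1": "email", "arg2": "bob"}
PROBE = dict(PLAIN, arg1=unquote_plus("email%27%29%5B%5D%2C%27%5B%22%22%5B"))


def sign(params):
    """Base64 of MD5 over name=value pairs followed by the secret."""
    material = "".join("%s=%s" % (k, params.get(k, "")) for k in SIGNED_FIELDS)
    digest = hashlib.md5((material + SECRET).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def server_accepts(query_string):
    """Assumed server check: decode the query, recompute the hash, compare."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    sent = params.pop("api_sig", "")
    return hmac.compare_digest(sent.encode("utf-8"), sign(params).encode("ascii"))


def build_query(raw, sign_encoded):
    """Client: URL-encode the values, then sign the encoded or the decoded form."""
    encoded = {k: quote_plus(v) for k, v in raw.items()}
    decoded = {k: unquote_plus(v) for k, v in encoded.items()}
    sig = sign(encoded if sign_encoded else decoded)
    pairs = list(encoded.items()) + [("api_sig", quote_plus(sig))]
    return "&".join("%s=%s" % kv for kv in pairs)


def demo():
    return {
        "plain, signed encoded": server_accepts(build_query(PLAIN, True)),
        "probe, signed encoded": server_accepts(build_query(PROBE, True)),
        "probe, signed decoded": server_accepts(build_query(PROBE, False)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "->", "accepted" if accepted else "rejected")
```

The first case passes only because its values contain nothing that needs percent-encoding, which matches the stability check succeeding in the thread before the signature started failing.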