Hi all,

My colleague is having an issue with POST/GET behaviour with JSON 
requests in sqlmap/1.0-dev-64ba880. He asked me to forward this to the 
mailing list:


I have the following request, which I load with the -l flag:

--
POST /blup?param=2 HTTP/1.1
Host: http://test.tld
User-Agent: Test
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 116
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"jq":{"Search":false,"nd":1,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}
--

- If I do not specify a parameter with -p, then sqlmap will happily test 
all parameters (including the ones in the URL) using HTTP POST requests 
with the JSON data.

- If I enter 'N' at "JSON like data found in POST data. Do you want to 
process it? [Y/n/q] ", then it will start to do HTTP GET requests for the 
parameters in the URL.

- If I specify '-p param', then sqlmap will start to do HTTP GET requests 
and it will leave out the JSON data.

If I do the same request from the command line:

--
sqlmap.py -u "http://test.tld/blup?param=2" \
  --data='{"jqGridRequest":{"IsSearch":false,"nd":1364299479869,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}' \
  -p param
--

Then sqlmap will not prompt me with "JSON like data found in POST data. 
Do you want to process it? [Y/n/q] " and it will test normally, so it 
seems to be related to the JSON detection.

Could you have a look at this behaviour and maybe fix sqlmap so that it 
will keep doing HTTP POST requests even when the JSON data is not processed?


Thanks!
Pieter
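
The request file and the parameter selection described above, as an added example that is not part of the original mail or of sqlmap itself: a small Python parser for a raw request file of this shape, and a helper that lists which (method, place, parameter) triples a scanner should test. The function names, the process_json/only switches, the flattened "a.b" key paths and the embedded sample request are this example's own; the helper keeps the original request method in every case, which is the behaviour the mail asks for.

```python
"""Added example (not from the mail or from sqlmap): parse a raw HTTP
request file and list the injection targets a scanner should try."""

import json
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the request from the mail, with its anonymised body.
SAMPLE_REQUEST = """POST /blup?param=2 HTTP/1.1
Host: http://test.tld
User-Agent: Test
Content-Type: application/json; charset=utf-8
Content-Length: 116

{"jq":{"Search":false,"nd":1,"PageSize":50,"PageIndex":1,"SortIndex":"","SortOrder":"asc"}}
"""


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, URL, query, headers, body.

    A Host value that mistakenly carries a scheme (as in the sample) is
    tolerated by stripping it. The declared Content-Length is compared with
    the real body length, since a scanner replaying the file must recompute
    it anyway."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    if "://" in host:
        host = host.split("://", 1)[1]
    split = urlsplit(target)
    body = body.rstrip("\n")
    declared = headers.get("content-length")
    return {
        "method": method,
        "url": "http://%s%s" % (host, split.path),
        "query": parse_qsl(split.query, keep_blank_values=True),
        "headers": headers,
        "body": body,
        "length_mismatch": declared is not None
        and int(declared) != len(body.encode()),
    }


def json_keys(body):
    """Flattened key paths ("jq.PageSize") of a JSON object body, or []
    when the body is not a JSON object. This is the detection step behind
    a "JSON like data found in POST data" prompt."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict):
        return []
    out = []

    def walk(obj, prefix):
        for key, value in obj.items():
            path = key if not prefix else prefix + "." + key
            if isinstance(value, dict):
                walk(value, path)
            else:
                out.append(path)

    walk(data, "")
    return out


def injection_targets(req, process_json=True, only=None):
    """(method, place, parameter) triples to test; place is "GET" for the
    query string and "POST" for the body. Declining the JSON body or
    restricting to one parameter never changes the request method."""
    targets = [(req["method"], "GET", name) for name, _ in req["query"]]
    if process_json:
        targets += [(req["method"], "POST", key)
                    for key in json_keys(req["body"])]
    if only is not None:
        targets = [t for t in targets if t[2] == only]
    return targets


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    for choice in (True, False):
        print("process_json=%s:" % choice, injection_targets(req, choice))
    print("-p param:", injection_targets(req, only="param"))
```

With process_json=False or only="param" the helper still returns a POST target for param; a scanner that instead drops to GET at that point has lost the body and the method, not just the JSON parameters.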


_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users