this will inject before name:
python sqlmap.py -u "http://www.target.com/vuln.php?*id=1"
this will inject after name:
python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
this will inject into name:
python sqlmap.py -u "http://www.target.com/vuln.php?i*d=1"
this will inject before value:
python sqlmap.py -u "http://www.target.com/vuln.php?id=*1"
this will inject after value:
python sqlmap.py -u "http://www.target.com/vuln.php?id=1*"
Which combination do you need? We are not going to make a new switch for
this kind of thing because you can use * to mark your "special need".
Kind regards,
Miroslav Stampar
On Thu, Mar 28, 2013 at 7:06 PM, Karel Marhoul <rezorci...@seznam.cz> wrote:
> Hello,
>
> yes '*' works, but I have to put it behind parameter's name manually. I
> wish there was an option to tell sqlmap to automatically try SQLi not only
> inside parameter values but also inside parameter names. Is it possible to
> add such functionality?
>
> Kind Regards
>
> Karel Marhoul
>
> On 28.3.2013 15:41, Miroslav Stampar wrote:
>
>> Hi.
>>
>> Just use custom injection mark character.
>>
>> For example:
>>
>> python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
>>
>> will try to inject into the parameter name id.
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Wed, Mar 27, 2013 at 11:02 AM, a a <rezorci...@seznam.cz> wrote:
>>
>> Hello,
>>
>> During one assessment I have found the web application that is
>> vulnerable to the SQL injection not in parameter values but in
>> parameter names themselves.
>>
>> This is something sqlmap is unable to find. Is it possible to add such
>> functionality (e.g. by optional parameter) to sqlmap?
>>
>> Regards
>>
>> Karel Marhoul
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
>
--
Miroslav Stampar
http://about.me/stamparm
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
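
For the defending side of the finding discussed in this thread, the following is an added example and not code from sqlmap or from any poster. The thread does not say how the assessed application built its query, so the pattern shown (request parameter names used as column names), the `users` schema and all function names are assumptions.

```python
import sqlite3

ALLOWED_COLUMNS = {"id", "name", "role"}  # assumed schema for this example

def make_db():
    # Constructed sample data, in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return db

def run_filter(db, params):
    # Values are bound as parameters; names are placed in the SQL text.
    where = " AND ".join(f"{name} = ?" for name in params) or "1 = 1"
    sql = f"SELECT id FROM users WHERE {where} ORDER BY id"
    return [row[0] for row in db.execute(sql, list(params.values()))]

def find_users_vulnerable(db, params):
    # Binding the values does not help: every request parameter NAME still
    # reaches the statement unchecked and is parsed as SQL.
    return run_filter(db, params)

def find_users_hardened(db, params):
    # Identifiers cannot be bound, so names must match a fixed allowlist
    # before any SQL text is built.
    unknown = sorted(set(params) - ALLOWED_COLUMNS)
    if unknown:
        raise ValueError(f"unsupported filter name(s): {unknown}")
    return run_filter(db, params)

if __name__ == "__main__":
    db = make_db()
    crafted = {"1=1 OR role": "admin"}  # constructed parameter name
    print(find_users_vulnerable(db, {"role": "admin"}))
    print(find_users_vulnerable(db, crafted))
    try:
        find_users_hardened(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

A scanner that only varies parameter values exercises the bound `?` placeholders here and reports nothing, which is why the parameter name has to be marked as the test point explicitly.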