Hello, yes '*' works, but I have to put it behind parameter's name manually. I wish there was an option to tell sqlmap to automatically try SQLi not only inside parameter values but also inside parameter names. Is is possible to add such functionality?
Kind Regards Karel Marhoul On 28.3.2013 15:41, Miroslav Stampar wrote: > Hi. > > Just use custom injection mark character. > > For example: > > python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"; > > will try to inject into the parameter name id. > > Kind regards, > Miroslav Stampar > > On Wed, Mar 27, 2013 at 11:02 AM, a a <rezorci...@seznam.cz > <mailto:rezorci...@seznam.cz>> wrote: > > Hello, > > During one assessment I have found the web application that is > vulnerable to > the SQL injection not in parameter values but in parameter names itself. > > This is something sqlmap is unable to find. Is it possible to add such > functionality (e.g. by optional parameter) to sqlmap? > > Regards > > Karel Marhoul > > > ------------------------------------------------------------------------------ > Own the Future-Intel® Level Up Game Demo Contest 2013 > Rise to greatness in Intel's independent game demo contest. > Compete for recognition, cash, and the chance to get your game > on Steam. $5K grand prize plus 10 genre and skill prizes. > Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net > <mailto:sqlmap-users@lists.sourceforge.net> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > -- > Miroslav Stampar > http://about.me/stamparm ------------------------------------------------------------------------------ Own the Future-Intel(R) Level Up Game Demo Contest 2013 Rise to greatness in Intel's independent game demo contest. Compete for recognition, cash, and the chance to get your game on Steam. $5K grand prize plus 10 genre and skill prizes. Submit your demo by 6/6/13. http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2 _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
