Actually, it's not that painful :-)

$ cat test.burp | sed '/^GET/s/=/\*=/g '
======================================================
3:09:06 PM  http://example.com:80  [192.0.43.10]
======================================================
GET /?name1*=value1&name2*=value2&name3*=value3 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: bg,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive


======================================================

Anyway, it's up to the devs if they want to implement such an option.

Happy Easter to you too!

~~
# m.
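The sed one-liner above only touches lines that start with GET and puts a `*` in front of every `=` on that line, so a value such as `name3=a=b` also gets a mark inside the value, and a form body in a POST is never marked at all. The script below is an added example for this thread, not code from sqlmap or from any of the posters: it walks a Burp log entry by entry, appends sqlmap's `*` injection mark after each parameter name in the request line's query string and in an application/x-www-form-urlencoded body, leaves headers (including cookies) alone, and keeps Content-Length consistent with the rewritten body. Only the `*` mark and the `-l` log option are sqlmap's; the function names and the constructed SAMPLE_LOG are my own.

```python
"""Mark parameter names as sqlmap injection points throughout a Burp log.

Added example for this thread, not code from sqlmap or from any poster.
sqlmap's custom injection mark ('*') and its -l Burp-log option are real;
everything else here (function names, the constructed SAMPLE_LOG) is mine.
"""

import re

# Separator line Burp writes around each logged request/response.
BANNER = "======================================================"

# Request line: METHOD SP request-target SP HTTP-version.
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\S+)$")


def mark_names(query):
    """Append '*' to every parameter name in a urlencoded query or body.

    Splits on '&' and only on the first '=' of each pair, so an '=' inside
    a value is left alone and names already carrying a mark are not doubled:
    'a=1&b=x=y&c' -> 'a*=1&b*=x=y&c*'
    """
    marked = []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if name == "" or name.endswith("*"):
            marked.append(pair)              # empty pair or already marked
        else:
            marked.append(name + "*" + sep + value)
    return "&".join(marked)


def mark_request(raw):
    """Rewrite one raw HTTP request; anything that is not a request passes through."""
    nl = "\r\n" if "\r\n" in raw else "\n"   # Burp writes CRLF, editors may not
    head, blank, body = raw.partition(nl + nl)
    lines = head.split(nl)
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return raw                           # banner text or a response block
    method, target, version = match.groups()

    path, qmark, query = target.partition("?")
    if query:
        lines[0] = "%s %s%s%s %s" % (method, path, qmark, mark_names(query), version)

    # Headers are not rewritten (sqlmap tests cookies and the rest already);
    # Content-Type tells us whether the body is a form, and Content-Length
    # must follow the body so the logged request stays self-consistent.
    ctype, cl_index = "", None
    for i, line in enumerate(lines[1:], start=1):
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key == "content-type":
            ctype = value.strip().lower()
        elif key == "content-length":
            cl_index = i

    payload = body.strip()
    if payload and ctype.startswith("application/x-www-form-urlencoded"):
        trailing = body[len(body.rstrip()):]   # keep the log's line endings
        payload = mark_names(payload)
        body = payload + trailing
        if cl_index is not None:
            lines[cl_index] = "Content-Length: %d" % len(payload.encode())

    return nl.join(lines) + blank + body


def mark_log(text):
    """Rewrite every request in a Burp log; banners and responses pass through."""
    out, block = [], []
    for line in text.splitlines(keepends=True):
        if line.rstrip("\r\n") == BANNER:
            if block:
                out.append(mark_request("".join(block)))
                block = []
            out.append(line)
        else:
            block.append(line)
    if block:
        out.append(mark_request("".join(block)))
    return "".join(out)


# Constructed sample in Burp's log layout (not a real capture). The GET has an
# '=' inside a value and a cookie that must stay untouched; the POST has a
# form body whose Content-Length must follow the rewrite.
SAMPLE_LOG = "\n".join([
    BANNER,
    "3:09:06 PM  http://example.com:80  [192.0.43.10]",
    BANNER,
    "GET /?name1=value1&name2=value2&name3=a=b HTTP/1.1",
    "Host: example.com",
    "Cookie: sid=abc=def",
    "",
    "",
    BANNER,
    "3:09:07 PM  http://example.com:80  [192.0.43.10]",
    BANNER,
    "POST /login HTTP/1.1",
    "Host: example.com",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: 23",
    "",
    "user=alice&pass=s3=cr3t",
    "",
    BANNER,
    "",
])

if __name__ == "__main__":
    import sys
    # Usage: python mark_names.py test.burp > marked.burp && sqlmap -l marked.burp
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sys.stdout.write(mark_log(src))
```

Running it a second time over its own output changes nothing, so a log can be marked once and reused. Parameters without a value (a bare `c` in the query) get a mark too, since the name is still a candidate injection point; drop the `name.endswith("*")` branch's sibling condition if you prefer to leave those alone.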

On Sun, Mar 31, 2013 at 12:35 PM, Karel Marhoul <rezorci...@seznam.cz> wrote:

> Ok, let's have for example following URL:
>
> http://example.com/?name1=value1&name2=value2&name3=value3
>
> If I do something like this:
>
> sqlmap -u http://example.com/?name1=value1&name2=value2&name3=value3
>
> sqlmap will try to inject payloads into parameter values, server headers,
> cookies and so on, but NOT into parameter names.
>
> Proposed parameter should work similar to this:
>
> sqlmap --inject-names -u http://example.com/?name1=value1&name2=value2&name3=value3
>
> And sqlmap will AUTOMATICALLY try to inject payload also into parameter
> names.
>
> Why I want this parameter instead of manually inserting '*' symbol?
> Because I often use sqlmap in conjunction with burp, where I take burp's
> log and give it to sqlmap for testing (via -l parameter). In this scenario,
> it would be painful to insert '*' after each parameter name.
>
> I hope I expressed it clearly :)
>
> Best regards and happy easter
>
> Karel Marhoul
>
>
> On 31.3.2013 0:11, mitchell wrote:
>
>> So you have an option to inject wherever you want, but you want another
>> option to inject "inside parameter names"? Maybe, I am missing something
>> here...
>>
>> ~~
>> # m.
>>
>>
>> On Thu, Mar 28, 2013 at 8:06 PM, Karel Marhoul <rezorci...@seznam.cz> wrote:
>>
>>     Hello,
>>
>>     yes '*' works, but I have to put it behind the parameter's name manually. I
>>     wish there was an option to tell sqlmap to automatically try SQLi not
>>     only inside parameter values but also inside parameter names. Is it
>>     possible to add such functionality?
>>
>>     Kind Regards
>>
>>     Karel Marhoul
>>
>>     On 28.3.2013 15:41, Miroslav Stampar wrote:
>>      > Hi.
>>      >
>>      > Just use custom injection mark character.
>>      >
>>      > For example:
>>      >
>>      > python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
>>      >
>>      > will try to inject into the parameter name id.
>>      >
>>      > Kind regards,
>>      > Miroslav Stampar
>>      >
>>      > On Wed, Mar 27, 2013 at 11:02 AM, a a <rezorci...@seznam.cz> wrote:
>>      >
>>      >     Hello,
>>      >
>>      >     During one assessment I found a web application that is
>>      >     vulnerable to SQL injection not in parameter values but in the
>>      >     parameter names themselves.
>>      >
>>      >     This is something sqlmap is unable to find. Is it possible to
>>     add such
>>      >     functionality (e.g. by optional parameter) to sqlmap?
>>      >
>>      >     Regards
>>      >
>>      >     Karel Marhoul
>>      >
>>      >
>>      >     ------------------------------------------------------------------------------
>>      >     Own the Future-Intel(R) Level Up Game Demo Contest 2013
>>      >     Rise to greatness in Intel's independent game demo contest.
>>      >     Compete for recognition, cash, and the chance to get your game
>>      >     on Steam. $5K grand prize plus 10 genre and skill prizes.
>>      >     Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
>>      >     _______________________________________________
>>      >     sqlmap-users mailing list
>>      >     sqlmap-users@lists.sourceforge.net
>>      >     https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>      >
>>      >
>>      >
>>      >
>>      > --
>>      > Miroslav Stampar
>>      > http://about.me/stamparm
>>
>>
>