Ok, let's have for example following URL:

http://example.com/?name1=value1&name2=value2&name3=value3

If I do something like this:

sqlmap -u http://example.com/?name1=value1&name2=value2&name3=value3

sqlmap will try to inject payloads into parameter values, server headers, 
cookies and so on, but NOT into parameter names.

The proposed parameter should work similarly to this:

sqlmap --inject-names -u http://example.com/?name1=value1&name2=value2&name3=value3

And sqlmap will AUTOMATICALLY try to inject payloads into parameter 
names as well.

Why do I want this parameter instead of manually inserting the '*' symbol? 
Because I often use sqlmap in conjunction with Burp, where I take Burp's 
log and give it to sqlmap for testing (via the -l parameter). In this 
scenario, it would be painful to insert '*' after each parameter name.

I hope I expressed it clearly :)

Best regards and happy Easter

Karel Marhoul
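As an added illustration (not code from this thread, nor from sqlmap), here is the server-side pattern behind the bug Karel describes: a query builder that pastes parameter names from the query string into SQL as column names, beside a hardened version that allowlists them. The table, its columns and the sample rows are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qsl

# Constructed example: the columns a request may legitimately filter on.
ALLOWED_COLUMNS = {"name1", "name2", "name3"}

def build_filter_unsafe(query_string):
    """Vulnerable pattern: parameter VALUES go through placeholders, but
    parameter NAMES are pasted into the SQL text as column names, so any
    text a client puts in a name reaches the database parser verbatim."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    if not pairs:
        return "SELECT * FROM items", []
    where = " AND ".join(f"{name} = ?" for name, _ in pairs)
    return f"SELECT * FROM items WHERE {where}", [value for _, value in pairs]

def build_filter_safe(query_string):
    """Hardened: a name is used as a column only if it is on the allowlist;
    anything else is rejected before any SQL text is built."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    for name, _ in pairs:
        if name not in ALLOWED_COLUMNS:
            raise ValueError(f"unexpected parameter name: {name!r}")
    if not pairs:
        return "SELECT * FROM items", []
    where = " AND ".join(f"{name} = ?" for name, _ in pairs)
    return f"SELECT * FROM items WHERE {where}", [value for _, value in pairs]

def name_is_accepted(query_string):
    """True if the hardened builder accepts every parameter name."""
    try:
        build_filter_safe(query_string)
        return True
    except ValueError:
        return False

def run_safe(query_string):
    """Execute the hardened query against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name1 TEXT, name2 TEXT, name3 TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [("value1", "value2", "value3"), ("a", "b", "c")])
    sql, params = build_filter_safe(query_string)
    return conn.execute(sql, params).fetchall()

if __name__ == "__main__":
    # 'colour' is not a column, yet the unsafe builder embeds it in the SQL.
    print(build_filter_unsafe("name1=value1&colour=red")[0])
    print(run_safe("name1=value1&name2=value2&name3=value3"))
```

The same allowlist check is what a scanner that only mutates values cannot exercise, which is why testing the names (with '*' or an option like the one proposed) matters.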

On 31.3.2013 0:11, mitchell wrote:
> So you have an option to inject wherever you want, but you want another
> option to inject "inside parameter names"? Maybe, I am missing something
> here...
>
> ~~
> # m.
>
>
> On Thu, Mar 28, 2013 at 8:06 PM, Karel Marhoul <rezorci...@seznam.cz> wrote:
>
>     Hello,
>
>     yes '*' works, but I have to put it behind the parameter's name manually. I
>     wish there was an option to tell sqlmap to automatically try SQLi not
>     only inside parameter values but also inside parameter names. Is it
>     possible to add such functionality?
>
>     Kind Regards
>
>     Karel Marhoul
>
>     On 28.3.2013 15:41, Miroslav Stampar wrote:
>      > Hi.
>      >
>      > Just use custom injection mark character.
>      >
>      > For example:
>      >
>      > python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
>      >
>      > will try to inject into the parameter name id.
>      >
>      > Kind regards,
>      > Miroslav Stampar
>      >
>      > On Wed, Mar 27, 2013 at 11:02 AM, a a <rezorci...@seznam.cz> wrote:
>      >
>      >     Hello,
>      >
>      >     During one assessment I found a web application that is
>      >     vulnerable to SQL injection not in parameter values but in the
>      >     parameter names themselves.
>      >
>      >     This is something sqlmap is unable to find. Is it possible to
>      >     add such functionality (e.g. by an optional parameter) to sqlmap?
>      >
>      >     Regards
>      >
>      >     Karel Marhoul
>      >
>      > --
>      > Miroslav Stampar
>      > http://about.me/stamparm
>


_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
