Hi Karel.
This is one of those requests that are in need of a new option/switch among
hundreds of others, where we need to reject because of an easy workaround
solution. I would not say a thing if this would be used in a decent
percentage of runs.
Kind regards,
Miroslav Stampar
On Mar 31, 2013 9:58 PM, "Karel Marhoul" <rezorci...@seznam.cz> wrote:
> Ok, let's have for example following URL:
>
> http://example.com/?name1=value1&name2=value2&name3=value3
>
> If I do something like this:
>
> sqlmap -u http://example.com/?name1=value1&name2=value2&name3=value3
>
> sqlmap will try to inject payloads into parameter values, server headers,
> cookies and so on, but NOT into parameter names.
>
> Proposed parameter should work similar to this:
>
> sqlmap --inject-names -u
> http://example.com/?name1=value1&name2=value2&name3=value3
>
> And sqlmap will AUTOMATICALLY try to inject payload also into parameter
> names.
>
> Why I want this parameter instead of manually inserting '*' symbol?
> Because I often use sqlmap in conjunction with burp, where I take burp's
> log and give it to sqlmap for testing (via -l parameter). In this
> scenario, it would be painful to insert '*' after each parameter name.
>
> I hope I expressed it clearly :)
>
> Best regards and happy easter
>
> Karel Marhoul
>
> On 31.3.2013 0:11, mitchell wrote:
> > So you have an option to inject wherever you want, but you want another
> > option to inject "inside parameter names"? Maybe, I am missing something
> > here...
> >
> > ~~
> > # m.
> >
> >
> > On Thu, Mar 28, 2013 at 8:06 PM, Karel Marhoul <rezorci...@seznam.cz> wrote:
> >
> > Hello,
> >
> > yes '*' works, but I have to put it behind the parameter's name manually.
> > I wish there was an option to tell sqlmap to automatically try SQLi not
> > only inside parameter values but also inside parameter names. Is it
> > possible to add such functionality?
> >
> > Kind Regards
> >
> > Karel Marhoul
> >
> > On 28.3.2013 15:41, Miroslav Stampar wrote:
> > > Hi.
> > >
> > > Just use custom injection mark character.
> > >
> > > For example:
> > >
> > > python sqlmap.py -u "http://www.target.com/vuln.php?id*=1"
> > >
> > > will try to inject into the parameter name id.
> > >
> > > Kind regards,
> > > Miroslav Stampar
> > >
> > > On Wed, Mar 27, 2013 at 11:02 AM, a a <rezorci...@seznam.cz> wrote:
> > >
> > > Hello,
> > >
> > > During one assessment I have found a web application that is
> > > vulnerable to SQL injection not in parameter values but in the
> > > parameter names themselves.
> > >
> > > This is something sqlmap is unable to find. Is it possible to
> > > add such functionality (e.g. by optional parameter) to sqlmap?
> > >
> > > Regards
> > >
> > > Karel Marhoul
> > >
> > >
> >
> ------------------------------------------------------------------------------
> > > Own the Future-Intel® Level Up Game Demo Contest 2013
> > > Rise to greatness in Intel's independent game demo contest.
> > > Compete for recognition, cash, and the chance to get your game
> > > on Steam. $5K grand prize plus 10 genre and skill prizes.
> > > Submit your demo by 6/6/13.
> http://p.sf.net/sfu/intel_levelupd2d
> > > _______________________________________________
> > > sqlmap-users mailing list
> > > sqlmap-users@lists.sourceforge.net
> > <mailto:sqlmap-users@lists.sourceforge.net>
> > > <mailto:sqlmap-users@lists.sourceforge.net
> > <mailto:sqlmap-users@lists.sourceforge.net>>
> > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> > >
> > >
> > >
> > >
> > > --
> > > Miroslav Stampar
> > > http://about.me/stamparm
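The bug class Karel describes (injection through a parameter name rather than its value) comes from server code that splices request keys into SQL while binding only the values. The following added example, not from the thread or from sqlmap, shows that pattern in Python/sqlite3 beside an allow-listed fix; the table, columns and request keys are constructed for the demo.

```python
import sqlite3

# Constructed demo schema: is_admin is a column a client must never be able to set.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "email TEXT, is_admin INTEGER NOT NULL DEFAULT 0)")
    conn.execute("INSERT INTO users (id, name, email) VALUES (1, 'alice', 'a@example.com')")
    conn.commit()
    return conn

def update_profile_vulnerable(conn, user_id, params):
    """Values are bound as placeholders, but each request KEY is spliced into the
    statement verbatim, so the column list is attacker-controlled (names injectable,
    values safe: exactly the case sqlmap's 'id*=1' mark is used to exercise)."""
    assignments = ", ".join(f"{name} = ?" for name in params)
    sql = f"UPDATE users SET {assignments} WHERE id = ?"
    conn.execute(sql, (*params.values(), user_id))
    conn.commit()

# Assumed allow-list of user-editable columns; the fix compares names against it
# exactly instead of trying to sanitise them.
ALLOWED_COLUMNS = frozenset({"name", "email"})

def update_profile_safe(conn, user_id, params):
    """Hardened form: reject any key that is not a known column, then quote the
    now-trusted identifier so it can only be read as a column name."""
    unknown = [name for name in params if name not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError(f"unknown field(s) in request: {unknown!r}")
    assignments = ", ".join(f'"{name}" = ?' for name in params)
    conn.execute(f"UPDATE users SET {assignments} WHERE id = ?",
                 (*params.values(), user_id))
    conn.commit()

def is_admin(conn, user_id):
    row = conn.execute("SELECT is_admin FROM users WHERE id = ?", (user_id,)).fetchone()
    return bool(row[0])

def demo():
    """Replay one constructed request whose parameter NAME carries the payload
    against both handlers; returns (admin_after_vulnerable, admin_after_safe)."""
    request = {"is_admin = 1, name": "alice"}   # constructed malicious key
    vuln_db, safe_db = make_db(), make_db()
    update_profile_vulnerable(vuln_db, 1, request)
    try:
        update_profile_safe(safe_db, 1, request)
    except ValueError:
        pass                                      # rejected before reaching SQL
    return is_admin(vuln_db, 1), is_admin(safe_db, 1)
```

Detection-wise, a key that is not a bare identifier (contains spaces, commas or quotes) in a request log is the signal to alert on, since a legitimate form never sends one.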