I'll see what can be done tomorrow. Most probably I'll add support for
this.
Bye
On Feb 25, 2014 5:03 PM, "Jonathon Brenner (jobrenne)" <jobre...@cisco.com>
wrote:
> To be fair, I frequently see developers use all kinds of crazy
> non-standard JSON "formats." These behaviors are usually indicative of
> poorly developed code that is ripe for exploitation.
>
> When I need to deal with something like this, I manually reformat the
> request into something that sqlmap can deal with. Then I write a simple
> Burp extension (or if I'm lucky, use a proxy match and replace rule) to
> reformat the request into the form that the application expects and proxy
> sqlmap's traffic through Burp.
>
> --
> Jonathon Brenner
>
> .:|:.:|:.
> Cisco
>
> From: Miroslav Stampar <miroslav.stam...@gmail.com>
> Date: Monday, February 24, 2014 4:52 PM
> To: "louis.nad...@bentley.com" <louis.nad...@bentley.com>
> Cc: SqlMap List <sqlmap-users@lists.sourceforge.net>
> Subject: Re: [sqlmap-users] Trouble with "json" like data
>
> Dear Louis.
>
> From when are JSON string values enclosed with single quotes?
>
> Please go to http://www.json.org/ and study the official JSON
> forms/structures.
>
> Kind regards,
> Miroslav Stampar
>
>
> On Mon, Feb 24, 2014 at 8:29 PM, <louis.nad...@bentley.com> wrote:
>
>> Hi,
>>
>> I saw a couple messages saying sqlmap should support json post data now.
>> However, I'm having trouble with a pretty simple payload. I'm using the
>> following request that I extracted from Burp and censored a bit:
>>
>> POST /SomeUrl/ HTTP/1.1
>> Host: www.SomeUrl.org.uk
>> Proxy-Connection: keep-alive
>> Content-Length: 28
>> Accept: application/json, text/javascript, */*; q=0.01
>> Origin: http://www. SomeUrl.org.uk
>> X-Requested-With: XMLHttpRequest
>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
>> Content-Type: application/json; charset=UTF-8
>> Referer: http://www. SomeUrl.org.uk/
>> Accept-Encoding: gzip,deflate,sdch
>> Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4
>> Cookie: SomeCookies
>> Connection: close
>>
>> {'address':'peanut'}
>>
>> I tried using "sqlmap -r request" or "sqlmap -r request -p address" or
>> with -p "peanut". I also tried adding $$ before and after peanut and trying
>> with --suffix and --prefix to no avail.
>>
>> I also tried a full command line without using the raw request like this
>> (and multiple variants):
>>
>> python sqlmap.py -u "http://www.someurl.co.uk" --data "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$"
>>
>> Whatever I'm doing, I'm ending up with a message like:
>>
>> [14:27:08] [INFO] target URL is stable
>> [14:27:08] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')
>>
>> Or
>>
>> [14:27:47] [INFO] parsing HTTP request from 'requestFromBurp'
>> [14:27:47] [CRITICAL] all testable parameters you provided are not present within the given request data
>>
>> I tried sqlmap/1.0-dev out of Kali Linux and also downloaded the
>> nightlies with Git.
>>
>> Can you help me?
>>
>> Thanks
>>
>> Louis
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
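The first step of the manual reformatting Jonathon Brenner describes, combined with Miroslav Stampar's point that single-quoted strings are not JSON, can be sketched as follows. This is an added example, not part of the thread and not sqlmap code; the function names are hypothetical and the sample request is constructed from the one quoted above.

```python
import ast
import json

# Constructed sample: trimmed version of the request quoted in the thread.
SAMPLE_REQUEST = (
    "POST /SomeUrl/ HTTP/1.1\r\n"
    "Host: www.SomeUrl.org.uk\r\n"
    "Content-Length: 28\r\n"
    "Content-Type: application/json; charset=UTF-8\r\n"
    "\r\n"
    "{'address':'peanut'}"
)

def is_strict_json(body):
    """True if the body parses under the JSON grammar from json.org."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False

def to_strict_json(body):
    """Re-encode a single-quoted, Python-literal-style body as strict JSON."""
    if is_strict_json(body):
        return body
    try:
        # literal_eval accepts literals only; it never calls functions.
        value = ast.literal_eval(body)
        return json.dumps(value, separators=(",", ":"))
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError("body is neither JSON nor a plain literal: %s" % exc)

def normalize_request(raw):
    """Rewrite the body as strict JSON and recompute Content-Length."""
    head, _, body = raw.partition("\r\n\r\n")
    new_body = to_strict_json(body.strip())
    length = len(new_body.encode("utf-8"))
    lines = []
    for line in head.split("\r\n"):
        if line.lower().startswith("content-length:"):
            line = "Content-Length: %d" % length
        lines.append(line)
    return "\r\n".join(lines) + "\r\n\r\n" + new_body

if __name__ == "__main__":
    print(normalize_request(SAMPLE_REQUEST))
```

Bodies that use JavaScript-only tokens such as `true` or `null` together with single quotes are rejected with `ValueError` rather than guessed at.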