It should be implemented now.

Please update to the latest revision.

Kind regards,
Miroslav Stampar


On Tue, Feb 25, 2014 at 5:20 PM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:

> I'll see what can be done tomorrow. Most probably I'll add support for
> this.
>
> Bye
> On Feb 25, 2014 5:03 PM, "Jonathon Brenner (jobrenne)" <jobre...@cisco.com>
> wrote:
>
>>  To be fair, I frequently see developers use all kinds of crazy
>> non-standard JSON "formats." These behaviors are usually indicative of
>> poorly developed code that is ripe for exploitation.
>>
>>  When I need to deal with something like this, I manually reformat the
>> request into something that sqlmap can deal with. Then I write a simple
>> burp extension (or if I'm lucky, use a proxy match and replace rule) to
>> reformat the request into the form that the application expects and proxy
>> sqlmap's traffic through burp.
>>
>>   --
>> Jonathon Brenner
>>
>>  .:|:.:|:.
>>  Cisco
>>
>>   From: Miroslav Stampar <miroslav.stam...@gmail.com>
>> Date: Monday, February 24, 2014 4:52 PM
>> To: "louis.nad...@bentley.com" <louis.nad...@bentley.com>
>> Cc: SqlMap List <sqlmap-users@lists.sourceforge.net>
>> Subject: Re: [sqlmap-users] Trouble with "json" like data
>>
>>   Dear Louis.
>>
>>  Since when are JSON string values enclosed with single quotes?
>>
>>  Please go to http://www.json.org/ and study the official JSON
>> forms/structures.
>>
>>  Kind regards,
>> Miroslav Stampar
>>
>>
>> On Mon, Feb 24, 2014 at 8:29 PM, <louis.nad...@bentley.com> wrote:
>>
>>>  Hi,
>>>
>>>
>>>
>>> I saw a couple messages saying sqlmap should support json post data now.
>>> However, I'm having trouble with a pretty simple payload. I'm using the
>>> following request that I extracted from Burp and censored a bit:
>>>
>>>
>>>
>>> POST /SomeUrl/ HTTP/1.1
>>> Host: www.SomeUrl.org.uk
>>> Proxy-Connection: keep-alive
>>> Content-Length: 28
>>> Accept: application/json, text/javascript, */*; q=0.01
>>> Origin: http://www. SomeUrl.org.uk
>>> X-Requested-With: XMLHttpRequest
>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
>>> Content-Type: application/json; charset=UTF-8
>>> Referer: http://www. SomeUrl.org.uk/
>>> Accept-Encoding: gzip,deflate,sdch
>>> Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4
>>> Cookie: SomeCookies
>>> Connection: close
>>>
>>> {'address':'peanut'}
>>>
>>>
>>>
>>> I tried using "sqlmap -r request" or "sqlmap -r request -p address" or
>>> with -p "peanut". I also tried adding $$ before and after peanut and trying
>>> with --suffix and --prefix to no avail.
>>>
>>>
>>>
>>> I also tried a full command line without using the raw request like this
>>> (and multiple variants):
>>>
>>>
>>>
>>> python sqlmap.py -u "http://www.someurl.co.uk" --data
>>> "{'address':'$peanut$'}" --cookie="somecookies" --prefix="$" --suffix="$"
>>>
>>>
>>>
>>> Whatever I'm doing, I'm ending up with a message like :
>>>
>>>
>>>
>>> [14:27:08] [INFO] target URL is stable
>>>
>>> [14:27:08] [CRITICAL] no parameter(s) found for testing in the provided
>>> data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')
>>>
>>>
>>>
>>> Or
>>>
>>>
>>>
>>> [14:27:47] [INFO] parsing HTTP request from 'requestFromBurp'
>>>
>>> [14:27:47] [CRITICAL] all testable parameters you provided are not
>>> present within the given request data
>>>
>>>
>>>
>>> I tried sqlmap/1.0-dev out of Kali Linux and also downloaded the
>>> nightlies with Git.
>>>
>>>
>>>
>>> Can you help me?
>>>
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Flow-based real-time traffic analytics software. Cisco certified tool.
>>> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
>>> Customize your own dashboards, set traffic alerts and generate reports.
>>> Network behavioral analysis & security monitoring. All-in-one tool.
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>>
>>
>>  --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>


-- 
Miroslav Stampar
http://about.me/stamparm
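
The single-quoted body quoted in this thread is not valid JSON, which is why a strict parser finds no parameters in it. The following is an added example, not code from sqlmap or from anyone in the thread: it converts such a body to strict JSON and back, as the reformatting workaround described above requires. The function names are hypothetical, and it assumes the application's dialect differs from JSON only in using single-quoted strings and the `\'` escape.

```python
import json

def single_to_strict(body):
    """Rewrite single-quoted string literals as double-quoted JSON strings."""
    out, i, n = [], 0, len(body)
    while i < n:
        ch = body[i]
        if ch == '"':  # already a JSON string: copy it through unchanged
            j = i + 1
            while j < n and body[j] != '"':
                j += 2 if body[j] == "\\" else 1
            out.append(body[i:j + 1])
        elif ch == "'":  # single-quoted literal: re-quote and fix escapes
            j, buf = i + 1, []
            while j < n and body[j] != "'":
                if body[j] == "\\" and j + 1 < n:
                    # \' is not a JSON escape; every other escape is kept
                    buf.append("'" if body[j + 1] == "'" else body[j:j + 2])
                    j += 2
                else:
                    buf.append('\\"' if body[j] == '"' else body[j])
                    j += 1
            if j >= n:
                raise ValueError("unterminated single-quoted string")
            out.append('"' + "".join(buf) + '"')
        else:
            j = i
            out.append(ch)
        i = j + 1
    return "".join(out)

def strict_to_single(value):
    """Serialize parsed JSON back with single-quoted strings (assumed dialect)."""
    if isinstance(value, str):
        inner = json.dumps(value)[1:-1].replace('\\"', '"').replace("'", "\\'")
        return "'" + inner + "'"
    if isinstance(value, dict):
        return "{" + ",".join(strict_to_single(k) + ":" + strict_to_single(v)
                              for k, v in value.items()) + "}"
    if isinstance(value, list):
        return "[" + ",".join(strict_to_single(v) for v in value) + "]"
    return json.dumps(value)  # numbers, true/false/null are unchanged

def is_strict_json(body):
    try:
        json.loads(body)
        return True
    except ValueError:
        return False

BODY = "{'address':'peanut'}"  # request body quoted in the thread
```
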