Its working fine now, thanks :)
From: Miroslav Stampar [mailto:miroslav.stam...@gmail.com]
Sent: Wednesday, February 26, 2014 2:57 AM
To: Jonathon Brenner, (jobrenne)
Cc: Louis Nadeau; SqlMap List
Subject: Re: [sqlmap-users] Trouble with "json" like data
It should be implemented now.
Please update to the latest revision.
Kind regards,
Miroslav Stampar
On Tue, Feb 25, 2014 at 5:20 PM, Miroslav Stampar
<miroslav.stam...@gmail.com<mailto:miroslav.stam...@gmail.com>> wrote:
I'll see what can be done tomorrow. Most probably I'll put a support for this.
Bye
On Feb 25, 2014 5:03 PM, "Jonathon Brenner (jobrenne)"
<jobre...@cisco.com<mailto:jobre...@cisco.com>> wrote:
To be fair, I frequently see developers use all kinds of crazy non-standard
JSON "formats." These behaviors are usually indicative of poorly developed code
that is ripe for exploitation.
When I need to deal with something like this, I manually reformat the request
into something that sqlmap can deal with. Then I write a simple burp extension
(or if I'm luckily, use a proxy match and replace rule) to reformat the request
into the form that the application expects and proxy sqlmap's traffic through
burp.
--
Jonathon Brenner
.:|:.:|:.
Cisco
From: Miroslav Stampar
<miroslav.stam...@gmail.com<mailto:miroslav.stam...@gmail.com>>
Date: Monday, February 24, 2014 4:52 PM
To: "louis.nad...@bentley.com<mailto:louis.nad...@bentley.com>"
<louis.nad...@bentley.com<mailto:louis.nad...@bentley.com>>
Cc: SqlMap List
<sqlmap-users@lists.sourceforge.net<mailto:sqlmap-users@lists.sourceforge.net>>
Subject: Re: [sqlmap-users] Trouble with "json" like data
Dear Louis.
>From when are JSON string values enclosed with single quotes?
Please go to the: http://www.json.org/ and study the official JSON
forms/structures.
Kind regards,
Miroslav Stampar
On Mon, Feb 24, 2014 at 8:29 PM,
<louis.nad...@bentley.com<mailto:louis.nad...@bentley.com>> wrote:
Hi,
I saw a couple messages saying sqlmap should support json post data now.
However, I'm having trouble with a pretty simple payload. I'm using the
following request that I extracted from Burp and censored a bit :
POST /SomeUrl/ HTTP/1.1
Host: www.SomeUrl.org.uk<http://org.uk>
Proxy-Connection: keep-alive
Content-Length: 28
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://www. SomeUrl.org.uk<http://org.uk>
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/33.0.1750.117 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://www. SomeUrl.org.uk/<http://org.uk/>
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,fr-CA;q=0.6,fr;q=0.4
Cookie: SomeCookies
Connection: close
{'address':'peanut'}
I tried using "sqlmap -r request" or "sqlmap -r request -p address" or with -p
"peanut". I also tried adding $$ before and after peanut and trying with -sufix
and -prefix to no avail.
I also tried a full command line without using the raw request like this (and
multiple variant) :
python sqlmap.py -u "http://www.someurl.co.uk"; --data "{'address':'$peanut$'}"
--cookie="somecookies" --prefix="$" --suffix="$"
Whatever I'm doing, I'm ending up with a message like :
[14:27:08] [INFO] target URL is stable
[14:27:08] [CRITICAL] no parameter(s) found for testing in the provided data
(e.g. GET parameter 'id' in
'www.site.com/index.php?id=1<http://www.site.com/index.php?id=1>')
Or
[14:27:47] [INFO] parsing HTTP request from 'requestFromBurp'
[14:27:47] [CRITICAL] all testable parameters you provided are not present
within the given request data
I tried sqlmap/1.0-dev out of Kali linux and also downloaded the nightlies with
GIT.
Can you help me ?
Thanks
Louis
------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net<mailto:sqlmap-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
--
Miroslav Stampar
http://about.me/stamparm
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Flow-based real-time traffic analytics software. Cisco certified tool.
Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
Customize your own dashboards, set traffic alerts and generate reports.
Network behavioral analysis & security monitoring. All-in-one tool.
http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
