It was pointed out that I should be URL encoding the *s which removes that
as a problem but it still isn't quite working properly, probably because of
the spaces. Got limited time on this test so going to leave it for now and
will build a lab to look at it properly later.
Robin
On 1 October 2014 09:54, Robin Wood <robin@digi.ninja> wrote:
> I've got the following vulnerable querystring value:
>
> string=the%%22/**/and/**/1=1/**/and/**/%22%%22=%22
>
> Where with 1=1 I get data back, 1=0 is false so no data.
>
> I can't use spaces which is why I've have to go for /**/.
>
> How do I tell sqlmap where the injection point is and to use /**/ instead
> of spaces?
>
> Robin
>
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
