FWIW here is an exploit I wrote a long while back that partly abuses a weak
AMF endpoint (xxe, not sqli...).

http://packetstormsecurity.com/files/126703/HP-Release-Control-9.20.0000-Build-395-XXE.html

However, I distinctly remember having to keep the admin password the same
length as my base AMF request (because I was lazy and didn't feel like
having to update the integer as well). See the change_admin_password
method. I basically base64 encoded the request in order to store the base
request, then decoded it and modified it based on what I wanted to do.

You could make a few requests with different sized usernames to find the
integer that you will need to manipulate during exploitation.

On Thu, May 28, 2015 at 1:59 PM, Brandon Perry <bperry.volat...@gmail.com>
wrote:

> Flex is hard because you have to update the integer that tells flex how
> long a string is, unless I am mistaken.
>
> If not, you could try with the * marker to tell sqlmap exactly where the
> injection point is.
>
> On Thu, May 28, 2015 at 1:21 PM, Christopher Downs <
> chris.do...@chromeriver.com> wrote:
>
>> Good afternoon gents,
>> I am a professional penetration tester and have a rather difficult
>> injection point for one of my customers.
>>
>> I can trigger the exception by pausing traffic with burp and inserting
>> NULLs into the user | pass via a back end flex call. Is there a way to
>> take advantage of sqlmap to inject via flex remoting objects?
>>
>> If not I will have to write this myself but I thought I may ask the list
>> first.
>>
>> Thanks.
>> Sincerely,
>> Christopher M Downs
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
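
An added example, not code from either poster or from sqlmap, of the length integer this thread refers to. It assumes the endpoint uses AMF3 inline strings, where the prefix is a variable-length U29 holding `(byte_length << 1) | 1`; the sample buffer and helper names are constructed for illustration.

```python
def encode_u29(value: int) -> bytes:
    """AMF3 variable-length unsigned 29-bit integer (1 to 4 bytes)."""
    if not 0 <= value <= 0x1FFFFFFF:
        raise ValueError("U29 out of range")
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return bytes([(value >> 7) | 0x80, value & 0x7F])
    if value < 0x200000:
        return bytes([(value >> 14) | 0x80, ((value >> 7) & 0x7F) | 0x80,
                      value & 0x7F])
    return bytes([(value >> 22) | 0x80, ((value >> 15) & 0x7F) | 0x80,
                  ((value >> 8) & 0x7F) | 0x80, value & 0xFF])

def decode_u29(buf: bytes, pos: int):
    """Return (value, next_pos); the fourth byte, if reached, carries 8 bits."""
    value = 0
    for i in range(4):
        b = buf[pos]
        pos += 1
        if i == 3:
            return (value << 8) | b, pos
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos

def encode_amf3_string(text: str) -> bytes:
    data = text.encode("utf-8")
    # 0x06 = AMF3 string marker; low header bit 1 = inline value, not a reference
    return b"\x06" + encode_u29((len(data) << 1) | 1) + data

def replace_amf3_string(buf: bytes, pos: int, new_text: str) -> bytes:
    """Swap the inline string whose 0x06 marker is at pos, re-deriving its header."""
    if buf[pos] != 0x06:
        raise ValueError("no AMF3 string marker at offset")
    header, start = decode_u29(buf, pos + 1)
    if not header & 1:
        raise ValueError("string reference, not an inline value")
    end = start + (header >> 1)
    return buf[:pos] + encode_amf3_string(new_text) + buf[end:]

# Constructed sample: AMF3 dense array (0x09, count header 0x05, empty key 0x01)
# holding two strings. Not captured from any real application.
SAMPLE = b"\x09\x05\x01" + encode_amf3_string("admin") + encode_amf3_string("secret")

if __name__ == "__main__":
    print(replace_amf3_string(SAMPLE, 3, "a" * 100)[:8].hex())
```

A same-length replacement leaves the header bytes untouched, while a 100-byte value widens the header from one byte to two, which shifts every later offset in the message.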