Hi Vojtěch. Can you please update and try it now?
Bye

On Mon, Jun 15, 2015 at 11:59 AM, Vojtěch Polášek <krec...@gmail.com> wrote:
> Hi,
> I am testing an application, which works in this way:
> You send a request as a POST request and application returns 302 Found.
> Web browser uses location field to send a GET request for updated site.
> When I test this with Sqlmap, it asks me whether I want to follow 302
> redirect (I answer yes) and whether I want to resubmit the request to the
> new page (I answer NO).
> However, when I look at the generated traffic file, I can see something
> like this:
> HTTP request [#1]:
> POST /target_url HTTP/1.1
> Accept-language: en-US,en;q=0.5
> Accept-encoding: gzip, deflate
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0)
> Gecko/20100101 Firefox/37.0
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: 192.168.56.102:8443
> Cookie: JSESSIONID=538470CD02AD9190BCC92DC434C6C9BD
> Pragma: no-cache
> Cache-control: no-cache,no-store
> Referer: https://192.168.56.102:8443/target_url
> Content-type: application/x-www-form-urlencoded
> Content-length: 17
> Connection: close
>
> newState=DISABLED
>
> HTTP redirect [#1] (302 Found):
> Content-length: 0
> Content-language: en-US
> Server: Apache-Coyote/1.1
> Connection: close
> Location: https://192.168.56.102:8443/target_url
> Date: Fri, 12 Jun 2015 15:16:16 GMT
>
>
> ############################################################################
>
> HTTP request [#1]:
> POST \/target_url HTTP/1.1
> Accept-language: en-US,en;q=0.5
> Accept-encoding: gzip, deflate
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0)
> Gecko/20100101 Firefox/37.0
> Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Host: 192.168.56.102:8443
> Cookie: JSESSIONID=538470CD02AD9190BCC92DC434C6C9BD
> Pragma: no-cache
> Cache-control: no-cache,no-store
> Referer: https://192.168.56.102:8443/target_url
> Content-type: application/x-www-form-urlencoded
> Content-length: 17
> Connection: close
>
> newState=DISABLED
>
> HTTP response [#1] (200 OK):
> Content-language: en-US
> Transfer-encoding: chunked
> Uri: https://192.168.56.102:8443/redirected_url
> Server: Apache-Coyote/1.1
> Connection: close
> Date: Fri, 12 Jun 2015 15:16:29 GMT
> Content-type: text/html;charset=UTF-8
>
> <!DOCTYPE html>
> <html>
> <head>
> etc.
>
> I have redacted it a bit but the "target_url" is the same for all requests
> and responses.
> So I can see that Sqlmap still POSTs the query to the site pointed by
> location header instead of just GETting it, although I explicitly denied
> that.
> Could you please look into this?
> Thanks,
> Vojta
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

-- 
Miroslav Stampar
http://about.me/stamparm
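The check the report performs by eye on the traffic file, as an added example that is not part of the original thread or of sqlmap's code: it parses a log in the layout quoted above and reports every request that went out with a non-GET method directly after a 30x redirect. The function names and the trimmed sample are constructed for illustration, and the block layout is assumed from the quoted excerpt alone.

```python
import re

# Constructed sample, trimmed from the traffic excerpt quoted in the thread.
SAMPLE_TRAFFIC = """\
HTTP request [#1]:
POST /target_url HTTP/1.1
Content-length: 17

newState=DISABLED

HTTP redirect [#1] (302 Found):
Location: https://192.168.56.102:8443/target_url
############################################################################
HTTP request [#1]:
POST /target_url HTTP/1.1
Content-length: 17

newState=DISABLED
HTTP response [#1] (200 OK):
Uri: https://192.168.56.102:8443/redirected_url
"""

# Block marker as it appears in the excerpt; the status code is optional.
MARKER = re.compile(r"^HTTP (request|redirect|response) \[#\d+\](?: \((\d{3})[^)]*\))?:\s*$")

def parse_blocks(text):
    """Split a traffic log into blocks, one per 'HTTP <kind> [#n]:' marker."""
    blocks = []
    for line in text.splitlines():
        m = MARKER.match(line)
        if m:
            blocks.append({"kind": m.group(1), "status": m.group(2), "lines": []})
        elif blocks and not line.startswith("####"):  # skip separator rows
            blocks[-1]["lines"].append(line)
    return blocks

def resubmitted_after_redirect(text):
    """Return (status, location, method) for each non-GET request sent right after a redirect."""
    findings, pending = [], None
    for b in parse_blocks(text):
        if b["kind"] == "redirect":
            loc = next((l.split(":", 1)[1].strip() for l in b["lines"]
                        if l.lower().startswith("location:")), None)
            pending = (b["status"], loc)
        elif b["kind"] == "request" and pending:
            method = b["lines"][0].split(" ", 1)[0] if b["lines"] else ""
            if method != "GET":  # body was re-sent instead of a plain GET
                findings.append((pending[0], pending[1], method))
            pending = None
    return findings
```

An empty result means every request that followed a redirect in the log was a plain GET, which is the behaviour expected after declining the resubmit prompt.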