Yes, I can, but it will have to be when I get home this evening.

FWIW, I am interacting with the sqlmap API, so not passing it a request
file. I am building the SOAP XML programmatically, then setting it as the
'data' in the options (along with headers to specify text/xml and
SOAPAction), with skipUrlEncode.

On Mon, Oct 19, 2015 at 9:02 AM, Miroslav Stampar <
miroslav.stam...@gmail.com> wrote:

> Hi.
>
> But sqlmap should automatically skip the url encoding of such request
> bodies if the content-type has been set to the proper value from the start
> (or if there was no content-type from the beginning).
>
> Can you please send a sample request file and/or the sqlmap options used?
>
> Bye
>
> On Mon, Oct 19, 2015 at 4:00 PM, Brandon Perry <bperry.volat...@gmail.com>
> wrote:
>
>> The actual request is a SOAP payload, which requires a content type of
>> XML, and no URL encoding (which, if performed, returns a 50x).
>>
>> On Mon, Oct 19, 2015 at 6:37 AM, Miroslav Stampar <
>> miroslav.stam...@gmail.com> wrote:
>>
>>> Hi Brandon.
>>>
>>> Sorry for the late reply. It goes like this.
>>>
>>> Your header value for content-type should be propagated/used, even in
>>> this case, in all cases OTHER THAN one.
>>>
>>> If you use --skip-urlencode and you (or your request file) state that
>>> the content-type should be "urlencoded", sqlmap forces a switch to either
>>> the "recognized" (e.g. json, xml,...) or the "plain". So, that line that
>>> you've pinpointed will be triggered only in the described situation.
>>>
>>> Can you please describe what you are trying to accomplish? I believe
>>> that you are trying to leave some parts (non-payload) url encoded, while
>>> you want the payload to not be url encoded.
>>>
>>> Bye
>>>
>>> On Sun, Oct 18, 2015 at 11:35 AM, Miroslav Stampar <
>>> miroslav.stam...@gmail.com> wrote:
>>>
>>>> Will patch it later today.
>>>>
>>>> Bye
>>>> On Oct 17, 2015 04:32, "Brandon Perry" <bperry.volat...@gmail.com>
>>>> wrote:
>>>>
>>>>> I tracked it down to ./lib/request/connect.py, line 726.
>>>>>
>>>>> contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, PLAIN_TEXT_CONTENT_TYPE)
>>>>>
>>>>> I am specifying a content type explicitly with --headers, so commenting
>>>>> this line out allowed sqlmap to detect the injections (the server returns
>>>>> 50x if the content type isn't right).
>>>>>
>>>>> Not sure what the correct solution is to this, as I understand the
>>>>> intent. Would this be more useful as a github issue?
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> _______________________________________________
>>>>> sqlmap-users mailing list
>>>>> sqlmap-users@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>
>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>>
>>
>>
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>>
>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
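
Added example, not part of the original thread and not sqlmap's own code: a simplified Python model of the rule quoted above, where the user's Content-Type is kept unless URL encoding is skipped while the declared type still says "urlencoded". The function names, the hint table, the body heuristic and the default for a missing header are assumptions made for illustration.

```python
import json

PLAIN_TEXT = "text/plain; charset=utf-8"   # assumed fallback value
HINT_CONTENT_TYPES = {                      # constructed mapping, not sqlmap's table
    "SOAP": "application/soap+xml",
    "XML": "application/xml",
    "JSON": "application/json",
}

# Constructed sample body
SOAP_BODY = ('<?xml version="1.0"?><soap:Envelope '
             'xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soap:Body><getItem><id>1</id></getItem></soap:Body>'
             '</soap:Envelope>')


def guess_post_hint(body):
    """Rough body classification (hypothetical heuristic)."""
    text = body.strip()
    if text.startswith("<"):
        return "SOAP" if "Envelope" in text[:512] else "XML"
    try:
        json.loads(text)
        return "JSON"
    except ValueError:
        return None


def effective_content_type(headers, body, skip_urlencode):
    """Content-Type that goes on the wire under the rule described in the thread."""
    declared = None
    for name, value in headers.items():
        if name.lower() == "content-type":   # header names are case-insensitive
            declared = value
    if declared is None:
        # Assumption: a POST with no explicit type is treated as form data.
        declared = "application/x-www-form-urlencoded"
    if skip_urlencode and "urlencoded" in declared.lower():
        # Contradictory input: the body is not encoded but the header claims it is,
        # so switch to the recognized type for the body, or to plain text.
        return HINT_CONTENT_TYPES.get(guess_post_hint(body), PLAIN_TEXT)
    return declared                          # every other case: keep the user's value


if __name__ == "__main__":
    soap_headers = {"Content-Type": "text/xml", "SOAPAction": '"urn:getItem"'}
    print(effective_content_type(soap_headers, SOAP_BODY, True))
```

Under this model an explicit text/xml header survives with URL encoding skipped, so an overridden header on the wire suggests the declared type was still "urlencoded" when the request was built.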