I really can't enforce this behavior. Waiting for your sample. Bye
On Mon, Oct 19, 2015 at 4:04 PM, Brandon Perry <bperry.volat...@gmail.com> wrote: > Yes, I can, but it will have to be when I get home this evening. > > FWIW, I am interacting with the sqlmap API, so not passing it a request > file. I am building the SOAP XML programmatically, then setting it as the > 'data' in the options (along with headers to specify text/xml and > SOAPAction), with skipUrlEncode. > > On Mon, Oct 19, 2015 at 9:02 AM, Miroslav Stampar < > miroslav.stam...@gmail.com> wrote: > >> Hi. >> >> But sqlmap should automatically skip the url encoding of such request >> bodies if the content-type has been set to the proper value from start (or >> if there was no content-type from the beginning). >> >> Can you please send a sample request file and/or used sqlmap options. >> >> Bye >> >> On Mon, Oct 19, 2015 at 4:00 PM, Brandon Perry <bperry.volat...@gmail.com >> > wrote: >> >>> The actual request is a SOAP payload, which requires a content type of >>> XML, and no URL encoding (which, if performed, returns a 50x). >>> >>> On Mon, Oct 19, 2015 at 6:37 AM, Miroslav Stampar < >>> miroslav.stam...@gmail.com> wrote: >>> >>>> Hi Brandon. >>>> >>>> Sorry for late reply. It goes like this. >>>> >>>> Your header value for content-type should be propagated/used, even in >>>> this case, in all cases THAN one. >>>> >>>> If you use --skip-urlencode and you (or your request file) state that >>>> the content-type should be "urlencoded" sqlmap forces switch to either the >>>> "recognized" (e.g. json, xml,...) or the "plain". So, that line that you've >>>> pinpointed will be triggered only in described situation. >>>> >>>> Can you please describe what are you trying to accomplish? I believe >>>> that you are trying to leave some parts (non-payload) url encoded, while >>>> you want payload to not be url encoded. >>>> >>>> Bye >>>> >>>> On Sun, Oct 18, 2015 at 11:35 AM, Miroslav Stampar < >>>> miroslav.stam...@gmail.com> wrote: >>>> >>>>> Will patch it later today. >>>>> >>>>> Bye >>>>> On Oct 17, 2015 04:32, "Brandon Perry" <bperry.volat...@gmail.com> >>>>> wrote: >>>>> >>>>>> I tracked it down to ./lib/request/connect.py, line 726. >>>>>> >>>>>> contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, >>>>>> PLAIN_TEXT_CONTENT_TYPE) >>>>>> >>>>>> I am specifying a content type explicitly with —headers, so >>>>>> commenting this line out allowed sqlmap to detect the injections (the >>>>>> server returns 50x if the content type isn't right). >>>>>> >>>>>> Not sure what the correct solution is to this, as I understand the >>>>>> intent. Would this be more useful as a github issue? >>>>>> >>>>>> ------------------------------------------------------------------------------ >>>>>> _______________________________________________ >>>>>> sqlmap-users mailing list >>>>>> sqlmap-users@lists.sourceforge.net >>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users >>>>>> >>>>> >>>> >>>> >>>> -- >>>> Miroslav Stampar >>>> http://about.me/stamparm >>>> >>> >>> >>> >>> -- >>> http://volatile-minds.blogspot.com -- blog >>> http://www.volatileminds.net -- website >>> >> >> >> >> -- >> Miroslav Stampar >> http://about.me/stamparm >> > > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -- Miroslav Stampar http://about.me/stamparm
------------------------------------------------------------------------------
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
