Either through request file or headers. Otherwise, sqlmap automatically sets it based on recognized type (e.g. application/json for JSON).

Bye

On Oct 19, 2015 7:05 PM, "Brandon Perry" <bperry.volat...@gmail.com> wrote:

> Just curious, how do you expect a user to set a specific content type? Is
> there an argument I am missing, or is --headers the expected way?
>
> On Mon, Oct 19, 2015 at 9:41 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>
>> I really can't enforce this behavior. Waiting for your sample.
>>
>> Bye
>>
>> On Mon, Oct 19, 2015 at 4:04 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>>
>>> Yes, I can, but it will have to be when I get home this evening.
>>>
>>> FWIW, I am interacting with the sqlmap API, so not passing it a request
>>> file. I am building the SOAP XML programmatically, then setting it as the
>>> 'data' in the options (along with headers to specify text/xml and
>>> SOAPAction), with skipUrlEncode.
>>>
>>> On Mon, Oct 19, 2015 at 9:02 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>
>>>> Hi.
>>>>
>>>> But sqlmap should automatically skip the url encoding of such request
>>>> bodies if the content-type has been set to the proper value from start (or
>>>> if there was no content-type from the beginning).
>>>>
>>>> Can you please send a sample request file and/or used sqlmap options.
>>>>
>>>> Bye
>>>>
>>>> On Mon, Oct 19, 2015 at 4:00 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:
>>>>
>>>>> The actual request is a SOAP payload, which requires a content type of
>>>>> XML, and no URL encoding (which, if performed, returns a 50x).
>>>>>
>>>>> On Mon, Oct 19, 2015 at 6:37 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>>
>>>>>> Hi Brandon.
>>>>>>
>>>>>> Sorry for late reply. It goes like this.
>>>>>>
>>>>>> Your header value for content-type should be propagated/used, even in
>>>>>> this case, in all cases other THAN one.
>>>>>>
>>>>>> If you use --skip-urlencode and you (or your request file) state that
>>>>>> the content-type should be "urlencoded", sqlmap forces switch to either
>>>>>> the "recognized" (e.g. json, xml,...) or the "plain". So, that line that
>>>>>> you've pinpointed will be triggered only in the described situation.
>>>>>>
>>>>>> Can you please describe what you are trying to accomplish? I believe
>>>>>> that you are trying to leave some parts (non-payload) url encoded, while
>>>>>> you want payload to not be url encoded.
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Sun, Oct 18, 2015 at 11:35 AM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>>>
>>>>>>> Will patch it later today.
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Oct 17, 2015 04:32, "Brandon Perry" <bperry.volat...@gmail.com> wrote:
>>>>>>>
>>>>>>>> I tracked it down to ./lib/request/connect.py, line 726.
>>>>>>>>
>>>>>>>> contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, PLAIN_TEXT_CONTENT_TYPE)
>>>>>>>>
>>>>>>>> I am specifying a content type explicitly with --headers, so
>>>>>>>> commenting this line out allowed sqlmap to detect the injections (the
>>>>>>>> server returns 50x if the content type isn't right).
>>>>>>>>
>>>>>>>> Not sure what the correct solution is to this, as I understand the
>>>>>>>> intent. Would this be more useful as a github issue?
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> _______________________________________________
>>>>>>>> sqlmap-users mailing list
>>>>>>>> sqlmap-users@lists.sourceforge.net
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>>>>>
>>>>> --
>>>>> http://volatile-minds.blogspot.com -- blog
>>>>> http://www.volatileminds.net -- website
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>
>>> --
>>> http://volatile-minds.blogspot.com -- blog
>>> http://www.volatileminds.net -- website
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
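
The Content-Type rule described in the thread, written out as a small model. This is an added example, not sqlmap's code or part of the original messages: the function names, the body sniffing, the form default for unrecognized bodies and every MIME value except `application/json` for JSON are assumptions.

```python
import json
import xml.etree.ElementTree as ET

URLENCODED = "application/x-www-form-urlencoded"
PLAIN_TEXT = "text/plain"  # assumed stand-in for PLAIN_TEXT_CONTENT_TYPE
# Assumed stand-in for POST_HINT_CONTENT_TYPES; only the JSON entry is
# confirmed by the thread.
HINT_CONTENT_TYPES = {"json": "application/json", "xml": "application/xml"}


def detect_hint(body):
    """Return "json", "xml" or None for a raw request body (hypothetical sniffing)."""
    text = body.lstrip()
    try:
        if text.startswith(("{", "[")):
            json.loads(text)
            return "json"
        if text.startswith("<"):
            ET.fromstring(text)
            return "xml"
    except (ValueError, ET.ParseError):
        pass  # looked structured but did not parse: treat as unrecognized
    return None


def resolve_content_type(headers, body, skip_urlencode):
    """Content-Type that would be sent under the rule described in the thread."""
    user_ct = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    hint = detect_hint(body)
    if user_ct is None:
        # Nothing supplied: derive it from the recognized type. The form
        # default for an unrecognized body is an assumption of this model.
        return HINT_CONTENT_TYPES.get(hint, URLENCODED)
    if skip_urlencode and URLENCODED in user_ct.lower():
        # The one exception: the header says "urlencoded" while encoding is
        # skipped, so switch to the recognized type or to plain text.
        return HINT_CONTENT_TYPES.get(hint, PLAIN_TEXT)
    return user_ct  # every other case: the user's header is propagated


# Constructed sample: a SOAP body sent with an explicit text/xml header.
SOAP_BODY = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><GetItem><id>1</id></GetItem></soap:Body></soap:Envelope>"
)
SOAP_HEADERS = {"Content-Type": "text/xml", "SOAPAction": '"urn:example:GetItem"'}

if __name__ == "__main__":
    print(resolve_content_type(SOAP_HEADERS, SOAP_BODY, True))
```

Under this model the explicit `text/xml` header survives with URL encoding skipped, and only a header that itself says "urlencoded" is replaced.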