I am magically unable to reproduce this at the moment. If I end up seeing the behavior again, I will get more information to reproduce with.
However, I did realize that I no longer actually need —skip-urlencode. At some point between when I last touched this code and now, POST request bodies are no longer URL encoded. In any case, sorry for the noise. > On Oct 19, 2015, at 12:08 PM, Miroslav Stampar <miroslav.stam...@gmail.com> > wrote: > > Either through request file or headers. Otherwise, sqlmap automatically sets > it based on recognized type (e.g. application/json for JSON) > > Bye > > On Oct 19, 2015 7:05 PM, "Brandon Perry" <bperry.volat...@gmail.com > <mailto:bperry.volat...@gmail.com>> wrote: > Just curious, how do you expect a user to set a specific content type? Is > there are argument I am missing, or is --headers the expected way? > > On Mon, Oct 19, 2015 at 9:41 AM, Miroslav Stampar <miroslav.stam...@gmail.com > <mailto:miroslav.stam...@gmail.com>> wrote: > I really can't enforce this behavior. Waiting for your sample. > > Bye > > On Mon, Oct 19, 2015 at 4:04 PM, Brandon Perry <bperry.volat...@gmail.com > <mailto:bperry.volat...@gmail.com>> wrote: > Yes, I can, but it will have to be when I get home this evening. > > FWIW, I am interacting with the sqlmap API, so not passing it a request file. > I am building the SOAP XML programmatically, then setting it as the 'data' in > the options (along with headers to specify text/xml and SOAPAction), with > skipUrlEncode. > > On Mon, Oct 19, 2015 at 9:02 AM, Miroslav Stampar <miroslav.stam...@gmail.com > <mailto:miroslav.stam...@gmail.com>> wrote: > Hi. > > But sqlmap should automatically skip the url encoding of such request bodies > if the content-type has been set to the proper value from start (or if there > was no content-type from the beginning). > > Can you please send a sample request file and/or used sqlmap options. > > Bye > > On Mon, Oct 19, 2015 at 4:00 PM, Brandon Perry <bperry.volat...@gmail.com > <mailto:bperry.volat...@gmail.com>> wrote: > The actual request is a SOAP payload, which requires a content type of XML, > and no URL encoding (which, if performed, returns a 50x). > > On Mon, Oct 19, 2015 at 6:37 AM, Miroslav Stampar <miroslav.stam...@gmail.com > <mailto:miroslav.stam...@gmail.com>> wrote: > Hi Brandon. > > Sorry for late reply. It goes like this. > > Your header value for content-type should be propagated/used, even in this > case, in all cases THAN one. > > If you use --skip-urlencode and you (or your request file) state that the > content-type should be "urlencoded" sqlmap forces switch to either the > "recognized" (e.g. json, xml,...) or the "plain". So, that line that you've > pinpointed will be triggered only in described situation. > > Can you please describe what are you trying to accomplish? I believe that you > are trying to leave some parts (non-payload) url encoded, while you want > payload to not be url encoded. > > Bye > > On Sun, Oct 18, 2015 at 11:35 AM, Miroslav Stampar > <miroslav.stam...@gmail.com <mailto:miroslav.stam...@gmail.com>> wrote: > Will patch it later today. > > Bye > > On Oct 17, 2015 04:32, "Brandon Perry" <bperry.volat...@gmail.com > <mailto:bperry.volat...@gmail.com>> wrote: > I tracked it down to ./lib/request/connect.py, line 726. > > contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, > PLAIN_TEXT_CONTENT_TYPE) > > I am specifying a content type explicitly with —headers, so commenting this > line out allowed sqlmap to detect the injections (the server returns 50x if > the content type isn't right). > > Not sure what the correct solution is to this, as I understand the intent. > Would this be more useful as a github issue? > ------------------------------------------------------------------------------ > _______________________________________________ > sqlmap-users mailing list > sqlmap-users@lists.sourceforge.net <mailto:sqlmap-users@lists.sourceforge.net> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > <https://lists.sourceforge.net/lists/listinfo/sqlmap-users> > > > > -- > Miroslav Stampar > http://about.me/stamparm <http://about.me/stamparm> > > > -- > http://volatile-minds.blogspot.com <http://volatile-minds.blogspot.com/> -- > blog > http://www.volatileminds.net <http://www.volatileminds.net/> -- website > > > > -- > Miroslav Stampar > http://about.me/stamparm <http://about.me/stamparm> > > > -- > http://volatile-minds.blogspot.com <http://volatile-minds.blogspot.com/> -- > blog > http://www.volatileminds.net <http://www.volatileminds.net/> -- website > > > > -- > Miroslav Stampar > http://about.me/stamparm <http://about.me/stamparm> > > > -- > http://volatile-minds.blogspot.com <http://volatile-minds.blogspot.com/> -- > blog > http://www.volatileminds.net <http://www.volatileminds.net/> -- website
------------------------------------------------------------------------------
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
