I am magically unable to reproduce this at the moment.

If I end up seeing the behavior again, I will get more information to reproduce 
with.

However, I did realize that I no longer actually need —skip-urlencode. At some 
point between when I last touched this code and now, POST request bodies are no 
longer URL encoded.

In any case, sorry for the noise.


> On Oct 19, 2015, at 12:08 PM, Miroslav Stampar <miroslav.stam...@gmail.com> 
> wrote:
> 
> Either through request file or headers. Otherwise, sqlmap automatically sets 
> it based on recognized type (e.g. application/json for JSON)
> 
> Bye
> 
> On Oct 19, 2015 7:05 PM, "Brandon Perry" <bperry.volat...@gmail.com 
> <mailto:bperry.volat...@gmail.com>> wrote:
> Just curious, how do you expect a user to set a specific content type? Is 
> there are argument I am missing, or is --headers the expected way?
> 
> On Mon, Oct 19, 2015 at 9:41 AM, Miroslav Stampar <miroslav.stam...@gmail.com 
> <mailto:miroslav.stam...@gmail.com>> wrote:
> I really can't enforce this behavior. Waiting for your sample.
> 
> Bye
> 
> On Mon, Oct 19, 2015 at 4:04 PM, Brandon Perry <bperry.volat...@gmail.com 
> <mailto:bperry.volat...@gmail.com>> wrote:
> Yes, I can, but it will have to be when I get home this evening.
> 
> FWIW, I am interacting with the sqlmap API, so not passing it a request file. 
> I am building the SOAP XML programmatically, then setting it as the 'data' in 
> the options (along with headers to specify text/xml and SOAPAction), with 
> skipUrlEncode.
> 
> On Mon, Oct 19, 2015 at 9:02 AM, Miroslav Stampar <miroslav.stam...@gmail.com 
> <mailto:miroslav.stam...@gmail.com>> wrote:
> Hi.
> 
> But sqlmap should automatically skip the url encoding of such request bodies 
> if the content-type has been set to the proper value from start (or if there 
> was no content-type from the beginning).
> 
> Can you please send a sample request file and/or used sqlmap options.
> 
> Bye
> 
> On Mon, Oct 19, 2015 at 4:00 PM, Brandon Perry <bperry.volat...@gmail.com 
> <mailto:bperry.volat...@gmail.com>> wrote:
> The actual request is a SOAP payload, which requires a content type of XML, 
> and no URL encoding (which, if performed, returns a 50x).
> 
> On Mon, Oct 19, 2015 at 6:37 AM, Miroslav Stampar <miroslav.stam...@gmail.com 
> <mailto:miroslav.stam...@gmail.com>> wrote:
> Hi Brandon.
> 
> Sorry for late reply. It goes like this.
> 
> Your header value for content-type should be propagated/used, even in this 
> case, in all cases THAN one.
> 
> If you use --skip-urlencode and you (or your request file) state that the 
> content-type should be "urlencoded" sqlmap forces switch to either the 
> "recognized" (e.g. json, xml,...) or the "plain". So, that line that you've 
> pinpointed will be triggered only in described situation.
> 
> Can you please describe what are you trying to accomplish? I believe that you 
> are trying to leave some parts (non-payload) url encoded, while you want 
> payload to not be url encoded.
> 
> Bye
> 
> On Sun, Oct 18, 2015 at 11:35 AM, Miroslav Stampar 
> <miroslav.stam...@gmail.com <mailto:miroslav.stam...@gmail.com>> wrote:
> Will patch it later today.
> 
> Bye
> 
> On Oct 17, 2015 04:32, "Brandon Perry" <bperry.volat...@gmail.com 
> <mailto:bperry.volat...@gmail.com>> wrote:
> I tracked it down to ./lib/request/connect.py, line 726.
> 
> contentType = POST_HINT_CONTENT_TYPES.get(kb.postHint, 
> PLAIN_TEXT_CONTENT_TYPE)
> 
> I am specifying a content type explicitly with —headers, so commenting this 
> line out allowed sqlmap to detect the injections (the server returns 50x if 
> the content type isn't right).
> 
> Not sure what the correct solution is to this, as I understand the intent. 
> Would this be more useful as a github issue?
> ------------------------------------------------------------------------------
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net <mailto:sqlmap-users@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users 
> <https://lists.sourceforge.net/lists/listinfo/sqlmap-users>
> 
> 
> 
> -- 
> Miroslav Stampar
> http://about.me/stamparm <http://about.me/stamparm>
> 
> 
> -- 
> http://volatile-minds.blogspot.com <http://volatile-minds.blogspot.com/> -- 
> blog
> http://www.volatileminds.net <http://www.volatileminds.net/> -- website
> 
> 
> 
> -- 
> Miroslav Stampar
> http://about.me/stamparm <http://about.me/stamparm>
> 
> 
> -- 
> http://volatile-minds.blogspot.com <http://volatile-minds.blogspot.com/> -- 
> blog
> http://www.volatileminds.net <http://www.volatileminds.net/> -- website
> 
> 
> 
> -- 
> Miroslav Stampar
> http://about.me/stamparm <http://about.me/stamparm>
> 
> 
> -- 
> http://volatile-minds.blogspot.com <http://volatile-minds.blogspot.com/> -- 
> blog
> http://www.volatileminds.net <http://www.volatileminds.net/> -- website

------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to