You can take a look into xml/payloads/*.xml and xml/boundaries.xml for testing phase payloads.
You can take a look into lib/controller/checks.py for testing phase generation of payloads.
You can take a look into xml/boundaries.xml and xml/queries.xml for exploitation phase payloads.
You can take a look into plugins/*.py and lib/core/agent.py for exploitation phase payloads.
Bye
P.S. Each DBMS has its own payloads. Practically, two identical MySQL platforms
(with the same vulnerability) should generate pretty similar payloads. But if
one MySQL platform is vulnerable to boolean SQLi and the other to UNION
SQLi, you can't expect the same payloads.
On Wed, Jan 20, 2016 at 2:33 PM, Mithun Vaidhyanathan <
mithun.vaidhyanat...@owasp.org> wrote:
> Hi Miroslav,
>
> The situation is that I can't rerun or hit the system again for a couple
> of days due to a business issue. In the meanwhile, I need to extract all
> payloads injected from the scan that I already ran today. If I cannot see
> payloads from the exploit phase, can you please point me to the logic in
> the code where these payloads are generated? I saw a few xml files under
> the payloads folder, and along with these xml files and the code, I can try
> to reverse engineer and probably regenerate those payloads again. I am
> assuming that the same payloads are generated in every scan for a given
> database type (say Oracle)?
>
> Thanks,
> Mithun
> On Jan 20, 2016 6:19 PM, "Miroslav Stampar" <miroslav.stam...@gmail.com>
> wrote:
>
>> You can see all testing payloads by rerunning with -v 3.
>>
>> You can't see payloads that sqlmap generated during the exploitation
>> phase. Results of those payloads are stored inside the appropriate
>> session.sqlite, but with hashed queries/payloads. Without doing this,
>> session files would explode in case of huge table dumps.
>>
>> Bye
>>
>> On Wed, Jan 20, 2016 at 1:04 PM, Mithun Vaidhyanathan <
>> mithun.vaidhyanat...@owasp.org> wrote:
>>
>>> Hello Everyone,
>>>
>>> I need to retrieve all payloads inserted by SQLMap into vulnerable
>>> parameters. Is it possible?
>>>
>>> Right now, in my output directory, I can see a log file with only one
>>> payload example. Does the tool store all payloads that it injects? How can
>>> I pull out this information?
>>>
>>> Thanks,
>>> Mithun
>>>
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>>
>
--
Miroslav Stampar
http://about.me/stamparm
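
Added example, not part of the thread and not sqlmap's own code: one way to build an inventory of testing-phase payloads from console output saved during a -v 3 run, grouped by the test that produced them. It assumes payload lines look like "[hh:mm:ss] [PAYLOAD] <payload>" and test names appear in "[INFO] testing '...'" lines; the sample log and the function name are constructed for illustration.

```python
import re

# Constructed sample of saved console output from a run with -v 3.
# Assumed format: "[hh:mm:ss] [LEVEL] message"; one line carries ANSI colour codes.
SAMPLE_LOG = """\
[14:02:10] [INFO] testing connection to the target URL
[14:02:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:02:11] [PAYLOAD] 1) AND 5631=5631 AND (8842=8842
\x1b[36m[14:02:12] [PAYLOAD] 1 AND 5631=5631\x1b[0m
[14:02:12] [PAYLOAD] 1 AND 5631=7290
[14:02:13] [DEBUG] got HTTP error code: 500
[14:02:13] [PAYLOAD] 1 AND 5631=5631
[14:02:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:02:14] [PAYLOAD] 1 ORDER BY 1-- PzQk
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")
PAYLOAD = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] \[PAYLOAD\] (.*)$")
TEST = re.compile(r"^\[\d{2}:\d{2}:\d{2}\] \[INFO\] testing '(.*)'$")

def extract_payloads(text):
    """Return one record per distinct (test, payload), in first-seen order."""
    current_test = None
    found = {}
    for raw in text.splitlines():
        line = ANSI.sub("", raw).rstrip()      # drop colour codes before matching
        t = TEST.match(line)
        if t:
            current_test = t.group(1)          # later payloads belong to this test
            continue
        p = PAYLOAD.match(line)
        if not p:
            continue                           # INFO/DEBUG/other lines are ignored
        key = (current_test, p.group(2))
        rec = found.setdefault(key, {"test": current_test, "payload": p.group(2),
                                     "first_seen": p.group(1), "count": 0})
        rec["count"] += 1
    return list(found.values())

if __name__ == "__main__":
    for r in extract_payloads(SAMPLE_LOG):
        print(f'{r["first_seen"]} x{r["count"]} [{r["test"]}] {r["payload"]}')
```

As stated in the thread, this covers only testing-phase payloads shown at -v 3; exploitation-phase payloads are not recoverable this way.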