On 1 October 2014 12:37, Miroslav Stampar wrote:
> -u "www.target.com/vuln?string=the" --tamper=space2comment
>
> bye
>
> p.s. please don't use any SQLi inside provided parameter values
>
That fixed it, it's been a while since I got SQLi on a job so was not
thinking properly.
Robin
> On Wed, O
-u "www.target.com/vuln?string=the" --tamper=space2comment
bye
p.s. please don't use any SQLi inside provided parameter values
On Wed, Oct 1, 2014 at 11:17 AM, Robin Wood wrote:
> It was pointed out that I should be URL encoding the *s which removes that
> as a problem but it still isn't quite
I've got the following vulnerable querystring value:
string=the%%22/**/and/**/1=1/**/and/**/%22%%22=%22
Where with 1=1 I get data back, 1=0 is false so no data.
I can't use spaces which is why I've had to go for /**/.
How do I tell sqlmap where the injection point is and to use /**/ instead
of
It was pointed out that I should be URL encoding the *s which removes that
as a problem but it still isn't quite working properly, probably because of
the spaces. Got limited time on this test so going to leave it for now and
will build a lab to look at it properly later.
Robin
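
Added example, not part of the thread or of sqlmap: the querystring above gets past a filter that rejects spaces by using /**/ as the separator, so a detection rule has to strip inline comments before it looks for a boolean condition. The function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A /* ... */ comment wedged directly between two tokens, i.e. standing in for a space.
COMMENT_AS_SPACE = re.compile(r"(?<=[\w\"'%)])/\*.*?\*/(?=[\w\"'(%])", re.S)
# A boolean operator followed by a comparison, e.g.  and 1=1  /  or "a"="a"
BOOLEAN_TEST = re.compile(r"\b(?:and|or)\s+\S+?\s*=\s*\S+", re.I)


def inspect_value(value: str) -> list[str]:
    """Return the signals found in one URL-decoded parameter value."""
    signals = []
    if COMMENT_AS_SPACE.search(value):
        signals.append("comment-as-whitespace")
    # Normalise first: a rule that only looks for literal spaces misses the payload.
    normalised = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    normalised = re.sub(r"\s+", " ", normalised)
    if BOOLEAN_TEST.search(normalised):
        signals.append("boolean-condition")
    return signals


def inspect_request(target: str) -> dict[str, list[str]]:
    """Map each query parameter of a request target to its signals."""
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        found = inspect_value(value)
        if found:
            hits[name] = found
    return hits


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    "/vuln?string=the",
    "/vuln?string=rock+and+roll",
    "/vuln?string=the%%22/**/and/**/1=1/**/and/**/%22%%22=%22",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(target, "->", inspect_request(target) or "clean")
```
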
On 1 October 2014