Arbitrary injection point on POST data is not working
If you use an injection point (* or %INJECT HERE%) in a POST Data request with JSON (e.g. { "name" : "value*" }), sqlmap is actually URL encoding the special characters (e.g. %7B%20%22name%22%20%3A%20%22value%22%20%7D) before sending to the server.
I’ve noticed this problem because I’m intercepting all the sqlmap requests with a proxy.
Without the SQLiPy extension sqlmap does not perform the URL encoding.
Issue Analytics
- State:
- Created 6 years ago
- Comments: 7 (2 by maintainers)
Top GitHub Comments
@riramar I’ve fixed this issue (not related to sqlmap’s #2568) here with latest commit (https://github.com/sqlmapproject/sqlmap/commit/7dbbf3ecf5f96ab7c6d77b72d8f4789a037af600)
Hmm, I will look into it. The sqlmap API server might be encoding the data and then passing it on to sqlmap that way. I don’t believe SQLiPy is encoding anything.