New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
log should contain the URI and when it's a POST should contain the POST body #286
Comments
Which log are you referring to? Log file, traffic file, verbose output (-v..)? |
The file I'm talking about is output/WEBAPP/log. On Thu, Dec 6, 2012 at 9:56 AM, Miroslav Stampar
|
You can get that same data inside traffic file or with high verbose level (e.g. |
Not a bad idea, to add to the log file the raw request at the beginning. Although, a user having used sqlmap to detect and exploit the SQLi knows what the request is when he provides it with |
You can get all this with |
Also, inside log file we write any injection point found by the way. Including whole request would just put a more mess inside. |
In my opinion this introduces no mess in my opinion if we add it once only. |
Because of the workflow how we use log file we can't put request just once. We have to put it every single time injection point is found. Also, as with |
IMO, it should include each unique URI... For a single URI with multiple parameters that could be written just once... On Thu, Dec 6, 2012 at 10:08 AM, Miroslav Stampar
|
could anybody pinpoint to me where to put URI inside this: http://pastebin.com/YL3zqPGJ we use |
p.s. have you noticed that there is a file (inside that same folder) named |
Yes, but it only includes a single target since sqlmap doesnt append data On Thu, Dec 6, 2012 at 10:21 AM, Miroslav Stampar
|
And what's wrong with good old |
-t traffic.txt has all of the data for all requests. I'm just looking for On Thu, Dec 6, 2012 at 10:27 AM, Miroslav Stampar
|
And inside |
It doesn't have the full location to verify it manually. On Thu, Dec 6, 2012 at 10:33 AM, Miroslav Stampar
|
p.s. so you want complete URI and POST body inside |
I'll upgrade target.txt file to contain that information (POST data if used
|
Thanks. On Thu, Dec 6, 2012 at 10:55 AM, Miroslav Stampar
|
Obviously, I'm a bit late, but in my opinion, the log, target and the traffic files are more than enough. Also, if you are doing a pentest (that's what sqlmap is meant for, AFAIK), you would capture the entire traffic anyway, and it is trivial to extract the requests from the dump if you cannot find them in the above mentioned files. |
Now inside the corresponding A) in case of
A) in case of
|
The log output doesn't contain enough information to verify the SQL injection manually.
It should be enough to be repeatable using manual techniques.
The text was updated successfully, but these errors were encountered: