Open agx47 opened 1 month ago
Do not use --skip-urlencode in the GET method; this causes a malformed URL as defined in RFC 1738, because space is an unsafe character.
You can test this in curl:
$ curl 'https://httpbin.org/ headers'
curl: (3) URL rejected: Malformed input to a URL function
Hello,
I tested a symbol (') syntax error in the target www.example.com/id='. In the browser itself, I got no syntax error. However, when testing the same in Burp Suite, I received a syntax error, and the same occurred in the Python response.
Sqlmap cannot find the back-end DBMS unless I use --skip-urlencode, but that leads to the following message:
It looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
For the remaining tests, do you want to include all tests for 'MySQL', extending the provided level (1) and risk (1) values? [Y/n] y
[18:20:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:20:44] [PAYLOAD] 11
[18:20:45] [PAYLOAD] 11) AND 6931=3971 AND (6919 BETWEEN 6919 AND 6919
[18:20:45] [CRITICAL] unable to connect to the target URL. Sqlmap is going to retry the request(s)

Is there a parameter I should use for this case?
Sorry to bother you.
P.S.: Sqlmap didn’t find any WAF mechanisms.
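
Added example, not part of the thread and not sqlmap's own code: it checks the payload from the log above against the RFC 1738 unsafe-character list the reply cites, and shows how the raw spaces split the HTTP request line into extra fields. The helper names and the `www.example.com` base URL are assumptions for illustration; how a given server reacts to the extra fields varies.

```python
import re
from urllib.parse import quote, urlsplit

# RFC 1738 section 2.2 "unsafe" characters. '#' and '%' are left out of the
# set because they have a syntactic role (fragment delimiter, escape prefix);
# a '%' that does not start a %XX escape is checked separately.
RFC1738_UNSAFE = set(' <>"{}|\\^~[]`')
BAD_PERCENT = re.compile(r'%(?![0-9A-Fa-f]{2})')

def unsafe_positions(url):
    """Return (index, char) for every character that must not appear raw."""
    hits = [(i, c) for i, c in enumerate(url)
            if c in RFC1738_UNSAFE or ord(c) < 0x21 or ord(c) > 0x7E]
    hits += [(m.start(), '%') for m in BAD_PERCENT.finditer(url)]
    return sorted(hits)

def build_get_url(base, param, value, skip_urlencode=False):
    """Hypothetical helper: append one query parameter, encoded or raw."""
    encoded = value if skip_urlencode else quote(value, safe='')
    return f"{base}?{param}={encoded}"

def request_line_fields(url):
    """Fields a server sees when splitting 'METHOD SP target SP version'."""
    parts = urlsplit(url)
    target = parts.path or '/'
    if parts.query:
        target += '?' + parts.query
    return f"GET {target} HTTP/1.1".split(' ')

# Payload copied from the log in the post; the host is a placeholder.
PAYLOAD = "11) AND 6931=3971 AND (6919 BETWEEN 6919 AND 6919"
BASE = "https://www.example.com/"

if __name__ == "__main__":
    for skip in (True, False):
        url = build_get_url(BASE, "id", PAYLOAD, skip_urlencode=skip)
        print("skip_urlencode =", skip)
        print("  url:", url)
        print("  unsafe characters:", unsafe_positions(url))
        print("  request-line fields:", len(request_line_fields(url)))
```

A well-formed request line has exactly three space-separated fields; the raw form yields more, while the percent-encoded form carries the same payload in a single request-target.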