Whether tamper can add a parameter to get prefix and suffix #4973
Oh, I almost forgot, I also found a problem, and I don't know if it is a bug. When using DNS tunnel mode, namely --dns-domain, I found that SQLMap will discard the suffix. Please check it and tell me the answer. Thank you for your trouble~
Sorry to inform you, but there is no way to do it (in an easy way). Adding the prefix/suffix is done long before it could be available to the tamper mechanism. For example, in https://github.com/sqlmapproject/sqlmap/blob/master/lib/techniques/blind/inference.py#L606-L608 those are being set in the case of boolean-based blind SQLi, while tampering is called inside that
You don't have to be sorry. I like the tool you wrote and it helped me a lot, but my English is not very good, so I hope you can understand what I wrote. The function of getting the --suffix and --prefix entered by the user on the command line in tamper, by reading your code, I can already achieve it. I hope I can take a look at the suspected bug I mentioned above. I also used -v 4 to check the final payload sent. Indeed, in DNS tunnel mode, the suffix will be discarded. Happy New Year to you.
@HangZhouCat did you manage to add this to a branch? I think that I am also after a similar feature. I would describe it as dynamic parameters which are based upon the payload and/or other components of the final URL. In my context I am doing it manually right now to bypass URL tampering hashes - however I think it would be a nice feature for sqlmap.
I have read some documents of Tamper and the official example tamper, but I haven't found a place where I can get the suffix and prefix, and the tamper I wrote needs to use suffix and prefix. I wonder whether this function has been implemented. If so, please tell me. If not, could you consider adding this feature?