I would like to test my website for SQL injection using sqlmap. I'm using mod_rewrite and my URL looks like this:
http://www.example.com/forum/&nav_page=1
(where nav_page is the parameter name and 1 is value)
The problem I'm having is that I can't find a way to tell sqlmap to perform the injection test just on the value.
The URL also does not contain the ? sign because it's SEO friendly.
Your ideas of SEO-friendliness are quite vague. It is not symbols that make a URL look "SEO-friendly". It's technology that doesn't involve parameter names and values.
So, you have to decide whether you are using query string parameters or not.
If not, make your URLs really SEO-friendly, like http://www.example.com/forum/nav_page1/
If you still want to use query string variables, then use them properly, using the ? mark to define a query string.
I am load testing an application that has a link that looks like this:
https://example.com/myapp/table?qid=1434e99d-5b7c-4e74-b64e-c24e9564514d&rsid=5c94ddc7-e2e4-4e69-8547-49572486f4d1
I need to get the dynamic value of the rsid so I can use it later in my script.
So far I have tried using the regex extractor and I am probably doing it wrong.
I have tried things like:
name = myvar
regular expression = rsid=(.*?) # didn't work
regular expression = <a href=".*?rsid=(.*?)"> # didn't work
Template = $1$
I have one extractor set up to get the csrf value and that one works as expected but that is also because the csrf value is in the page source.
The above link is NOT in the page source as far as I can see but it DOES show up when I inspect the link. I don't know if that is obfuscation or something else?
How can I extract the value of the rsid? Is the regular expression extractor the right one to use for this?
Should I be using something else?
Is it just a formula issue?
Thanks in advance.
Try something like:
rsid=[0-9A-Fa-f\-]{36}
the above regular expression should match a GUID-like structure and your rsid seems to be an instance of it.
Also be aware of the Boundary Extractor, it's sufficient to specify "left" and "right" boundaries and it will extract everything in-between. In general coming up with "boundaries" is much easier than creating a regular expression, it's more readable and JMeter processes the Boundary Extractors much faster. More information: The Boundary Extractor vs. the Regular Expression Extractor in JMeter
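The question's two patterns, the answer's GUID pattern and a boundary-style extraction, compared on one response body. This is an added example, not code from the original posts: the sample body and the function names are constructed, and Python's `re` stands in for JMeter's regex engine on the assumption that lazy quantifiers and character classes behave the same way there.

```python
import re

# Constructed response body: the csrf token is plain HTML, but the rsid link
# only appears inside a script blob, not as a literal <a href="...">.
SAMPLE_BODY = (
    '<input type="hidden" name="csrf" value="constructed-token">\n'
    '<script>var next = "/myapp/table'
    '?qid=1434e99d-5b7c-4e74-b64e-c24e9564514d'
    '&rsid=5c94ddc7-e2e4-4e69-8547-49572486f4d1";</script>\n'
)

# The answer's character class, wrapped in a group so that a $1$ template
# has a group 1 to return.
GUID_PATTERN = r"rsid=([0-9A-Fa-f\-]{36})"


def regex_extract(body, pattern, default="NOT_FOUND"):
    """Return group 1 of the first match, or the default when nothing matches."""
    match = re.search(pattern, body)
    return match.group(1) if match else default


def boundary_extract(body, left, right, default="NOT_FOUND"):
    """Return the text between the first `left` and the next `right`."""
    start = body.find(left)
    if start < 0:
        return default
    start += len(left)
    end = body.find(right, start)
    return body[start:end] if end >= 0 else default


if __name__ == "__main__":
    # A lazy group with nothing after it is satisfied by zero characters,
    # so the first attempt "matches" but extracts an empty string.
    print(repr(regex_extract(SAMPLE_BODY, r"rsid=(.*?)")))
    # The second attempt needs a literal <a href> that this body never contains.
    print(regex_extract(SAMPLE_BODY, r'<a href=".*?rsid=(.*?)">'))
    print(regex_extract(SAMPLE_BODY, GUID_PATTERN))
    print(boundary_extract(SAMPLE_BODY, "rsid=", '"'))
```

If both extractors return the default against the real response, the value is not in that response body at all and has to be taken from whichever later request actually carries it.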
I'm getting the below error when I search on custom_field.
{"errorMessages":["Field \'customfield_10029\' does not exist or you do not have permission to view it."],"warningMessages":[]}
But I have enough permissions (Admin) to access that field. I also enabled the field to be visible.
URL = 'https://xyz.atlassian.net/rest/api/2/search?jql=status="In+Progress"+and+customfield_10029=125&fields=id,key,status'
Custom fields in JQL searches are referenced using the abbreviation 'cf' followed by their ID inside square brackets '[id]', so your URL would be:
URL = 'https://xyz.atlassian.net/rest/api/2/search?jql=status="In+Progress"+and+cf[10029]=125&fields=id,key,status'
Make sure you properly encode the square brackets in UTF-8 format in your language's encoding method.
PS. Generally speaking, it's much easier to reference custom fields in JQL searches by their names, not their IDs. It makes the search URL easier to read and understand what is being searched for.
I get a 400 response code with customized field syntax:
https://domain/rest/api/2/search?maxResults=500&jql=cf[10025]='xxxxxxxxxd'&fields=id,key,issuetype,status,customfield_10025
I'm using ATK4.2.4, I've got a grid with a QuickSearch but it appears to be case-sensitive. However, looking at the example here: http://agiletoolkit.org/codepad/gui/grid it does not behave case-sensitive.
I've tried feeding my grid from a model and directly through setSource, no difference.
Any clues on which direction to look for the cause and/or how to fix it?
QuickSearch is case sensitive (class QuickSearch method PostInit).
But in case you use MySQL for your model, then MySQL itself ignores string case for LIKE statements if correctly configured.
See here: How can I search (case-insensitive) in a column using LIKE wildcard?
I've a problem with Apache mod_rewrite: I need to generate a SEF query with flexible parameters.
example:
www.myname.com/category.php?p1=itemname&p2=categoryname&p3=color&p4=size
or
www.myname.com/category.php?p1=itemname&p3=color
or
www.myname.com/category.php?p3=color&p4=size
the combinations are always different.
How can I do it dynamically?
I started with:
RewriteRule ^search/([^/]+)-([^/]+)-([^/]+)$ category.php?p1=$1&p2=$2&p3=$3&p4=$4
Thank You!!
It's not possible to build a regexp that matches in the flexible way you want.
I see some alternatives:
You could assign a position to each parameter in the URL, something like:
http://www.myname.com/param1-param2-param3-param4
BUT in the absence of one of the parameters, the separator char should still appear in the URL:
http://www.myname.com/--color-size
In my opinion, this URL is UGLY.
You can evaluate the use of URL path params, take a look at what every developer should know about url encoding
with this alternative the url could be something like:
http://www.myname.com/item;name=xxx;category=yyy;color=zzz
I do not know how search engines would consider these URLs, but I imagine that it's SEF.
Following conversion
SELECT to_tsvector('english', 'Google.com');
returns this:
'google.com':1
Why didn't the TSearch2 engine return something like this?
'google':2, 'com':1
Or how can I make the engine return the exploded string as I wrote above?
I just need "Google.com" to be findable by "google".
Unfortunately, there is no quick and easy solution.
Denis is correct in that the parser is recognizing it as a hostname, which is why it doesn't break it up.
There are 3 other things you can do, off the top of my head.
You can disable the host parsing in the database. See postgres documentation for details. E.g. something like:
ALTER TEXT SEARCH CONFIGURATION your_parser_config
DROP MAPPING FOR url, url_path
You can write your own custom dictionary.
You can pre-parse your data before it's inserted into the database in some manner (maybe splitting all domains before going into the database).
I had a similar issue to you last year and opted for solution (2), above.
My solution was to write a custom dictionary that splits words up on non-word characters. A custom dictionary is a lot easier & quicker to write than a new parser. You still have to write C tho :)
The dictionary I wrote would return something like 'www.facebook.com':4, 'com':3, 'facebook':2, 'www':1 for the 'www.facebook.com' domain (we had a unique-ish scenario, hence the 4 results instead of 3).
The trouble with a custom dictionary is that you will no longer get stemming (ie: www.books.com will come out as www, books and com). I believe there is some work (which may have been completed) to allow chaining of dictionaries which would solve this problem.
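Option (3) above, pre-parsing the text before it is inserted, can be sketched as follows. This is an added example, not the answerer's code: `HOST_RE` and `expand_hosts` are hypothetical names, and the hostname pattern is a deliberately simple assumption about what counts as a domain.

```python
import re

# Hostname-like token: one or more dot-terminated labels followed by an
# alphabetic final label of at least two letters (assumed definition).
HOST_RE = re.compile(
    r"\b(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}\b"
)


def expand_hosts(text):
    """Keep each hostname and append its labels as separate words.

    The result is what would be passed to to_tsvector instead of the raw
    text, so the full host and each of its parts are both present.
    """
    def add_labels(match):
        host = match.group(0)
        return host + " " + " ".join(host.split("."))

    return HOST_RE.sub(add_labels, text)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "Google.com",
        "see www.facebook.com now",
        "version 1.2.3 released",   # numeric final label: left untouched
        "e.g. plain words",         # one-letter final label: left untouched
    ):
        print(repr(expand_hosts(sample)))
```

Because the appended labels are ordinary words, they still go through whatever dictionaries the text search configuration applies to words, which sidesteps the stemming loss described for the custom dictionary.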
First off in case you're not aware, tsearch2 is deprecated in favor of the built-in functionality:
http://www.postgresql.org/docs/9/static/textsearch.html
As for your actual question, google.com gets recognized as a host by the parser:
http://www.postgresql.org/docs/9.0/static/textsearch-parsers.html
If you don't want this to occur, you'll need to pre-process your text accordingly (or use a custom parser).