Parameter support issues.

[sectroyer]

SSTImap lacks '-p' (or equivalent) switch for specifying injection parameter.

Also it would be nice to have some improvement in case of multiple parameters like here:

[*] Javascript plugin is testing rendering with tag '*'
[*] Javascript plugin is testing ;*// code context escape with 6 variations
[*] Javascript plugin is testing blind injection
[*] Javascript plugin is testing ;*// code context escape with 6 variations
[*] Testing if POST parameter 'csrf' is injectable
[*] Ejs plugin is testing rendering with tag '*'
[*] Ejs plugin is testing %>*<%# code context escape with 6 variations
[*] Ejs plugin is testing blind injection
[*] Ejs plugin is testing %>*<%# code context escape with 6 variations
[*] Freemarker plugin is testing rendering with tag '*'
[*] Freemarker plugin is testing }* code context escape with 6 va

It's hard to find a line where it switches to new parameter. Even change to something like this would help a lot:

[*] Javascript plugin is testing rendering with tag '*'
[*] Javascript plugin is testing ;*// code context escape with 6 variations
[*] Javascript plugin is testing blind injection
[*] Javascript plugin is testing ;*// code context escape with 6 variations

[*] Testing if POST parameter 'csrf' is injectable
[*] Ejs plugin is testing rendering with tag '*'
[*] Ejs plugin is testing %>*<%# code context escape with 6 variations
[*] Ejs plugin is testing blind injection
[*] Ejs plugin is testing %>*<%# code context escape with 6 variations
[*] Freemarker plugin is testing rendering with tag '*'
[*] Freemarker plugin is testing }* code context escape with 6 va

Maybe even a different color of the "Testing..." line...

[vladko312]

I will probably change the color. Also, have you set an injection marker (*) as a parameter you need?

[sectroyer]

Nope I didn't. It wasn't clear for me if it works or not :)

[vladko312]

I made URL/form and parameter changing stand out a bit more.

Can you verify?

As for marker usage, it requires some documentation, so the issue will remain open for now.

[sectroyer]

Yes this green color looks much better 👍

[vladko312]

Thank you for your feedback! I will close this issue after creating some documentation.

[sectroyer]

After some more testing I have noticed one issue with current logging:
[*] Testing if POST parameter 'TEST' is injectable
Since it's in green and ends with "parameter XYZ is injectable" it often confuses me. Tough I know the tool and notice it after a second. Still I think something like this:
[*] Testing injection on POST parameter 'TEST'
Especially since sqlmap logs "... is injectable" so that's probably why it confuses me 😄

[vladko312]

Maybe, I will change the colour to yellow and change the text as well

[vladko312]

Should be more clear in 1.2.0
Can you verify?