Re: [sqlmap-users] sqlmap and Hacme Bank
From: Bernardo D. A. G. <ber...@gm...> - 2009-06-24 12:06:25
Hi Richard,

On Tue, Jun 23, 2009 at 21:02, Richard Jones<wp...@gm...> wrote:
> ...
> The strings that I have been trying to match are:
> Not Injected Page: Message"></span>
> True Injected Page: Message">Line 1: Incorrect syntax near 'asdf'.</span>
> False Injected Page: Message">Invalid Login</span>
>
> My question is how is the "not injected" page detected? When watching the
> output on level 5 verbosity, I see this request. I assume this is the
> request to determine the "Not Injected" page?

First of all, sqlmap has no good support for SQL injection in login forms yet. I have to refactor the engine to improve the comparison algorithm to make it properly detect injection points in login forms where, usually, the not injected (original) page differs from both True/False pages and the match is to be done on the True injected page only. I will be working on this in the long run.

This said, if you are sure that the True injection page has only that string to match on, use --string "Line 1", but still, it won't work because at this time sqlmap needs to have the string also in the Not injected page.

> ...
> So, can I get sqlmap to detect the "Not Injected" page with a simple GET
> request, but then perform the sql injection using POST requests? Or is
> there something else that needs done? I tried changing --method to GET, as
> well as removing --method, but the GET that is sent for the "Not Injected"
> page still contains the POST data, which still results in "Invalid Login".

Unfortunately not at this time. I will work on it as time permits.

Thanks for reporting.

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F