[sqlmap-users] Fwd: Fwd: sqlmap stop after testing User-Agent
From: Erik N. <da...@gm...> - 2009-09-16 12:10:44
This was just an example of variables to use. You have to identify the variables on your own for each URL. A good tool for this is the "Tamper data" plug-in for Firefox.

---------- Forwarded message ----------
From: Adrien LEMAIRE <lem...@gm...>
Date: Wed, Sep 16, 2009 at 1:52 PM
Subject: Re: [sqlmap-users] Fwd: sqlmap stop after testing User-Agent
To: Erik Nilsson <da...@gm...>
Cc: sql...@li...

Ok, I have already tried with the --data option, but I've put "user=user;pass=pass" instead of "user=user&pass=pass", mistake. So I've retried and the output is:

> $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&pass=password"
>
> sqlmap/0.7
> by Bernardo Damele A. G. <ber...@gm...>
>
> [*] starting at: 13:43:07
>
> [13:43:07] [INFO] testing connection to the target url
> [13:43:07] [INFO] testing if the url is stable, wait a few seconds
> [13:43:08] [INFO] url is stable
> [13:43:08] [INFO] testing if POST parameter 'user' is dynamic
> [13:43:08] [WARNING] POST parameter 'user' is not dynamic
> [13:43:08] [INFO] testing if POST parameter 'pass' is dynamic
> [13:43:08] [WARNING] POST parameter 'pass' is not dynamic
> [13:43:08] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [13:43:08] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>
> [*] shutting down at: 13:43:08

So I suppose that there is no injection vulnerability, and I should use another tool?

On Wed, Sep 16, 2009 at 1:37 PM, Erik Nilsson <da...@gm...> wrote:
>
> You'll need to enter GET and/or POST values like
>
> sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&password=password"
>
> OR
>
> sqlmap-0.7 $ python sqlmap.py --url="http://invest.infomirmo.fr/webdesigner/connexion.php?user=user&data=data"
>
> ---------- Forwarded message ----------
> From: Adrien LEMAIRE <lem...@gm...>
> Date: Wed, Sep 16, 2009 at 11:35 AM
> Subject: [sqlmap-users] sqlmap stop after testing User-Agent
> To: sql...@li...
>
> Hi everyone,
>
> I'm new to this mailing list :)
> I want to learn how to use sqlmap. I've installed sqlmap on my Ubuntu,
> and tried to launch it:
>
> > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1
> >
> > sqlmap/0.7
> > by Bernardo Damele A. G. <ber...@gm...>
> >
> > [*] starting at: 11:13:17
> >
> > [11:13:17] [INFO] testing connection to the target url
> > [11:13:17] [INFO] testing if the url is stable, wait a few seconds
> > [11:13:19] [INFO] url is stable
> > [11:13:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> > [11:13:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> >
> > [*] shutting down at: 11:13:19
>
> This website is a French site for hacking challenges, and I wanted to
> try if sqlmap couldn't bruteforce the login/password.
> But I thought that sqlmap will also test for GET, POST and Cookie
> before shutting down if nothing is dynamic.
>
> Reference to user manual:
>
> > Let's say that you are auditing a web application and found a web page that accepts dynamic user-provided values on GET or POST parameters or HTTP Cookie values or HTTP User-Agent header value.
>
> Did I misunderstand something? Do you think I forgot to configure
> something in sqlmap config files? (I haven't modified any file yet).
>
> Thank you a lot for your answer, and sorry for the disturbance.
> Best regards,
> Adrien Lemaire
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users