[sqlmap-users] Parameter "is not dynamic"
From: Roman Medina-H. H. <ro...@rs...> - 2009-01-22 15:44:24
Hello,

I'm trying sqlmap (latest windows exe) against a vulnerable site and I always get sqlmap telling me that the parameter is not dynamic (then sqlmap is terminated). Could you explain how this logic (the dynamic test) works?

The page in question is a user/password form, sent via POST method, where only the user parameter (called "txtUsuario") is injectable. I manually checked it and:

- if an arbitrary user is entered, I get a 200 response with "Incorrect user" message.
- if I enter a "'" char, I get a 500 response and an error message from the database :)
- if I enter the typical "aaa' or ''='" (which is evaluated to TRUE), I get a 200 response, this time with "Incorrect password" (so user test is passed!!!).

Former tests show that it is clearly vulnerable to (blind) sql injection, but I didn't get it to exploit with sqlmap....

This is what I'm using and the faulty results:

    C:\SQLMAP~1.3_E>sqlmap -v 2 -u "https://www.victim.com:443/LoginAction.do" --method POST --data "txtUsuario=a&txtPwd=a&Submit=aceptar" -p "txtUsuario"

    sqlmap/0.6.3 coded by Bernardo Damele A. G. <ber...@gm...>
    and Daniele Bellucci <dan...@gm...>

    [*] starting at: 16:20:16

    [16:20:16] [DEBUG] initializing the configuration
    [16:20:16] [DEBUG] initializing the knowledge base
    [16:20:16] [DEBUG] cleaning up configuration parameters
    [16:20:16] [DEBUG] setting the HTTP method to POST
    [16:20:16] [DEBUG] creating HTTP requests opener object
    [16:20:16] [DEBUG] parsing XML queries file
    [16:20:16] [INFO] testing connection to the target url
    [16:20:18] [WARNING] the testable parameter 'txtUsuario' you provided is not into the Cookie
    [16:20:18] [INFO] testing if the url is stable, wait a few seconds
    [16:20:23] [INFO] url is stable
    [16:20:23] [INFO] testing if POST parameter 'txtUsuario' is dynamic
    [16:20:24] [WARNING] POST parameter 'txtUsuario' is not dynamic

    [*] shutting down at: 16:20:24

    C:\SQLMAP~1.3_E>

I've sniffed the requests sent by sqlmap and it sent the following 5 requests:

    txtUsuario=a&txtPwd=a&Submit=aceptar
    txtUsuario=a&txtPwd=a&Submit=aceptar
    txtUsuario=a&txtPwd=a&Submit=aceptar
    txtUsuario=a&txtPwd=a&Submit=aceptar
    txtUsuario=9378&txtPwd=a&Submit=aceptar

I guess the first requests are tests for stability (that's ok), and the last one is for "dynamic"-test. Since both "a" and "9378" values return the same response (code 200, with string "Incorrect user"), it believes the parameter is not dynamic (I guess). But this logic is nonsense: why is sqlmap checking for 9378? Why didn't it try with a "'"? Is there any way to disable this "dynamic test"? I also tried with --string, with no luck.

Could you help me, please? Which exact command line would you enter in my scenario?

Thank you.

Cheers,
-Roman