Re: [sqlmap-users] Parameter "is not dynamic"
From: Roman Medina-H. H. <ro...@rs...> - 2009-01-28 19:23:05
Please, Bernardo, some comments about this? Thank you.

-r

Roman Medina-Heigl Hernandez wrote:
> Hello,
>
> I'm trying sqlmap (latest windows exe) against a vulnerable site and I
> always get sqlmap telling that the parameter is not dynamic (then sqlmap is
> terminated). Could you explain how this logic (the dynamic test) works?
>
> The page in question is a user/password form, sent via POST method, where
> only the user parameter (called "txtUsuario") is injectable. I manually
> checked it and:
> - if an arbitrary user is entered, I get a 200 response with "Incorrect
> user" message.
> - if I enter a "'" char, I get a 500 response and an error message from the
> database :)
> - if I enter the typical "aaa' or ''='" (which is evaluated to TRUE), I get
> a 200 response, this time with "Incorrect password" (so user test is
> passed!!!).
>
> Former tests show that it is clearly vulnerable to (blind) sql injection,
> but I didn't get it to exploit with sqlmap....
>
> This is what I'm using and the faulty results:
>
> C:\SQLMAP~1.3_E>sqlmap -v 2 -u "https://www.victim.com:443/LoginAction.do" --method POST --data "txtUsuario=a&txtPwd=a&Submit=aceptar" -p "txtUsuario"
>
> sqlmap/0.6.3 coded by Bernardo Damele A. G. <ber...@gm...>
> and Daniele Bellucci <dan...@gm...>
>
> [*] starting at: 16:20:16
>
> [16:20:16] [DEBUG] initializing the configuration
> [16:20:16] [DEBUG] initializing the knowledge base
> [16:20:16] [DEBUG] cleaning up configuration parameters
> [16:20:16] [DEBUG] setting the HTTP method to POST
> [16:20:16] [DEBUG] creating HTTP requests opener object
> [16:20:16] [DEBUG] parsing XML queries file
> [16:20:16] [INFO] testing connection to the target url
> [16:20:18] [WARNING] the testable parameter 'txtUsuario' you provided is not into the Cookie
> [16:20:18] [INFO] testing if the url is stable, wait a few seconds
> [16:20:23] [INFO] url is stable
> [16:20:23] [INFO] testing if POST parameter 'txtUsuario' is dynamic
> [16:20:24] [WARNING] POST parameter 'txtUsuario' is not dynamic
>
> [*] shutting down at: 16:20:24
>
>
> C:\SQLMAP~1.3_E>
>
>
> I've sniffed the requests sent by sqlmap and it sent the following 5 requests:
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=a&txtPwd=a&Submit=aceptar
> txtUsuario=9378&txtPwd=a&Submit=aceptar
>
> I guess the first requests are tests for stability (that's ok), and the
> last one is for "dynamic"-test. Since both "a" and "9378" values return the
> same response (code 200, with string "Incorrect user"), it believes the
> parameter is not dynamic (I guess). But this logic is nonsense: why is
> sqlmap checking for 9378? Why didn't it try with a "'"? Is there any way to
> disable this "dynamic test"?
>
> I also tried with --string, with no luck. Could you help me, please? Which
> exact command line would you enter in my scenario?
>
> Thank you.
>
> Cheers,
> -Roman

--

Regards,

-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
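
The five sniffed requests in the message above form a recognizable pattern on the server side: one POST body repeated several times, then the same body with a single parameter swapped for a number. The following is an added example, not part of the original post and not sqlmap's code, that flags that sequence in a request log. The log tuple format, the sample entries for the second client, and the `MIN_REPEATS` threshold are assumptions; the pattern is taken only from the requests quoted in the post.

```python
from urllib.parse import parse_qsl

# Constructed sample: (client, path, POST body) in arrival order. The bodies
# for 10.0.0.5 are the five requests listed in the post; the rest is made up.
SAMPLE_LOG = [
    ("10.0.0.5", "/LoginAction.do", "txtUsuario=a&txtPwd=a&Submit=aceptar"),
    ("10.0.0.9", "/LoginAction.do", "txtUsuario=maria&txtPwd=x1&Submit=aceptar"),
    ("10.0.0.5", "/LoginAction.do", "txtUsuario=a&txtPwd=a&Submit=aceptar"),
    ("10.0.0.5", "/LoginAction.do", "txtUsuario=a&txtPwd=a&Submit=aceptar"),
    ("10.0.0.9", "/LoginAction.do", "txtUsuario=maria&txtPwd=x2&Submit=aceptar"),
    ("10.0.0.5", "/LoginAction.do", "txtUsuario=a&txtPwd=a&Submit=aceptar"),
    ("10.0.0.5", "/LoginAction.do", "txtUsuario=9378&txtPwd=a&Submit=aceptar"),
]

MIN_REPEATS = 3  # assumption: identical bodies required before a swap counts


def changed_params(before, after):
    """Return {name: (old, new)} for parameters whose value differs."""
    a = dict(parse_qsl(before, keep_blank_values=True))
    b = dict(parse_qsl(after, keep_blank_values=True))
    if a.keys() != b.keys():
        return {}
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def find_probe_sequences(log, min_repeats=MIN_REPEATS):
    """Flag clients that repeat one body, then swap one value for digits."""
    state = {}  # (client, path) -> (last body, consecutive repeat count)
    hits = []
    for client, path, body in log:
        key = (client, path)
        last, count = state.get(key, (None, 0))
        if body == last:
            state[key] = (body, count + 1)
            continue
        if last is not None and count >= min_repeats:
            diff = changed_params(last, body)
            if len(diff) == 1:
                name, (old, new) = next(iter(diff.items()))
                # Only a non-numeric value replaced by a number is flagged.
                if new.isdigit() and not old.isdigit():
                    hits.append((client, path, name, new))
        state[key] = (body, 1)
    return hits
```

A match only says the request sequence looks like the one in the post; other tools or tool versions may probe differently.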