Re: [sqlmap-users] sql injection doesn't works
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] sql injection doesn't works
|
From: Bernardo D. A. G. <ber...@gm...> - 2009-03-26 00:41:18
|
Hi Alfonso,
Please, provide sqlmap with the --string option. Read the user's
manual for details.
Cheers,
Bernardo
On Sun, Mar 8, 2009 at 17:02, alfonso caponi <alf...@gm...> wrote:
> Hi list,
>
> I'm using sqlmap with a website created ad-hoc (Apache/2.2.9 (Ubuntu)
> PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch, mysql Ver 14.12 Distrib 5.0.67,
> for debian-linux-gnu (i486) using readline 5.2).
>
> The simple and insecure php code:
>
> ...
> ...
> $query = "SELECT id from $db_table where username = '$username'";
> $result = mysql_query($query);
>
> while ($row = mysql_fetch_array($result)){
> print "$row[0]<br>";
> }
> ...
> ...
>
> the MySQL table:
>
> mysql> show columns from tbl_test;
> +----------+-------------+------+-----+---------+----------------+
> | Field | Type | Null | Key | Default | Extra |
> +----------+-------------+------+-----+---------+----------------+
> | id | int(10) | NO | PRI | NULL | auto_increment |
> | username | varchar(20) | NO | | NULL | |
> | password | varchar(20) | NO | | NULL | |
> +----------+-------------+------+-----+---------+----------------+
>
> get_magic_quotes_gpc = Off
>
> Now, I can do sql injection attack with ' or 1=1-'
>
> http://127.0.0.1/test/test_sql.php?username=username1%27%20or%201=1-%27
>
> but with sqlmap...
>
> ...
> ...
> [17:58:58] [WARNING] GET parameter 'username' is not injectable
>
> I've also tried with --prefix "'" --postfix "'OR 1=1--'" etc... but nothing.
>
> Any hints?
>
> Thank you,
> AL
>
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
> -Strategies to boost innovation and cut costs with open source participation
> -Receive a $600 discount off the registration fee with the source code: SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
|
