Re: [sqlmap-users] Fwd: Fwd: sqlmap stop after testing User-Agent
From: Adrien L. <lem...@gm...> - 2009-09-16 14:47:46
Your example was user and password. I've looked into Tamper Data and have seen that the variables were user and pass. So what do you think about it?

Thanks a lot for your help, Erik!

On Wed, Sep 16, 2009 at 2:10 PM, Erik Nilsson <da...@gm...> wrote:
> This was just an example of variables to use. You have to identify the
> variables on your own for each URL.
> A good tool for this is the "Tamper data" plug-in for Firefox.
>
> ---------- Forwarded message ----------
> From: Adrien LEMAIRE <lem...@gm...>
> Date: Wed, Sep 16, 2009 at 1:52 PM
> Subject: Re: [sqlmap-users] Fwd: sqlmap stop after testing User-Agent
> To: Erik Nilsson <da...@gm...>
> Cc: sql...@li...
>
> Ok, I had already tried the --data option, but I put
> "user=user;pass=pass" instead of "user=user&pass=pass", my mistake.
>
> So I've retried and the output is:
>
> > $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&pass=password"
> >
> > sqlmap/0.7
> > by Bernardo Damele A. G. <ber...@gm...>
> >
> > [*] starting at: 13:43:07
> >
> > [13:43:07] [INFO] testing connection to the target url
> > [13:43:07] [INFO] testing if the url is stable, wait a few seconds
> > [13:43:08] [INFO] url is stable
> > [13:43:08] [INFO] testing if POST parameter 'user' is dynamic
> > [13:43:08] [WARNING] POST parameter 'user' is not dynamic
> > [13:43:08] [INFO] testing if POST parameter 'pass' is dynamic
> > [13:43:08] [WARNING] POST parameter 'pass' is not dynamic
> > [13:43:08] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> > [13:43:08] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> >
> > [*] shutting down at: 13:43:08
>
> So I suppose that there is no injection vulnerability, and I should
> use another tool?
>
> On Wed, Sep 16, 2009 at 1:37 PM, Erik Nilsson <da...@gm...> wrote:
> >
> > You'll need to enter GET and/or POST values like
> >
> > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&password=password"
> >
> > OR
> >
> > sqlmap-0.7 $ python sqlmap.py --url="http://invest.infomirmo.fr/webdesigner/connexion.php?user=user&data=data"
> >
> > ---------- Forwarded message ----------
> > From: Adrien LEMAIRE <lem...@gm...>
> > Date: Wed, Sep 16, 2009 at 11:35 AM
> > Subject: [sqlmap-users] sqlmap stop after testing User-Agent
> > To: sql...@li...
> >
> > Hi everyone,
> >
> > I'm new to this mailing list :)
> > I want to learn how to use sqlmap. I've installed sqlmap on my Ubuntu,
> > and tried to launch it:
> >
> > > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1
> > >
> > > sqlmap/0.7
> > > by Bernardo Damele A. G. <ber...@gm...>
> > >
> > > [*] starting at: 11:13:17
> > >
> > > [11:13:17] [INFO] testing connection to the target url
> > > [11:13:17] [INFO] testing if the url is stable, wait a few seconds
> > > [11:13:19] [INFO] url is stable
> > > [11:13:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> > > [11:13:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> > >
> > > [*] shutting down at: 11:13:19
> >
> > This website is a French site for hacking challenges, and I wanted to
> > see if sqlmap could brute-force the login/password.
> > But I thought that sqlmap would also test for GET, POST and Cookie
> > before shutting down if nothing is dynamic.
> >
> > Reference to the user manual:
> >
> > > Let's say that you are auditing a web application and found a web page
> > > that accepts dynamic user-provided values on GET or POST parameters or
> > > HTTP Cookie values or HTTP User-Agent header value.
> >
> > Did I misunderstand something? Do you think I forgot to configure
> > something in the sqlmap config files? (I haven't modified any file yet.)
> >
> > Thanks a lot for your answer, and sorry for the disturbance.
> > Best regards,
> > Adrien Lemaire
> >
> > _______________________________________________
> > sqlmap-users mailing list
> > sql...@li...
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users