Re: [sqlmap-users] Basic injection not working... Help.
From: Patrick W. <pa...@au...> - 2009-09-17 16:08:05
It is probably not a good idea to attack http://www.siig.fr

-Patrick

On Fri, Sep 18, 2009 at 2:04 AM, Tristan Foureur <tri...@gm...> wrote:

> Hello,
>
> I don't know why but a really really basic injection is not detected. The
> URL is like www.host.com?news_id=270&zone_id=4 and when I'm doing
> www.host.com?news_id=270&zone_id=4 OR 1 it displays every news, when I'm
> doing news_id=270 AND 0 it displays no news. When I'm doing
> news_id=270 THISISATEST it displays a mysql error.
>
> So it's definitely injectable and that's not a "rare" type of injection.
>
> Now I would like to learn to use sqlmap to find these injections and how to
> use it but when I'm doing this:
>
> sqlmap.exe -u "http://www.siig.fr/fr/consnews2.php?news_id=270&zone_id=4" -v 1
>
> It says that both news_id and zone_id aren't injectable! I tried using
> the -p parameter like that: -p zone_id but it doesn't change anything.
>
> I don't think that sqlmap can't detect such basic injections, so could you
> tell me what are the proper parameters to detect something simple like that,
> and then how to exploit it?
>
> Thanks :)