Re: [sqlmap-users] Fwd: Fwd: sqlmap stop after testing User-Agent
From: Kyle A. <ky...@xk...> - 2009-09-17 16:18:35
I don't really want to spoil this challenge for you; I enjoy hackthissite.org and I hate spoilers. But the URL you are attacking is incorrect: connexion.php doesn't accept POST data at all. Look carefully at the source. Also look again at the variables you are passing; one of them is not correct.

Also, this tool may not work on a hacking site, if it is anything like hackthissite.org. The reason is that, for safety purposes, the site may be hardcoded to only accept the official "response" and won't respond like a normal PHP/MySQL site. Does this make any sense? In other words, the PHP page may just be parsing for correct-looking responses, with no real database behind it. I tried injecting it with the correct URL and correct variables and it didn't respond; I don't believe that a real MySQL server is behind it.

Kyle

On 9/16/09, Adrien LEMAIRE <lem...@gm...> wrote:
> Your example was user and password. I've looked into Tamper Data and have
> seen that the variables were user and pass. So what do you think about it?
>
> Thank you a lot for your help, Erik!
>
> On Wed, Sep 16, 2009 at 2:10 PM, Erik Nilsson <da...@gm...> wrote:
>
>> This was just an example of variables to use. You have to identify the
>> variables on your own for each URL.
>> A good tool for this is the "Tamper Data" plug-in for Firefox.
>>
>> ---------- Forwarded message ----------
>> From: Adrien LEMAIRE <lem...@gm...>
>> Date: Wed, Sep 16, 2009 at 1:52 PM
>> Subject: Re: [sqlmap-users] Fwd: sqlmap stop after testing User-Agent
>> To: Erik Nilsson <da...@gm...>
>> Cc: sql...@li...
>>
>> Ok, I had already tried with the --data option, but I put
>> "user=user;pass=pass" instead of "user=user&pass=pass", a mistake.
>>
>> So I retried and the output is:
>>
>> > $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&pass=password"
>> >
>> > sqlmap/0.7
>> > by Bernardo Damele A. G. <ber...@gm...>
>> >
>> > [*] starting at: 13:43:07
>> >
>> > [13:43:07] [INFO] testing connection to the target url
>> > [13:43:07] [INFO] testing if the url is stable, wait a few seconds
>> > [13:43:08] [INFO] url is stable
>> > [13:43:08] [INFO] testing if POST parameter 'user' is dynamic
>> > [13:43:08] [WARNING] POST parameter 'user' is not dynamic
>> > [13:43:08] [INFO] testing if POST parameter 'pass' is dynamic
>> > [13:43:08] [WARNING] POST parameter 'pass' is not dynamic
>> > [13:43:08] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>> > [13:43:08] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>> >
>> > [*] shutting down at: 13:43:08
>>
>> So I suppose that there is no injection vulnerability, and I should
>> use another tool?
>>
>> On Wed, Sep 16, 2009 at 1:37 PM, Erik Nilsson <da...@gm...> wrote:
>> >
>> > You'll need to enter GET and/or POST values like
>> >
>> > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1 --data="user=user&password=password"
>> >
>> > OR
>> >
>> > sqlmap-0.7 $ python sqlmap.py --url="http://invest.infomirmo.fr/webdesigner/connexion.php?user=user&data=data"
>> >
>> > ---------- Forwarded message ----------
>> > From: Adrien LEMAIRE <lem...@gm...>
>> > Date: Wed, Sep 16, 2009 at 11:35 AM
>> > Subject: [sqlmap-users] sqlmap stop after testing User-Agent
>> > To: sql...@li...
>> >
>> > Hi everyone,
>> >
>> > I'm new to this mailing list :)
>> > I want to learn how to use sqlmap. I've installed sqlmap on my Ubuntu,
>> > and tried to launch it:
>> >
>> > > sqlmap-0.7 $ python sqlmap.py -u http://invest.infomirmo.fr/webdesigner/connexion.php -v 1
>> > >
>> > > sqlmap/0.7
>> > > by Bernardo Damele A. G. <ber...@gm...>
>> > >
>> > > [*] starting at: 11:13:17
>> > >
>> > > [11:13:17] [INFO] testing connection to the target url
>> > > [11:13:17] [INFO] testing if the url is stable, wait a few seconds
>> > > [11:13:19] [INFO] url is stable
>> > > [11:13:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>> > > [11:13:19] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>> > >
>> > > [*] shutting down at: 11:13:19
>> >
>> > This website is a French site for hacking challenges, and I wanted to
>> > try whether sqlmap could brute-force the login/password.
>> > But I thought that sqlmap would also test GET, POST and Cookie
>> > before shutting down if nothing is dynamic.
>> >
>> > Reference to the user manual:
>> > > Let's say that you are auditing a web application and found a web page
>> > > that accepts dynamic user-provided values on GET or POST parameters or
>> > > HTTP Cookie values or HTTP User-Agent header value.
>> >
>> > Did I misunderstand something? Do you think I forgot to configure
>> > something in the sqlmap config files? (I haven't modified any file yet.)
>> >
>> > Thank you a lot for your answer, and sorry for disturbing you.
>> > Best regards,
>> > Adrien Lemaire
>> >
>> > ------------------------------------------------------------------------------
>> > Come build with us! The BlackBerry® Developer Conference in SF, CA
>> > is the only developer event you need to attend this year. Jumpstart your
>> > developing skills, take BlackBerry mobile applications to market and stay
>> > ahead of the curve. Join us from November 9-12, 2009. Register now!
>> > http://p.sf.net/sfu/devconf
>> > _______________________________________________
>> > sqlmap-users mailing list
>> > sql...@li...
>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
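As an added illustration of why both runs in the thread stop right after the User-Agent check (this is example code written for this page, not sqlmap's own implementation): a parameter is only worth testing if the page is stable across identical requests and changes when that parameter's value changes. The `;` separator mistake is also shown: only `&` splits a form body, so `user=user;pass=pass` is a single parameter. The 0.98 similarity threshold and the two stand-in login pages are constructed assumptions for this demonstration.

```python
from difflib import SequenceMatcher

# Assumed threshold for this example; sqlmap's own comparison logic is not reproduced here.
MATCH_THRESHOLD = 0.98


def parse_post_data(data):
    """Split a --data body on '&' only. ';' is not a separator, which is why
    "user=user;pass=pass" yields a single parameter named 'user'."""
    params = {}
    for pair in data.split("&"):
        name, _, value = pair.partition("=")
        params[name] = value
    return params


def page_ratio(a, b):
    """Similarity of two response bodies, 0.0 (different) to 1.0 (identical)."""
    return SequenceMatcher(None, a, b).ratio()


def is_stable(fetch, params):
    """Send the same request twice: a page that changes on its own would make
    any difference-based test meaningless."""
    return page_ratio(fetch(params), fetch(params)) >= MATCH_THRESHOLD


def is_dynamic(fetch, params, name):
    """Resend with one parameter altered; if the body does not change, the
    parameter is reported as 'not dynamic' and skipped."""
    baseline = fetch(params)
    altered = dict(params, **{name: params[name] + "9999"})
    return page_ratio(baseline, fetch(altered)) < MATCH_THRESHOLD


def dynamic_parameters(fetch, data):
    """Names of the POST parameters worth testing, or None if the page is unstable."""
    params = parse_post_data(data)
    if not is_stable(fetch, params):
        return None
    return [n for n in params if is_dynamic(fetch, params, n)]


# Constructed stand-ins for a login page; no network traffic is involved.
def canned_login_page(params):
    # A challenge page that only pattern-matches the expected answer returns
    # the same body for every submission, so nothing ever looks dynamic.
    return "<p>Login failed.</p>"


def reflecting_login_page(params):
    # A page that echoes the submitted user name back into the response.
    return "<p>Unknown user '%s'.</p>" % params.get("user", "")
```

With the canned page every parameter is "not dynamic" and the scan would shut down exactly as in the thread; with the reflecting page only `user` qualifies.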