[sqlmap-users] Need some help with a basic vulnerability
Brought to you by:
inquisb
From: Tristan F. <tri...@gm...> - 2009-09-17 16:25:56
|
Hello, I don't know why but a really really basic injection is not detected. The URL is like www.host.com?news_id=270&zone_id=4<http://www.host.com/?news_id=270&zone_id=4>and when I'm doing www.host.com?news_id=270&zone_id=4<http://www.host.com/?news_id=270&zone_id=4>OR 1 it displays every news, when I'm doing news_id=270 AND 0 it displays no news. When I'm doing news_id=270 THISISATEST it displays a mysql error. So it's definitely injectable and that's not a "rare" type of injection. Now I would like to learn to use sqlmap to find these injections and how to use it but when I'm doing this : sqlmap.exe -u "http://www.host.com/news.php?news_id=270&zone_id=4<http://www.siig.fr/fr/consnews2.php?news_id=270&zone_id=4>" -v 1 It says that both news_id and zone_id aren't injectables ! I tried using the -p parameter like that : -p zone_id but it doesn't change anything. I don't think that sqlmap can't detect such basic injections, so could you tell me what are the proper parameters to detect something simple like that ? Thanks :) |