Re: [sqlmap-users] Basic injection not working... Help.
From: Kyle A. <ky...@xk...> - 2009-09-17 16:38:46
He may be busted :) But this seems like a bug report really. And how
can one allow a developer to reproduce the bug without providing steps
to reproduce it? I also can't get sqlmap to identify any injectable
variables.

Kyle

On 9/17/09, Erik Nilsson <da...@gm...> wrote:
> LOL!
>
> On Thu, Sep 17, 2009 at 6:10 PM, Ryan Dewhurst <rya...@gm...>
> wrote:
>> Busted!
>>
>> 2009/9/17 Patrick Webster <pa...@au...>:
>>> It is probably not a good idea to attack http://www.siig.fr
>>>
>>> -Patrick
>>>
>>> On Fri, Sep 18, 2009 at 2:04 AM, Tristan Foureur <tri...@gm...>
>>> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I don't know why but a really really basic injection is not detected.
>>>> The URL is like www.host.com?news_id=270&zone_id=4 and when I'm doing
>>>>
>>>> www.host.com?news_id=270&zone_id=4 OR 1 it displays every news, when
>>>> I'm doing news_id=270 AND 0 it displays no news. When I'm doing
>>>> news_id=270 THISISATEST it displays a MySQL error.
>>>>
>>>> So it's definitely injectable and that's not a "rare" type of injection.
>>>>
>>>> Now I would like to learn to use sqlmap to find these injections and
>>>> how to use it but when I'm doing this:
>>>>
>>>> sqlmap.exe -u "http://www.siig.fr/fr/consnews2.php?news_id=270&zone_id=4" -v 1
>>>>
>>>> It says that both news_id and zone_id aren't injectable! I tried using
>>>> the -p parameter like that: -p zone_id but it doesn't change anything.
>>>>
>>>> I don't think that sqlmap can't detect such basic injections, so could
>>>> you tell me what are the proper parameters to detect something simple
>>>> like that, and then how to exploit it?
>>>>
>>>> Thanks :)
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Come build with us! The BlackBerry® Developer Conference in SF, CA
>>>> is the only developer event you need to attend this year. Jumpstart your
>>>> developing skills, take BlackBerry mobile applications to market and
>>>> stay ahead of the curve. Join us from November 9-12, 2009. Register
>>>> now! http://p.sf.net/sfu/devconf
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
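The behaviour reported in the original message (`OR 1` lists everything, `AND 0` lists nothing, a stray word produces a database error) is what an unquoted numeric parameter concatenated into a WHERE clause looks like from the outside. The following is an added example, not part of the thread and not the site's code: it reproduces the three responses and shows the parameterized fix, using Python's `sqlite3` in place of MySQL, with a hypothetical `news` table and constructed rows.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; the table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (news_id INTEGER, zone_id INTEGER, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)",
                   [(270, 4, "first"), (271, 4, "second"), (272, 5, "third")])
    return db

def vulnerable_lookup(db, news_id, zone_id):
    # Request values are pasted unquoted into the SQL text, so whatever
    # follows the number is parsed as part of the WHERE clause.
    sql = ("SELECT title FROM news "
           f"WHERE news_id = {news_id} AND zone_id = {zone_id}")
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"  # error text echoed back, as the thread reports

INTEGER = re.compile(r"[0-9]{1,9}")

def hardened_lookup(db, news_id, zone_id):
    # Accept plain integers only, then bind them as parameters so the
    # values can never change the structure of the statement.
    for value in (news_id, zone_id):
        if not INTEGER.fullmatch(value):
            raise ValueError(f"not an integer: {value!r}")
    rows = db.execute("SELECT title FROM news WHERE news_id = ? AND zone_id = ?",
                      (int(news_id), int(zone_id)))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    # The four request shapes described in the original message.
    cases = [("270", "4"), ("270", "4 OR 1"), ("270 AND 0", "4"),
             ("270 THISISATEST", "4")]
    for news_id, zone_id in cases:
        print(f"news_id={news_id!r} zone_id={zone_id!r}")
        print("  concatenated:", vulnerable_lookup(db, news_id, zone_id))
        try:
            print("  parameterized:", hardened_lookup(db, news_id, zone_id))
        except ValueError as exc:
            print("  parameterized: rejected,", exc)
```

With the hardened lookup the same three inputs are rejected before any SQL is built, and the application no longer returns database error text to the client.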