Re: [sqlmap-users] Basic injection not working... Help.
From: Bernardo D. A. G. <ber...@gm...> - 2009-09-17 16:44:20
Hi Tristan,

First of all, are you allowed to test that url?

If you are, could you please try manually by injecting AND 3=3 to the news_id parameter first and AND 3=4 later and see if the result is as expected.

During the detection phase, sqlmap tries to identify injectable parameters only via AND, never via OR, for a few reasons highlighted some months back on this mailing list. This is the reason why, for the moment, sqlmap does not detect zone_id as an injectable parameter.

Also, try to provide sqlmap with a string (--string option) or a regular expression (Python compliant) to match on; refer to the user's manual for details.

Cheers,
Bernardo

On Thu, Sep 17, 2009 at 17:04, Tristan Foureur <tri...@gm...> wrote:
> ...
> It says that both news_id and zone_id aren't injectable! I tried using the
> -p parameter like that: -p zone_id but it doesn't change anything.
>
> I don't think that sqlmap can't detect such basic injections, so could you
> tell me what are the proper parameters to detect something simple like that,
> and then how to exploit it ?

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
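Added example, not part of the original message and not sqlmap code: the AND 3=3 / AND 3=4 comparison described above, run against a constructed in-memory SQLite table, with a concatenated query beside its parameterized form. The table contents, function names and the marker string (standing in for what --string would match) are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; only the news_id name comes from the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (news_id INTEGER, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "Launch day"), (2, "Maintenance window")])
    return db

def render(rows):
    # Stand-in for the HTML page the application would return.
    return " | ".join(r[0] for r in rows) or "no news"

def page_concatenated(db, news_id):
    # Weak form: the request value becomes part of the SQL text.
    sql = "SELECT title FROM news WHERE news_id = " + news_id
    try:
        return render(db.execute(sql).fetchall())
    except sqlite3.Error:
        return "error"

def page_parameterized(db, news_id):
    # Corrected form: the value is bound, never parsed as SQL.
    sql = "SELECT title FROM news WHERE news_id = ?"
    return render(db.execute(sql, (news_id,)).fetchall())

def and_check(page, db, value, marker):
    # The page reacts to injected logic when the marker survives an
    # always-true condition and disappears under an always-false one.
    baseline = marker in page(db, value)
    with_true = marker in page(db, value + " AND 3=3")
    with_false = marker in page(db, value + " AND 3=4")
    return baseline and with_true and not with_false

if __name__ == "__main__":
    db = make_db()
    for page in (page_concatenated, page_parameterized):
        print(page.__name__, and_check(page, db, "1", "Launch day"))
```

With the bound parameter, both appended conditions are compared as a single text value against news_id, so neither returns the row and the check reports no difference between them.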