Re: [sqlmap-users] Problem with sqlmap
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-04 00:33:57
Hi Tim,

What is the URL you provided sqlmap with?
Did you manually confirm that the page content differs when true and false conditions are injected for the zahl2 parameter?

Cheers,
Bernardo

On Tue, Nov 17, 2009 at 11:03, Tim Jordans <ma...@ti...> wrote:
> Hello,
> my name is Tim Jordans.
>
> First of all, I have tested sqlmap and thanks for the tool.
>
> I stumbled upon a problem. In the following PHP script sqlmap did not
> find any injection:
>
> mysql_query('SELECT * FROM tb_apotheke WHERE AID="'.
> mysql_real_escape_string($_REQUEST['zahl1']).'" OR AID='.
> $_REQUEST['zahl2'].' OR AID="'.
> mysql_real_escape_string($_REQUEST['zahl3']).'"'
> );
>
> Although the middle parameter is not escaped, sqlmap can't inject. I was
> wondering if the statement is not insecure or is this not part of the
> sqlmap testing routine.
>
> I hope that someone could help me with this problem.
>
> greetings
> tim jordans

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
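The manual check asked about above (does the response differ between a true and a false condition in zahl2?), shown for the quoted query shape beside a hardened form. This is an added example, not code from the thread or from sqlmap; it assumes SQLite as a stand-in for the MySQL backend, and the table rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample rows; SQLite stands in for the MySQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tb_apotheke (AID INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO tb_apotheke VALUES (?, ?)",
                   [(1, "Adler"), (2, "Baeren"), (3, "Central")])
    return db


def lookup_concatenated(db, zahl1, zahl2, zahl3):
    # Mirrors the quoted script: zahl1/zahl3 are neutralised (bound here,
    # escaped inside quotes there), zahl2 is pasted in as a bare numeric
    # token, so string escaping never applies to it.
    sql = ("SELECT AID FROM tb_apotheke WHERE AID = ? OR AID = "
           + zahl2 + " OR AID = ?")
    return sorted(r[0] for r in db.execute(sql, (zahl1, zahl3)))


def lookup_bound(db, zahl1, zahl2, zahl3):
    # Hardened form: zahl2 must parse as an integer and is bound as a
    # parameter like the other two values.
    try:
        zahl2 = int(zahl2)
    except ValueError:
        return []
    sql = "SELECT AID FROM tb_apotheke WHERE AID = ? OR AID = ? OR AID = ?"
    return sorted(r[0] for r in db.execute(sql, (zahl1, zahl2, zahl3)))


def responses_differ(lookup, db):
    # Same request twice, once with a true and once with a false condition
    # in zahl2; a difference in the result means zahl2 reaches the SQL parser.
    true_rows = lookup(db, "0", "0 OR 1=1", "0")
    false_rows = lookup(db, "0", "0 OR 1=2", "0")
    return true_rows != false_rows


if __name__ == "__main__":
    db = make_db()
    print("concatenated zahl2 differs:", responses_differ(lookup_concatenated, db))
    print("bound zahl2 differs:       ", responses_differ(lookup_bound, db))
```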