Re: [sqlmap-users] forcing sqlmap to detect a vulnerability
Brought to you by:
inquisb
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-22 09:48:45
|
The problem is that by (wrong) design, sqlmap checks only for boolean-based blind SQL injection at first place. It assumes that if the parameter is not vulnerable by this specific type of SQL injection, then it's not by any, included inband. This assumpting is obviously wrong and as I wrote few times recently, the weak part of sqlmap is as of today the detection. This will be totally rewritten as soon as possible. In the meanwhile you can hack around the source code if you want. Cheers, Bernardo On Tue, Dec 22, 2009 at 07:22, Adi Mutu <adi...@ya...> wrote: > > Hello, > > I have found manually an inband vulnerability which uses ms-sql as a db > server, however sqlmap is unable to detect it. I've tried creating a log > file (similar to the one created with -s option by sqlmap), I have filled > all the data I thought necessary hand, so that sqlmap can read it from > there......however this doesn't work also and sqlmap goes blind....Any idea > why? Or can you show me the correct syntax of this log file? > > Thanks, > ps: of course making sqlmap detect the vuln. in the first place, would be > perfect;).... > > > > ------------------------------------------------------------------------------ > This SF.Net email is sponsored by the Verizon Developer Community > Take advantage of Verizon's best-in-class app development support > A streamlined, 14 day to market process makes app distribution fast and easy > Join now and get one step closer to millions of Verizon customers > http://p.sf.net/sfu/verizon-dev2dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) PGP Key ID: 0x05F5A30F |