Re: [sqlmap-users] [WARNING] GET parameter 'id' is not dynamic
From: Ryan D. <rya...@gm...> - 2010-02-23 00:42:26
Ok, the cookies now seem to be being sent; however, sqlmap is still
reporting that it is uninjectable.

The working command is:

#./sqlmap.py -u "http://127.0.0.1/dvwa_svn/vulnerabilities/sqli/?id=1" --cookie="security=low; PHPSESSID=25e295bd67654538970df074f7083d2d" -p id -v 3

I have checked and double checked the cookie values.

On 23 February 2010 00:21, Ryan Dewhurst <rya...@gm...> wrote:
> I removed the ; from the command and it seemed to test the id
> parameter; however, it is saying it is not injectable when it clearly
> is.
>
> I am running MySQL5. The one pre installed in Backtrack 4 Final by default.
>
> Thank you.
>
> On 23 February 2010 00:17, Ryan Dewhurst <rya...@gm...> wrote:
>> When I add the -p flag I get the following error:
>>
>> bash: -p: command not found
>>
>> Because it is interpreting the flag as a separate command. It must be
>> my cookie syntax which is incorrect. It is possibly ending the sqlmap
>> command after the ;
>>
>> Does anyone know if I am using the correct syntax for the cookies?
>>
>> Thanks again!
>>
>> On 23 February 2010 00:12, Patrick Webster <pa...@au...> wrote:
>>> try adding
>>>
>>> -p id
>>>
>>> to force it to test id
>>>
>>> -Patrick
>>>
>>> On Tue, Feb 23, 2010 at 11:09 AM, Ryan Dewhurst <rya...@gm...> wrote:
>>>> Hi,
>>>> Trying to get sqlmap to run against DVWA's SQL injection page. DVWA
>>>> has a normal PHP login form which when logged in sets the following
>>>> cookies:
>>>>
>>>> Cookies: security=low; PHPSESSID=25e295bd67654538970df074f7083d2d
>>>>
>>>> Here is the command and error I am receiving, any help appreciated.
>>>>
>>>> ------------------------------------------------------------------------------------------------------
>>>> #./sqlmap.py -u "http://127.0.0.1/dvwa_svn/vulnerabilities/sqli/?id=1"
>>>> --cookie=security=low; PHPSESSID=25e295bd67654538970df074f7083d2d
>>>>
>>>> sqlmap/0.8-rc4
>>>> by Bernardo Damele A. G. <ber...@gm...>
>>>>
>>>> [*] starting at: 00:03:28
>>>>
>>>> [00:03:28] [INFO] using
>>>> '/pentest/database/sqlmap/output/127.0.0.1/session' as session file
>>>> [00:03:28] [INFO] resuming match ratio '0.998' from session file
>>>> [00:03:28] [INFO] testing connection to the target url
>>>> you provided an HTTP Cookie header value. The target url provided its
>>>> own Cookie within the HTTP Set-Cookie header. Do you want to continue
>>>> using the HTTP Cookie values that you provided? [Y/n] y
>>>> [00:03:41] [INFO] testing if the url is stable, wait a few seconds
>>>> [00:03:42] [INFO] url is stable
>>>> [00:03:42] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>>>> [00:03:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>>>> [00:03:42] [INFO] testing if Cookie parameter 'security' is dynamic
>>>> [00:03:42] [WARNING] Cookie parameter 'security' is not dynamic
>>>> [00:03:42] [INFO] testing if GET parameter 'id' is dynamic
>>>> [00:03:43] [WARNING] GET parameter 'id' is not dynamic
>>>>
>>>> [*] shutting down at: 00:03:43
>>>> ---------------------------------------------------------------------------------------------------------------------
>>>>
>>>> Thank you,
>>>> Ryan
>>>>
>>>> --
>>>> Ryan Dewhurst
>>>>
>>>> http://www.ethicalhack3r.co.uk
>>>> http://www.dvwa.co.uk
>>>> http://www.twitter.com/ethicalhack3r
>>>>
>>>
>>
>> --
>> Ryan Dewhurst
>>
>> http://www.ethicalhack3r.co.uk
>> http://www.dvwa.co.uk
>> http://www.twitter.com/ethicalhack3r
>>
>
> --
> Ryan Dewhurst
>
> http://www.ethicalhack3r.co.uk
> http://www.dvwa.co.uk
> http://www.twitter.com/ethicalhack3r
>

--
Ryan Dewhurst

http://www.ethicalhack3r.co.uk
http://www.dvwa.co.uk
http://www.twitter.com/ethicalhack3r
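
The shell behaviour this thread runs into, as an added example that is not part of the original messages: an unquoted `;` inside `--cookie=` ends the command, so only `security=low` reaches the program and `PHPSESSID=...` runs as a separate shell statement, which matches the log testing only the Cookie parameter 'security' and the `bash: -p: command not found` error once `-p id` is appended. `cookie_seen` is a hypothetical stand-in for sqlmap.py, and the URL and session id are constructed values.

```shell
#!/bin/sh
# Added illustration. cookie_seen is a hypothetical stand-in for sqlmap.py:
# it records the value of the --cookie option it actually receives.
cookie_seen() {
    SEEN=
    for arg in "$@"; do
        case "$arg" in
            --cookie=*) SEEN=${arg#--cookie=} ;;
        esac
    done
}

SID=0123456789abcdef0123456789abcdef   # constructed session id
URL='http://127.0.0.1/app/?id=1'       # constructed local URL

# Unquoted: the shell ends the command at ';' and then runs
# "PHPSESSID=..." as a plain shell variable assignment.
run_unquoted() {
    unset PHPSESSID
    eval "cookie_seen -u '$URL' --cookie=security=low; PHPSESSID=$SID"
    printf 'sent=[%s] shell_var=[%s]\n' "$SEEN" "${PHPSESSID:-}"
}

# Unquoted with "-p id" appended: the second statement becomes
# "PHPSESSID=... -p id", i.e. run a program named "-p" (exit status 127).
run_unquoted_with_p() {
    unset PHPSESSID
    status=0
    eval "cookie_seen -u '$URL' --cookie=security=low; PHPSESSID=$SID -p id" 2>/dev/null || status=$?
    printf 'sent=[%s] second_command_status=%s\n' "$SEEN" "$status"
}

# Quoted: the whole cookie string, ';' included, is one argument.
run_quoted() {
    unset PHPSESSID
    eval "cookie_seen -u '$URL' --cookie=\"security=low; PHPSESSID=$SID\" -p id"
    printf 'sent=[%s] shell_var=[%s]\n' "$SEEN" "${PHPSESSID:-}"
}

run_unquoted
run_unquoted_with_p
run_quoted
```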