Re: [sqlmap-users] [WARNING] GET parameter 'id' is not dynamic
From: Miroslav S. <mir...@gm...> - 2010-02-23 09:12:46
Hi.

There was a bug with sqlmap when proxy was set (http_proxy environment variable on lnx) and sqlmap was run against the 127.0.0.1/localhost addresses. Same thing was happening to me too. Maybe this is not the same, but I would recommend you to get the latest development version from the official pages (svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap/) and take a shot.

Kind regards.

On Tue, Feb 23, 2010 at 1:33 AM, Ryan Dewhurst <rya...@gm...> wrote:

> Ok, the cookies now seem to be being sent however sqlmap is still
> reporting that it is uninjectable. The working command is:
>
> #./sqlmap.py -u "http://127.0.0.1/dvwa_svn/vulnerabilities/sqli/?id=1" --cookie="security=low; PHPSESSID=25e295bd67654538970df074f7083d2d" -p id -v 3
>
> I have checked and double checked the cookie values.
>
> On 23 February 2010 00:21, Ryan Dewhurst <rya...@gm...> wrote:
> > I removed the ; from the command and it seemed to test the id
> > parameter however it is saying it is not injectable when it clearly
> > is.
> >
> > I am running MySQL5. The one pre installed in Backtrack 4 Final by default.
> >
> > Thank you.
> >
> > On 23 February 2010 00:17, Ryan Dewhurst <rya...@gm...> wrote:
> >> When I add the -p flag I get the following error:
> >>
> >> bash: -p: command not found
> >>
> >> Because it is interpreting the flag as a separate command. It must be
> >> my cookie syntax which is incorrect. It is possibly ending the sqlmap
> >> command after the ;
> >>
> >> Does anyone know if I am using the correct syntax for the cookies?
> >>
> >> Thanks again!
> >>
> >> On 23 February 2010 00:12, Patrick Webster <pa...@au...> wrote:
> >>> try adding
> >>>
> >>> -p id
> >>>
> >>> to force it to test id
> >>>
> >>> -Patrick
> >>>
> >>> On Tue, Feb 23, 2010 at 11:09 AM, Ryan Dewhurst <rya...@gm...> wrote:
> >>>> Hi,
> >>>> Trying to get sqlmap to run against DVWA's SQL injection page. DVWA
> >>>> has a normal PHP login form which when logged in sets the following
> >>>> cookies:
> >>>>
> >>>> Cookies: security=low; PHPSESSID=25e295bd67654538970df074f7083d2d
> >>>>
> >>>> Here is the command and error I am receiving, any help appreciated.
> >>>>
> >>>> ------------------------------------------------------------
> >>>> #./sqlmap.py -u "http://127.0.0.1/dvwa_svn/vulnerabilities/sqli/?id=1" --cookie=security=low; PHPSESSID=25e295bd67654538970df074f7083d2d
> >>>>
> >>>> sqlmap/0.8-rc4
> >>>> by Bernardo Damele A. G. <ber...@gm...>
> >>>>
> >>>> [*] starting at: 00:03:28
> >>>>
> >>>> [00:03:28] [INFO] using '/pentest/database/sqlmap/output/127.0.0.1/session' as session file
> >>>> [00:03:28] [INFO] resuming match ratio '0.998' from session file
> >>>> [00:03:28] [INFO] testing connection to the target url
> >>>> you provided an HTTP Cookie header value. The target url provided its
> >>>> own Cookie within the HTTP Set-Cookie header. Do you want to continue
> >>>> using the HTTP Cookie values that you provided? [Y/n] y
> >>>> [00:03:41] [INFO] testing if the url is stable, wait a few seconds
> >>>> [00:03:42] [INFO] url is stable
> >>>> [00:03:42] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> >>>> [00:03:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> >>>> [00:03:42] [INFO] testing if Cookie parameter 'security' is dynamic
> >>>> [00:03:42] [WARNING] Cookie parameter 'security' is not dynamic
> >>>> [00:03:42] [INFO] testing if GET parameter 'id' is dynamic
> >>>> [00:03:43] [WARNING] GET parameter 'id' is not dynamic
> >>>>
> >>>> [*] shutting down at: 00:03:43
> >>>> ------------------------------------------------------------
> >>>>
> >>>> Thank you,
> >>>> Ryan
> >>>>
> >>>> --
> >>>> Ryan Dewhurst
> >>>>
> >>>> http://www.ethicalhack3r.co.uk
> >>>> http://www.dvwa.co.uk
> >>>> http://www.twitter.com/ethicalhack3r

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
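
The two command-line pitfalls in this thread, reproduced as an added example that is not part of the original messages: an unquoted `;` in the cookie value ends the command early, and a proxy variable can apply to a loopback target. The `sqlmap.py` here is a constructed stub that only echoes the `--cookie` value it receives, and `cookie_seen`, `parse_status` and `proxy_hits_loopback` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed stand-in for sqlmap.py: prints only the --cookie value it was given.
workdir=$(mktemp -d)
cat > "$workdir/sqlmap.py" <<'EOF'
#!/bin/sh
for arg in "$@"; do
  case "$arg" in --cookie=*) printf '%s\n' "${arg#--cookie=}" ;; esac
done
EOF
chmod +x "$workdir/sqlmap.py"

URL='http://127.0.0.1/dvwa_svn/vulnerabilities/sqli/?id=1'
COOKIE='security=low; PHPSESSID=25e295bd67654538970df074f7083d2d'

# Run a command line through the shell parser; print the cookie the stub received.
cookie_seen() { (cd "$workdir" && sh -c "$1" 2>/dev/null) | head -n 1; }

# Same command line, but return the shell's exit status (127 = command not found).
parse_status() { (cd "$workdir" && sh -c "$1" >/dev/null 2>&1); }

# The unquoted form splits at ';' so '-p' is looked up as a command name.
UNQUOTED="./sqlmap.py -u \"$URL\" --cookie=$COOKIE -p id"
QUOTED="./sqlmap.py -u \"$URL\" --cookie=\"$COOKIE\" -p id"

# True when a proxy variable is set and the target host is loopback,
# the combination the reply in this thread associates with the bug.
proxy_hits_loopback() {
  [ -n "${http_proxy:-}${HTTP_PROXY:-}" ] || return 1
  host=${1#*://}; host=${host%%[:/]*}
  case "$host" in 127.*|localhost) return 0 ;; *) return 1 ;; esac
}

echo "unquoted cookie: $(cookie_seen "$UNQUOTED")"
echo "quoted cookie:   $(cookie_seen "$QUOTED")"
parse_status "$UNQUOTED" || echo "unquoted exit status: $?"
if proxy_hits_loopback "$URL"; then
  echo "proxy variable set for a loopback target; unset it before the run"
fi
```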