[sqlmap-users] Dynamic parameter
From: Wu, M. <Mic...@FM...> - 2010-03-08 23:16:53
Hi,

I'm just starting with SQLMap. I have an app that has known SQL inject vulnerabilities.

http://www.badstore.net/

Here is the url after the application is installed and configured.

http://192.168.56.104/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=0&y=0

The searchquery parameter is known to have SQL injection vulnerabilities (confirmed manually as follows),

http://192.168.56.104/cgi-bin/badstore.cgi?searchquery=Money%27&action=search&x=0&y=0

DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Money'' IN (itemnum,sdesc,ldesc)' at line 1 at /usr/local/apache/cgi-bin/badstore.cgi line 207.

but SQL map 0.7 and 0.8-dev consistently report that this parameter is not "dynamic". Could someone help please?

SQL map output

GET http://192.168.56.104:80/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=19&y=12
do you want to test this url? [Y/n/q]
> Y
[17:33:16] [INFO] testing url http://192.168.56.104:80/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=19&y=12
[17:33:16] [INFO] testing connection to the target url
[17:33:16] [INFO] testing if the url is stable, wait a few seconds
[17:33:18] [INFO] url is stable
...
[17:33:21] [INFO] testing if GET parameter 'x' is dynamic
[17:33:21] [WARNING] GET parameter 'x' is not dynamic
[17:33:21] [INFO] testing if GET parameter 'searchquery' is dynamic
[17:33:21] [WARNING] GET parameter 'searchquery' is not dynamic
[17:33:21] [INFO] testing if GET parameter 'y' is dynamic
[17:33:21] [WARNING] GET parameter 'y' is not dynamic

Regards
Michael