Re: [sqlmap-users] Blind SQL Injection
From: Pagera <pag...@gm...> - 2010-03-26 14:32:45
Hello, it didn't work.

What I'm trying to do is sqlmap -u "http://example.com/images.php?id=10" --string="id"

The URL is vulnerable because when I use the browser with http://example.com/images.php?id=10 and 1=2 I'm able to see the MySQL error, and I tried so many functions like version() and it works.

I also used http://example.com/images.php?id=10 union select 1,2,3,group_concat(table_name),5,6,7 from information_schema.tables and I got the table names, but when using sqlmap there is nothing; it acts like the URL is not vulnerable.

I also used --prefix="id" --postfix="1=1" and also nothing.

David Guimaraes wrote:
> Try passing --string parameter to sqlmap.
>
> --string=STRING String to match in page when the query is valid
>
> On Thu, Mar 25, 2010 at 6:18 PM, Pagera <pag...@gm...> wrote:
>
> > Hello and hope fine,
> > thanks Bernardo for the DirBuster.
> >
> > A question about blind SQL injection:
> > does SQLMap support this mode?
> >
> > I used --UNION-USE but it failed. I have a vulnerable URL;
> > I'm able to view all database information by manipulating the HTTP URL,
> > like "version()", etc.,
> > but when I'm using SQLMap the result is that this URL is not
> > vulnerable!!!
> >
> > I'm wondering if it's because of not supporting blind mode?
> >
> > And thanks for the help.
>
> --
> David Gomes Guimarães