[sqlmap-users] "parameter is not dynamic" / "all parameters are not injectable" error
From: ts2112 <ts...@go...> - 2010-10-05 13:45:40
Hi!

I used the publicly available mutillidae test application to test sqlmap. Whatever I do I get the response "all parameters are not injectable", although this is definitely not the case, as a burp trace shows.

Example:

=====
Command:

$ ./sqlmap.py -u "http://was.sntest.sn/mutillidae/index.php?page=login.php" --data="user_name=test&password=1234&Submit_button=Submit" --method=POST -v 0 --tables --flush-session -p password --proxy "http://localhost:15000"

=====
Result 0.9 (similar with 0.8):

>>>>
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 15:26:01

[15:26:05] [CRITICAL] all parameters are not injectable

[*] shutting down at: 15:26:05
<<<<

=====
Among the 38 requests that burp shows are these 2:

>>>>
1. Request
--------------
POST /mutillidae/index.php?page=login.php HTTP/1.1
...
<headers>

user_name=test&password=1234%29%29%29%20AND%20%28%28%283304=3305&Submit_button=Submit

1. Response (no SQL-Injection evidence)
--------------
HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 13:26:04 GMT
Server: Apache/2.2.12 (Win32) DAV/2 mod_python/3.3.1 Python/2.5.4 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_jk/1.2.28 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.3.0
Content-Length: 5091
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<meta content="text/html; charset=us-ascii" http-equiv="content-type">
<link rel="shortcut icon" href="favicon.ico" type="image/x-icon" />
</head>
<body>
<table border="0" width="100%" cellspacing="0" cellpadding="0">
<tr><td bgcolor="#88ff88"align="center" colspan="2">
<table width="100%">
<td valign="top"><a href="index.php"><img border="0" align="top" src="images/coykillericon.png"></a><br>Version 1.3</td>
<td align="center" valign="top"><h1><b>Mutillidae: Hack, Learn, Secure, Have Fun!!!</b></h1>
<font color="#ff0000">Not logged in</font>
...

2. Request
------------------
POST /mutillidae/index.php?page=login.php HTTP/1.1
...
<Headers>

user_name=test&password=1234%27%29%29%29%20AND%20%28%28%28%27xUjr%27=%27xUjr&Submit_button=Submit

2. Response (evidence of SQL-Injection)
------------------
HTTP/1.1 200 OK
Date: Tue, 05 Oct 2010 13:26:04 GMT
Server: Apache/2.2.12 (Win32) DAV/2 mod_python/3.3.1 Python/2.5.4 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_jk/1.2.28 mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.3.0
Content-Length: 359
Connection: close
Content-Type: text/html

Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))) AND ((('xUjr'='xUjr'' at line 1<p><b>SQL Statement:</b>SELECT * FROM accounts WHERE username='test' AND password='1234'))) AND ((('xUjr'='xUjr'
<<<<

To my understanding, by the difference of those responses and the pattern in the second, sqlmap should recognize that there *is* an SQL Injection.

Thank you!
Thomas
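
The two signals the post points to (a DBMS error string in the body and a large difference from the normal page) can be checked directly against the captured responses. This is an added example, not part of the original post and not sqlmap's own detection code; `analyze` and the constant names are hypothetical, and `RESP_1` is an abridged copy of the first response body.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import unquote

# MySQL syntax-error text as it appears in response 2 of the post.
MYSQL_ERROR = re.compile(r"You have an error in your SQL syntax.*?near '(.*)' at line \d+", re.S)
# The application's debug output also echoes the full statement.
LEAKED_STMT = re.compile(r"<b>SQL Statement:</b>(.*)", re.S)

# Response bodies taken from the post; RESP_1 is abridged (the post elides it with "...").
RESP_1 = ('<html> <body> <h1><b>Mutillidae: Hack, Learn, Secure, Have Fun!!!</b></h1> '
          '<font color="#ff0000">Not logged in</font>')
RESP_2 = ('Did you <a href="setupreset.php">setup/reset the DB</a>? <p><b>SQL Error:</b>'
          "You have an error in your SQL syntax; check the manual that corresponds to your "
          "MySQL server version for the right syntax to use near "
          "'))) AND ((('xUjr'='xUjr'' at line 1<p><b>SQL Statement:</b>"
          "SELECT * FROM accounts WHERE username='test' AND password='1234'))) AND ((('xUjr'='xUjr'")

# URL-encoded password values from requests 1 and 2 in the post.
VALUE_1 = "1234%29%29%29%20AND%20%28%28%283304=3305"
VALUE_2 = "1234%27%29%29%29%20AND%20%28%28%28%27xUjr%27=%27xUjr"


def analyze(baseline: str, probe: str, sent_value: str) -> dict:
    """Compare a probe response with a baseline and look for leaked DBMS errors."""
    payload = unquote(sent_value)
    err = MYSQL_ERROR.search(probe)
    stmt = LEAKED_STMT.search(probe)
    return {
        "dbms_error": err is not None,
        # Fragment MySQL reports after "near": where parsing broke.
        "near_fragment": err.group(1) if err else None,
        # True when the decoded value appears verbatim inside the echoed statement,
        # i.e. the quote in the input reached the query unescaped.
        "payload_in_statement": bool(stmt and payload in stmt.group(1)),
        "similarity": round(SequenceMatcher(None, baseline, probe).ratio(), 2),
    }


if __name__ == "__main__":
    print(analyze(RESP_1, RESP_1, VALUE_1))
    print(analyze(RESP_1, RESP_2, VALUE_2))
```

The same check is useful on the application side: any response that matches `MYSQL_ERROR` or `LEAKED_STMT` means verbose database errors are reaching the client and should be turned off.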