[sqlmap-users] Using sqlmap with POST values
From: Chris O. <chr...@gm...> - 2011-01-05 17:34:36
Hi all,

I'm playing with sqlmap and it seems to be working quite well for GET based parameters. However, for POST I'm not sure if it's working. To test sqlmap out, I've downloaded and installed Mutillidae (http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10) and have been looking at the login page. I know that the password field is vulnerable to SQL injection, and have entered the following command to sqlmap:

sqlmap -u "http://localhost/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=foo&password=bar&Submit_button=Submit" --current-user --is-dba --flush-session

This results in the following output:

sqlmap/0.8 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 17:01:17

[17:01:17] [INFO] using 'C:\Program Files\sqlmap-0.8_exe\output\localhost\session' as session file
[17:01:17] [INFO] flushing session file
[17:01:17] [INFO] testing connection to the target url
[17:01:18] [INFO] testing if the url is stable, wait a few seconds
[17:01:21] [INFO] url is stable
[17:01:21] [INFO] testing if POST parameter 'password' is dynamic
[17:01:22] [WARNING] POST parameter 'password' is not dynamic
[17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
[17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
[17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
[17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
[17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[17:01:26] [INFO] testing if GET parameter 'page' is dynamic
[17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
[17:01:29] [INFO] GET parameter 'page' is dynamic
[17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0 parenthesis
[17:01:29] [INFO] testing unescaped numeric injection on GET parameter 'page'
[17:01:30] [INFO] GET parameter 'page' is not unescaped numeric injectable
[17:01:30] [INFO] testing single quoted string injection on GET parameter 'page'
[17:01:31] [INFO] GET parameter 'page' is not single quoted string injectable
[17:01:31] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
[17:01:32] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
[17:01:32] [INFO] testing double quoted string injection on GET parameter 'page'
[17:01:34] [INFO] GET parameter 'page' is not double quoted string injectable
[17:01:34] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
[17:01:35] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
[17:01:35] [INFO] GET parameter 'page' is not injectable with 0 parenthesis
[17:01:35] [INFO] testing sql injection on GET parameter 'page' with 1 parenthesis
[17:01:35] [INFO] testing unescaped numeric injection on GET parameter 'page'
[17:01:36] [INFO] GET parameter 'page' is not unescaped numeric injectable
[17:01:36] [INFO] testing single quoted string injection on GET parameter 'page'
[17:01:37] [INFO] GET parameter 'page' is not single quoted string injectable
[17:01:37] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
[17:01:38] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
[17:01:38] [INFO] testing double quoted string injection on GET parameter 'page'
[17:01:39] [INFO] GET parameter 'page' is not double quoted string injectable
[17:01:39] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
[17:01:40] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
[17:01:40] [INFO] GET parameter 'page' is not injectable with 1 parenthesis
[17:01:40] [INFO] testing sql injection on GET parameter 'page' with 2 parenthesis
[17:01:40] [INFO] testing unescaped numeric injection on GET parameter 'page'
[17:01:41] [INFO] GET parameter 'page' is not unescaped numeric injectable
[17:01:41] [INFO] testing single quoted string injection on GET parameter 'page'
[17:01:42] [INFO] GET parameter 'page' is not single quoted string injectable
[17:01:42] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
[17:01:43] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
[17:01:43] [INFO] testing double quoted string injection on GET parameter 'page'
[17:01:44] [INFO] GET parameter 'page' is not double quoted string injectable
[17:01:44] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
[17:01:45] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
[17:01:45] [INFO] GET parameter 'page' is not injectable with 2 parenthesis
[17:01:45] [INFO] testing sql injection on GET parameter 'page' with 3 parenthesis
[17:01:45] [INFO] testing unescaped numeric injection on GET parameter 'page'
[17:01:46] [INFO] GET parameter 'page' is not unescaped numeric injectable
[17:01:46] [INFO] testing single quoted string injection on GET parameter 'page'
[17:01:47] [INFO] GET parameter 'page' is not single quoted string injectable
[17:01:47] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
[17:01:49] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
[17:01:49] [INFO] testing double quoted string injection on GET parameter 'page'
[17:01:50] [INFO] GET parameter 'page' is not double quoted string injectable
[17:01:50] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
[17:01:51] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
[17:01:51] [INFO] GET parameter 'page' is not injectable with 3 parenthesis
[17:01:51] [WARNING] GET parameter 'page' is not injectable

[*] shutting down at: 17:01:51

I've used this page with an interception proxy and these three POST values are the only ones that are sent.

Does anyone have any idea where I'm going wrong with sqlmap with regard to using it with vulnerable POST values? I've managed to enumerate databases with vulnerable ?id=x type GET parameters but not this.

Thanks in advance!

Chris