Re: [sqlmap-users] Using sqlmap with POST values
From: Miroslav S. <mir...@gm...> - 2011-01-06 08:06:16
Hi Chris.

Have you tried with the latest development version from our SVN repository?

kr

On Wed, Jan 5, 2011 at 6:22 PM, Chris Oakley <chr...@gm...> wrote:

> Hi all
>
> I'm playing with sqlmap and it seems to be working quite well for GET based
> parameters. However, for POST I'm not sure if it's working. To test sqlmap
> out, I've downloaded and installed Mutillidae
> (http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10)
> and have been looking at the login page. I know that the password field is
> vulnerable to SQL injection, and have entered the following command to
> sqlmap:
>
> sqlmap -u "http://localhost/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=foo&password=bar&Submit_button=Submit" --current-user --is-dba --flush-session
>
> This results in the following output:
>
> sqlmap/0.8 - automatic SQL injection and database takeover tool
> http://sqlmap.sourceforge.net
>
> [*] starting at: 17:01:17
>
> [17:01:17] [INFO] using 'C:\Program Files\sqlmap-0.8_exe\output\localhost\session' as session file
> [17:01:17] [INFO] flushing session file
> [17:01:17] [INFO] testing connection to the target url
> [17:01:18] [INFO] testing if the url is stable, wait a few seconds
> [17:01:21] [INFO] url is stable
> [17:01:21] [INFO] testing if POST parameter 'password' is dynamic
> [17:01:22] [WARNING] POST parameter 'password' is not dynamic
> [17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
> [17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
> [17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
> [17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
> [17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
> [17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
> [17:01:26] [INFO] testing if GET parameter 'page' is dynamic
> [17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
> [17:01:29] [INFO] GET parameter 'page' is dynamic
> [17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0 parenthesis
> [17:01:29] [INFO] testing unescaped numeric injection on GET parameter 'page'
> [17:01:30] [INFO] GET parameter 'page' is not unescaped numeric injectable
> [17:01:30] [INFO] testing single quoted string injection on GET parameter 'page'
> [17:01:31] [INFO] GET parameter 'page' is not single quoted string injectable
> [17:01:31] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
> [17:01:32] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
> [17:01:32] [INFO] testing double quoted string injection on GET parameter 'page'
> [17:01:34] [INFO] GET parameter 'page' is not double quoted string injectable
> [17:01:34] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
> [17:01:35] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
> [17:01:35] [INFO] GET parameter 'page' is not injectable with 0 parenthesis
> [17:01:35] [INFO] testing sql injection on GET parameter 'page' with 1 parenthesis
> [17:01:35] [INFO] testing unescaped numeric injection on GET parameter 'page'
> [17:01:36] [INFO] GET parameter 'page' is not unescaped numeric injectable
> [17:01:36] [INFO] testing single quoted string injection on GET parameter 'page'
> [17:01:37] [INFO] GET parameter 'page' is not single quoted string injectable
> [17:01:37] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
> [17:01:38] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
> [17:01:38] [INFO] testing double quoted string injection on GET parameter 'page'
> [17:01:39] [INFO] GET parameter 'page' is not double quoted string injectable
> [17:01:39] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
> [17:01:40] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
> [17:01:40] [INFO] GET parameter 'page' is not injectable with 1 parenthesis
> [17:01:40] [INFO] testing sql injection on GET parameter 'page' with 2 parenthesis
> [17:01:40] [INFO] testing unescaped numeric injection on GET parameter 'page'
> [17:01:41] [INFO] GET parameter 'page' is not unescaped numeric injectable
> [17:01:41] [INFO] testing single quoted string injection on GET parameter 'page'
> [17:01:42] [INFO] GET parameter 'page' is not single quoted string injectable
> [17:01:42] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
> [17:01:43] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
> [17:01:43] [INFO] testing double quoted string injection on GET parameter 'page'
> [17:01:44] [INFO] GET parameter 'page' is not double quoted string injectable
> [17:01:44] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
> [17:01:45] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
> [17:01:45] [INFO] GET parameter 'page' is not injectable with 2 parenthesis
> [17:01:45] [INFO] testing sql injection on GET parameter 'page' with 3 parenthesis
> [17:01:45] [INFO] testing unescaped numeric injection on GET parameter 'page'
> [17:01:46] [INFO] GET parameter 'page' is not unescaped numeric injectable
> [17:01:46] [INFO] testing single quoted string injection on GET parameter 'page'
> [17:01:47] [INFO] GET parameter 'page' is not single quoted string injectable
> [17:01:47] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
> [17:01:49] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
> [17:01:49] [INFO] testing double quoted string injection on GET parameter 'page'
> [17:01:50] [INFO] GET parameter 'page' is not double quoted string injectable
> [17:01:50] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
> [17:01:51] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
> [17:01:51] [INFO] GET parameter 'page' is not injectable with 3 parenthesis
> [17:01:51] [WARNING] GET parameter 'page' is not injectable
>
> [*] shutting down at: 17:01:51
>
> I've used this page with an interception proxy and these three POST values
> are the only ones that are sent.
>
> Does anyone have any idea where I'm going wrong with sqlmap with regards to
> using it with vulnerable POST values? I've managed to enumerate databases
> with vulnerable ?id=x type GET parameters but not this.
>
> Thanks in advance!
>
> Chris

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia