Re: [sqlmap-users] Using sqlmap with POST values
From: Miroslav S. <mir...@gm...> - 2011-01-06 08:10:56
...also, try to use higher --level and --risk for this kind of situation (login pages)

kr

On Thu, Jan 6, 2011 at 9:06 AM, Miroslav Stampar <mir...@gm...> wrote:

> hi Chris.
>
> have you tried with the latest development version from our SVN repository?
>
> kr
>
> On Wed, Jan 5, 2011 at 6:22 PM, Chris Oakley <chr...@gm...> wrote:
>
>> Hi all
>>
>> I'm playing with sqlmap and it seems to be working quite well for GET
>> based parameters. However, for POST I'm not sure if it's working. To test
>> sqlmap out, I've downloaded and installed Mutillidae
>> (http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10)
>> and have been looking at the login page. I know that the password field is
>> vulnerable to SQL injection, and have entered the following command to
>> sqlmap:
>>
>> sqlmap -u "http://localhost/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=foo&password=bar&Submit_button=Submit" --current-user --is-dba --flush-session
>>
>> This results in the following output:
>>
>> sqlmap/0.8 - automatic SQL injection and database takeover tool
>> http://sqlmap.sourceforge.net
>>
>> [*] starting at: 17:01:17
>>
>> [17:01:17] [INFO] using 'C:\Program Files\sqlmap-0.8_exe\output\localhost\session' as session file
>> [17:01:17] [INFO] flushing session file
>> [17:01:17] [INFO] testing connection to the target url
>> [17:01:18] [INFO] testing if the url is stable, wait a few seconds
>> [17:01:21] [INFO] url is stable
>> [17:01:21] [INFO] testing if POST parameter 'password' is dynamic
>> [17:01:22] [WARNING] POST parameter 'password' is not dynamic
>> [17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
>> [17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
>> [17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
>> [17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
>> [17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>> [17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>> [17:01:26] [INFO] testing if GET parameter 'page' is dynamic
>> [17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
>> [17:01:29] [INFO] GET parameter 'page' is dynamic
>> [17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0 parenthesis
>> [17:01:29] [INFO] testing unescaped numeric injection on GET parameter 'page'
>> [17:01:30] [INFO] GET parameter 'page' is not unescaped numeric injectable
>> [17:01:30] [INFO] testing single quoted string injection on GET parameter 'page'
>> [17:01:31] [INFO] GET parameter 'page' is not single quoted string injectable
>> [17:01:31] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>> [17:01:32] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>> [17:01:32] [INFO] testing double quoted string injection on GET parameter 'page'
>> [17:01:34] [INFO] GET parameter 'page' is not double quoted string injectable
>> [17:01:34] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>> [17:01:35] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>> [17:01:35] [INFO] GET parameter 'page' is not injectable with 0 parenthesis
>> [17:01:35] [INFO] testing sql injection on GET parameter 'page' with 1 parenthesis
>> [17:01:35] [INFO] testing unescaped numeric injection on GET parameter 'page'
>> [17:01:36] [INFO] GET parameter 'page' is not unescaped numeric injectable
>> [17:01:36] [INFO] testing single quoted string injection on GET parameter 'page'
>> [17:01:37] [INFO] GET parameter 'page' is not single quoted string injectable
>> [17:01:37] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>> [17:01:38] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>> [17:01:38] [INFO] testing double quoted string injection on GET parameter 'page'
>> [17:01:39] [INFO] GET parameter 'page' is not double quoted string injectable
>> [17:01:39] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>> [17:01:40] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>> [17:01:40] [INFO] GET parameter 'page' is not injectable with 1 parenthesis
>> [17:01:40] [INFO] testing sql injection on GET parameter 'page' with 2 parenthesis
>> [17:01:40] [INFO] testing unescaped numeric injection on GET parameter 'page'
>> [17:01:41] [INFO] GET parameter 'page' is not unescaped numeric injectable
>> [17:01:41] [INFO] testing single quoted string injection on GET parameter 'page'
>> [17:01:42] [INFO] GET parameter 'page' is not single quoted string injectable
>> [17:01:42] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>> [17:01:43] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>> [17:01:43] [INFO] testing double quoted string injection on GET parameter 'page'
>> [17:01:44] [INFO] GET parameter 'page' is not double quoted string injectable
>> [17:01:44] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>> [17:01:45] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>> [17:01:45] [INFO] GET parameter 'page' is not injectable with 2 parenthesis
>> [17:01:45] [INFO] testing sql injection on GET parameter 'page' with 3 parenthesis
>> [17:01:45] [INFO] testing unescaped numeric injection on GET parameter 'page'
>> [17:01:46] [INFO] GET parameter 'page' is not unescaped numeric injectable
>> [17:01:46] [INFO] testing single quoted string injection on GET parameter 'page'
>> [17:01:47] [INFO] GET parameter 'page' is not single quoted string injectable
>> [17:01:47] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>> [17:01:49] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>> [17:01:49] [INFO] testing double quoted string injection on GET parameter 'page'
>> [17:01:50] [INFO] GET parameter 'page' is not double quoted string injectable
>> [17:01:50] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>> [17:01:51] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>> [17:01:51] [INFO] GET parameter 'page' is not injectable with 3 parenthesis
>> [17:01:51] [WARNING] GET parameter 'page' is not injectable
>>
>> [*] shutting down at: 17:01:51
>>
>> I've used this page with an interception proxy and these three POST values
>> are the only ones that are sent.
>>
>> Does anyone have any idea where I'm going wrong with sqlmap with regards
>> to using it with vulnerable POST values? I've managed to enumerate
>> databases with vulnerable ?id=x type GET parameters but not this.
>>
>> Thanks in advance!
>>
>> Chris

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
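
An added example, not part of the original thread and not sqlmap code: a small parser for log lines in the format Chris quoted, reporting which parameters the run enumerated but never reached with a "testing sql injection on ..." step. The sample lines are constructed from that format, and the names `summarize` and `never_injection_tested` are hypothetical.

```python
import re

# Constructed sample in the format of the sqlmap 0.8 output quoted in the thread
# (mail quote markers are kept on two lines to show they are tolerated).
SAMPLE_LOG = """\
>> [17:01:21] [INFO] testing if POST parameter 'password' is dynamic
>> [17:01:22] [WARNING] POST parameter 'password' is not dynamic
[17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
[17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
[17:01:26] [INFO] testing if GET parameter 'page' is dynamic
[17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
[17:01:29] [INFO] GET parameter 'page' is dynamic
[17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0 parenthesis
[17:01:30] [INFO] GET parameter 'page' is not unescaped numeric injectable
[17:01:51] [WARNING] GET parameter 'page' is not injectable
"""

LINE = re.compile(r"^\[[\d:]+\] \[[A-Z]+\] (.*)$")
# Only the parameter places that appear in the quoted output.
PARAM = re.compile(r"(GET|POST|User-Agent) parameter '([^']+)'")


def summarize(log_text):
    """Map (place, name) -> what the log says happened to that parameter."""
    params = {}
    for raw in log_text.splitlines():
        line = LINE.match(raw.lstrip("> ").strip())  # drop mail quote markers
        hit = PARAM.search(line.group(1)) if line else None
        if not hit:
            continue
        msg = line.group(1)
        entry = params.setdefault(
            hit.groups(), {"dynamic": None, "injection_tested": False, "verdict": None})
        rest = msg[hit.end():].strip()
        if msg.startswith("testing sql injection on"):
            entry["injection_tested"] = True
        elif hit.start() == 0 and rest in ("is dynamic", "is not dynamic"):
            entry["dynamic"] = rest == "is dynamic"  # result line, not "testing if ..."
        elif hit.start() == 0 and rest == "is not injectable":
            entry["verdict"] = "not injectable"  # final per-parameter verdict
    return params


def never_injection_tested(params):
    """Parameters the run enumerated but never ran an injection test against."""
    return [key for key, e in params.items() if not e["injection_tested"]]


if __name__ == "__main__":
    for place, name in never_injection_tested(summarize(SAMPLE_LOG)):
        print(f"{place} parameter '{name}': no injection test in this log")
```

Run over the full quoted output, this lists the three POST fields and User-Agent, while only GET 'page' carries a final verdict.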