Re: [sqlmap-users] Using sqlmap with POST values
From: Chris O. <chr...@gm...> - 2011-01-06 10:00:33
Hi Miroslav

The dev version is even better, 0.9 is looking really promising. I used higher risk and level settings and it worked absolutely perfectly; found every sql injection point I knew existed on the page!

Many thanks

Chris

On 6 January 2011 09:26, Chris Oakley <chr...@gm...> wrote:
> Hi Miroslav
>
> I'll grab the svn version and take a look at those other options today and report back. Many thanks for the assistance.
>
> Chris
>
> On 6 January 2011 08:10, Miroslav Stampar <mir...@gm...> wrote:
>
>> ...also, try to use higher --level and --risk for this kind of situations (login pages)
>>
>> kr
>>
>> On Thu, Jan 6, 2011 at 9:06 AM, Miroslav Stampar <mir...@gm...> wrote:
>>
>>> hi Chris.
>>>
>>> have you tried with the latest development version from our SVN repository?
>>>
>>> kr
>>>
>>> On Wed, Jan 5, 2011 at 6:22 PM, Chris Oakley <chr...@gm...> wrote:
>>>
>>>> Hi all
>>>>
>>>> I'm playing with sqlmap and it seems to be working quite well for GET based parameters. However, for POST I'm not sure if it's working. To test sqlmap out, I've downloaded and installed Mutillidae (http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10) and have been looking at the login page. I know that the password field is vulnerable to SQL injection, and have entered the following command to sqlmap:
>>>>
>>>> sqlmap -u "http://localhost/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=foo&password=bar&Submit_button=Submit" --current-user --is-dba --flush-session
>>>>
>>>> This results in the following output:
>>>>
>>>> sqlmap/0.8 - automatic SQL injection and database takeover tool
>>>> http://sqlmap.sourceforge.net
>>>>
>>>> [*] starting at: 17:01:17
>>>>
>>>> [17:01:17] [INFO] using 'C:\Program Files\sqlmap-0.8_exe\output\localhost\session' as session file
>>>> [17:01:17] [INFO] flushing session file
>>>> [17:01:17] [INFO] testing connection to the target url
>>>> [17:01:18] [INFO] testing if the url is stable, wait a few seconds
>>>> [17:01:21] [INFO] url is stable
>>>> [17:01:21] [INFO] testing if POST parameter 'password' is dynamic
>>>> [17:01:22] [WARNING] POST parameter 'password' is not dynamic
>>>> [17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
>>>> [17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
>>>> [17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
>>>> [17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
>>>> [17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>>>> [17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>>>> [17:01:26] [INFO] testing if GET parameter 'page' is dynamic
>>>> [17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
>>>> [17:01:29] [INFO] GET parameter 'page' is dynamic
>>>> [17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0 parenthesis
>>>> [17:01:29] [INFO] testing unescaped numeric injection on GET parameter 'page'
>>>> [17:01:30] [INFO] GET parameter 'page' is not unescaped numeric injectable
>>>> [17:01:30] [INFO] testing single quoted string injection on GET parameter 'page'
>>>> [17:01:31] [INFO] GET parameter 'page' is not single quoted string injectable
>>>> [17:01:31] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>>>> [17:01:32] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>>>> [17:01:32] [INFO] testing double quoted string injection on GET parameter 'page'
>>>> [17:01:34] [INFO] GET parameter 'page' is not double quoted string injectable
>>>> [17:01:34] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>>>> [17:01:35] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>>>> [17:01:35] [INFO] GET parameter 'page' is not injectable with 0 parenthesis
>>>> [17:01:35] [INFO] testing sql injection on GET parameter 'page' with 1 parenthesis
>>>> [17:01:35] [INFO] testing unescaped numeric injection on GET parameter 'page'
>>>> [17:01:36] [INFO] GET parameter 'page' is not unescaped numeric injectable
>>>> [17:01:36] [INFO] testing single quoted string injection on GET parameter 'page'
>>>> [17:01:37] [INFO] GET parameter 'page' is not single quoted string injectable
>>>> [17:01:37] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>>>> [17:01:38] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>>>> [17:01:38] [INFO] testing double quoted string injection on GET parameter 'page'
>>>> [17:01:39] [INFO] GET parameter 'page' is not double quoted string injectable
>>>> [17:01:39] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>>>> [17:01:40] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>>>> [17:01:40] [INFO] GET parameter 'page' is not injectable with 1 parenthesis
>>>> [17:01:40] [INFO] testing sql injection on GET parameter 'page' with 2 parenthesis
>>>> [17:01:40] [INFO] testing unescaped numeric injection on GET parameter 'page'
>>>> [17:01:41] [INFO] GET parameter 'page' is not unescaped numeric injectable
>>>> [17:01:41] [INFO] testing single quoted string injection on GET parameter 'page'
>>>> [17:01:42] [INFO] GET parameter 'page' is not single quoted string injectable
>>>> [17:01:42] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>>>> [17:01:43] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>>>> [17:01:43] [INFO] testing double quoted string injection on GET parameter 'page'
>>>> [17:01:44] [INFO] GET parameter 'page' is not double quoted string injectable
>>>> [17:01:44] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>>>> [17:01:45] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>>>> [17:01:45] [INFO] GET parameter 'page' is not injectable with 2 parenthesis
>>>> [17:01:45] [INFO] testing sql injection on GET parameter 'page' with 3 parenthesis
>>>> [17:01:45] [INFO] testing unescaped numeric injection on GET parameter 'page'
>>>> [17:01:46] [INFO] GET parameter 'page' is not unescaped numeric injectable
>>>> [17:01:46] [INFO] testing single quoted string injection on GET parameter 'page'
>>>> [17:01:47] [INFO] GET parameter 'page' is not single quoted string injectable
>>>> [17:01:47] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>>>> [17:01:49] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>>>> [17:01:49] [INFO] testing double quoted string injection on GET parameter 'page'
>>>> [17:01:50] [INFO] GET parameter 'page' is not double quoted string injectable
>>>> [17:01:50] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>>>> [17:01:51] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>>>> [17:01:51] [INFO] GET parameter 'page' is not injectable with 3 parenthesis
>>>> [17:01:51] [WARNING] GET parameter 'page' is not injectable
>>>>
>>>> [*] shutting down at: 17:01:51
>>>>
>>>> I've used this page with an interception proxy and these three POST values are the only ones that are sent.
>>>>
>>>> Does anyone have any idea where I'm going wrong with sqlmap with regards to using it with vulnerable POST values? I've managed to enumerate databases with vulnerable ?id=x type GET parameters but not this.
>>>>
>>>> Thanks in advance!
>>>>
>>>> Chris
>>>>
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> sql...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>> --
>>> Miroslav Stampar
>>>
>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>> Mobile: +385921010204 (HR 0921010204)
>>> PGP Key ID: 0xB5397B1B
>>> Location: Zagreb, Croatia
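The quoted sqlmap 0.8 output shows the symptom behind the original question: the three POST parameters were marked "not dynamic" and injection tests were only ever sent to the GET parameter 'page', so the vulnerable password field was never exercised. As an added example (not code from this thread or from the sqlmap project), the Python below parses that log format and reports which parameters a run never actually tested, so a tester can spot this kind of coverage gap before concluding a form is clean; the sample log is a constructed excerpt of the output quoted above.

```python
import re

# Constructed excerpt of the sqlmap 0.8 output quoted in the thread (not the
# full log), used as sample input for the coverage summary below.
SAMPLE_LOG = """\
[17:01:21] [INFO] testing if POST parameter 'password' is dynamic
[17:01:22] [WARNING] POST parameter 'password' is not dynamic
[17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
[17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
[17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
[17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
[17:01:26] [INFO] testing if GET parameter 'page' is dynamic
[17:01:29] [INFO] GET parameter 'page' is dynamic
[17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0 parenthesis
[17:01:51] [WARNING] GET parameter 'page' is not injectable
"""

# One sqlmap log line: "[HH:MM:SS] [LEVEL] message"
LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] \[\w+\] (?P<msg>.*)$")
# The "<place> parameter '<name>'" phrase sqlmap uses inside the message
PARAM_RE = re.compile(r"(?P<place>GET|POST|User-Agent) parameter '(?P<name>[^']+)'")

def summarize_coverage(log_text):
    """Map (place, name) -> {dynamic, tested, injectable} as seen in the log."""
    params = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.lstrip("> ").rstrip())  # tolerate e-mail quote prefixes
        if not m:
            continue
        msg = m.group("msg")
        p = PARAM_RE.search(msg)
        if not p or msg.startswith("testing if"):
            continue  # no parameter named, or a probe announcement with no result
        key = (p.group("place"), p.group("name"))
        entry = params.setdefault(key, {"dynamic": None, "tested": False, "injectable": None})
        if msg.endswith("is not dynamic"):
            entry["dynamic"] = False
        elif msg.endswith("is dynamic"):
            entry["dynamic"] = True
        elif msg.startswith("testing sql injection on"):
            entry["tested"] = True  # sqlmap actually sent injection tests to this parameter
        elif msg.endswith("is not injectable"):
            entry["injectable"] = False
        elif msg.endswith("is injectable"):
            entry["injectable"] = True
    return params

def untested_params(log_text):
    # Parameters sqlmap never sent injection tests to: the coverage gaps to re-check
    return sorted(k for k, v in summarize_coverage(log_text).items() if not v["tested"])
```

On the full log from the thread the three POST parameters come back as untested, which is exactly the gap that the newer version and higher --level/--risk closed for the original poster.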