Re: [sqlmap-users] Using sqlmap with POST values
From: Miroslav S. <mir...@gm...> - 2011-01-06 10:03:43
thx :) Bernardo and I worked really hard on this one and hope that 0.9 final will be the best version till now.

kr

On Thu, Jan 6, 2011 at 11:00 AM, Chris Oakley <chr...@gm...> wrote:
> Hi Miroslav
>
> The dev version is even better, 0.9 is looking really promising. I used higher risk and level settings and it worked absolutely perfectly; found every sql injection point I knew existed on the page!
>
> Many thanks
>
> Chris
>
> On 6 January 2011 09:26, Chris Oakley <chr...@gm...> wrote:
>> Hi Miroslav
>>
>> I'll grab the svn version and take a look at those other options today and report back. Many thanks for the assistance.
>>
>> Chris
>>
>> On 6 January 2011 08:10, Miroslav Stampar <mir...@gm...> wrote:
>>> ...also, try to use higher --level and --risk for this kind of situations (login pages)
>>>
>>> kr
>>>
>>> On Thu, Jan 6, 2011 at 9:06 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>> hi Chris.
>>>>
>>>> have you tried with the latest development version from our SVN repository?
>>>>
>>>> kr
>>>>
>>>> On Wed, Jan 5, 2011 at 6:22 PM, Chris Oakley <chr...@gm...> wrote:
>>>>> Hi all
>>>>>
>>>>> I'm playing with sqlmap and it seems to be working quite well for GET based parameters. However, for POST I'm not sure if it's working. To test sqlmap out, I've downloaded and installed Mutillidae (http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10) and have been looking at the login page. I know that the password field is vulnerable to SQL injection, and have entered the following command to sqlmap:
>>>>>
>>>>> sqlmap -u "http://localhost/mutillidae/index.php?page=login.php" --method "POST" --data "user_name=foo&password=bar&Submit_button=Submit" --current-user --is-dba --flush-session
>>>>>
>>>>> This results in the following output:
>>>>>
>>>>> sqlmap/0.8 - automatic SQL injection and database takeover tool
>>>>> http://sqlmap.sourceforge.net
>>>>>
>>>>> [*] starting at: 17:01:17
>>>>>
>>>>> [17:01:17] [INFO] using 'C:\Program Files\sqlmap-0.8_exe\output\localhost\session' as session file
>>>>> [17:01:17] [INFO] flushing session file
>>>>> [17:01:17] [INFO] testing connection to the target url
>>>>> [17:01:18] [INFO] testing if the url is stable, wait a few seconds
>>>>> [17:01:21] [INFO] url is stable
>>>>> [17:01:21] [INFO] testing if POST parameter 'password' is dynamic
>>>>> [17:01:22] [WARNING] POST parameter 'password' is not dynamic
>>>>> [17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
>>>>> [17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
>>>>> [17:01:24] [INFO] testing if POST parameter 'Submit_button' is dynamic
>>>>> [17:01:25] [WARNING] POST parameter 'Submit_button' is not dynamic
>>>>> [17:01:25] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
>>>>> [17:01:26] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
>>>>> [17:01:26] [INFO] testing if GET parameter 'page' is dynamic
>>>>> [17:01:27] [INFO] confirming that GET parameter 'page' is dynamic
>>>>> [17:01:29] [INFO] GET parameter 'page' is dynamic
>>>>> [17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0 parenthesis
>>>>> [17:01:29] [INFO] testing unescaped numeric injection on GET parameter 'page'
>>>>> [17:01:30] [INFO] GET parameter 'page' is not unescaped numeric injectable
>>>>> [17:01:30] [INFO] testing single quoted string injection on GET parameter 'page'
>>>>> [17:01:31] [INFO] GET parameter 'page' is not single quoted string injectable
>>>>> [17:01:31] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>>>>> [17:01:32] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>>>>> [17:01:32] [INFO] testing double quoted string injection on GET parameter 'page'
>>>>> [17:01:34] [INFO] GET parameter 'page' is not double quoted string injectable
>>>>> [17:01:34] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>>>>> [17:01:35] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>>>>> [17:01:35] [INFO] GET parameter 'page' is not injectable with 0 parenthesis
>>>>> [17:01:35] [INFO] testing sql injection on GET parameter 'page' with 1 parenthesis
>>>>> [17:01:35] [INFO] testing unescaped numeric injection on GET parameter 'page'
>>>>> [17:01:36] [INFO] GET parameter 'page' is not unescaped numeric injectable
>>>>> [17:01:36] [INFO] testing single quoted string injection on GET parameter 'page'
>>>>> [17:01:37] [INFO] GET parameter 'page' is not single quoted string injectable
>>>>> [17:01:37] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>>>>> [17:01:38] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>>>>> [17:01:38] [INFO] testing double quoted string injection on GET parameter 'page'
>>>>> [17:01:39] [INFO] GET parameter 'page' is not double quoted string injectable
>>>>> [17:01:39] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>>>>> [17:01:40] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>>>>> [17:01:40] [INFO] GET parameter 'page' is not injectable with 1 parenthesis
>>>>> [17:01:40] [INFO] testing sql injection on GET parameter 'page' with 2 parenthesis
>>>>> [17:01:40] [INFO] testing unescaped numeric injection on GET parameter 'page'
>>>>> [17:01:41] [INFO] GET parameter 'page' is not unescaped numeric injectable
>>>>> [17:01:41] [INFO] testing single quoted string injection on GET parameter 'page'
>>>>> [17:01:42] [INFO] GET parameter 'page' is not single quoted string injectable
>>>>> [17:01:42] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>>>>> [17:01:43] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>>>>> [17:01:43] [INFO] testing double quoted string injection on GET parameter 'page'
>>>>> [17:01:44] [INFO] GET parameter 'page' is not double quoted string injectable
>>>>> [17:01:44] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>>>>> [17:01:45] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>>>>> [17:01:45] [INFO] GET parameter 'page' is not injectable with 2 parenthesis
>>>>> [17:01:45] [INFO] testing sql injection on GET parameter 'page' with 3 parenthesis
>>>>> [17:01:45] [INFO] testing unescaped numeric injection on GET parameter 'page'
>>>>> [17:01:46] [INFO] GET parameter 'page' is not unescaped numeric injectable
>>>>> [17:01:46] [INFO] testing single quoted string injection on GET parameter 'page'
>>>>> [17:01:47] [INFO] GET parameter 'page' is not single quoted string injectable
>>>>> [17:01:47] [INFO] testing LIKE single quoted string injection on GET parameter 'page'
>>>>> [17:01:49] [INFO] GET parameter 'page' is not LIKE single quoted string injectable
>>>>> [17:01:49] [INFO] testing double quoted string injection on GET parameter 'page'
>>>>> [17:01:50] [INFO] GET parameter 'page' is not double quoted string injectable
>>>>> [17:01:50] [INFO] testing LIKE double quoted string injection on GET parameter 'page'
>>>>> [17:01:51] [INFO] GET parameter 'page' is not LIKE double quoted string injectable
>>>>> [17:01:51] [INFO] GET parameter 'page' is not injectable with 3 parenthesis
>>>>> [17:01:51] [WARNING] GET parameter 'page' is not injectable
>>>>>
>>>>> [*] shutting down at: 17:01:51
>>>>>
>>>>> I've used this page with an interception proxy and these three POST values are the only ones that are sent.
>>>>>
>>>>> Does anyone have any idea where I'm going wrong with sqlmap with regards to using it with vulnerable POST values? I've managed to enumerate databases with vulnerable ?id=x type GET parameters but not this.
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> Chris

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
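The log quoted in the thread shows why the POST fields were never fuzzed: sqlmap 0.8 marked them "not dynamic" and moved on to the GET parameter. The following is an added example, not code from the thread or from sqlmap, that parses log lines in that format and reports which parameters were skipped for that reason; the sample log is a constructed excerpt in the same message format, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the sqlmap 0.8 log quoted in the thread.
SAMPLE_LOG = """\
[17:01:21] [INFO] testing if POST parameter 'password' is dynamic
[17:01:22] [WARNING] POST parameter 'password' is not dynamic
[17:01:22] [INFO] testing if POST parameter 'user_name' is dynamic
[17:01:23] [WARNING] POST parameter 'user_name' is not dynamic
[17:01:26] [INFO] testing if GET parameter 'page' is dynamic
[17:01:29] [INFO] GET parameter 'page' is dynamic
[17:01:29] [INFO] testing sql injection on GET parameter 'page' with 0 parenthesis
[17:01:30] [INFO] GET parameter 'page' is not unescaped numeric injectable
[17:01:51] [WARNING] GET parameter 'page' is not injectable
"""

LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] \[(INFO|WARNING|ERROR)\] (.*)$")
PARAM_RE = re.compile(r"(GET|POST|User-Agent) parameter '([^']+)'")


def parse_sqlmap_log(text):
    """Map (place, name) -> {"dynamic": bool|None, "tested": bool, "injectable": bool|None}."""
    params = defaultdict(lambda: {"dynamic": None, "tested": False, "injectable": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(2)
        pm = PARAM_RE.search(msg)
        if not pm:
            continue
        key = (pm.group(1), pm.group(2))
        entry = params[key]
        if msg.endswith("is not dynamic"):
            entry["dynamic"] = False         # sqlmap 0.8 will not fuzz this parameter
        elif msg == "%s parameter '%s' is dynamic" % key:
            entry["dynamic"] = True
        elif msg.startswith("testing sql injection on"):
            entry["tested"] = True           # injection tests actually started
        elif msg.endswith("is not injectable"):
            entry["injectable"] = False      # final verdict for the parameter
        elif msg.endswith("injectable") and " is not " not in msg:
            entry["injectable"] = True       # e.g. "... is single quoted string injectable"
    return dict(params)


def skipped_parameters(text):
    """Parameters never fuzzed because sqlmap judged them static (the thread's POST fields)."""
    return sorted(k for k, v in parse_sqlmap_log(text).items()
                  if v["dynamic"] is False and not v["tested"])
```

Run against the full log from the thread, `skipped_parameters` lists all three POST fields plus the User-Agent header, which is exactly the set the poster expected to be tested.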