Re: [sqlmap-users] Problem with using Webscarab conversations
From: Antonios A. <ant...@gm...> - 2011-01-19 20:28:22
Hi Miroslav and thanks for your answer,

I did reproduce the results a couple of times and you can easily do so.
My target is the ctf6 lampsec security (you can download it from
http://sourceforge.net/projects/lampsecurity/). After a very fast browsing,
I crawled the rest of the site using Webscarab.

I ran the command

    sqlmap --batch -v 2 -l ../webscarab-logs/conversations/

sqlmap failed to find any sqli.

Then I ran

    sqlmap -u http://192.168.163.128/index.php?id=4

(one of the vulnerable urls) and it did find the sqli vulnerability.

Please let me know if you want me to send you any logs.

Regards
Antonios

2011/1/18 Miroslav Stampar <mir...@gm...>

> Hi Antonios.
>
> The main question is: are you able to reproduce this kind of behavior again?
>
> If yes, then sqlmap really has some "bug" and it would be great if you
> could (maybe privately) provide us with further details from the used
> logs.
>
> If no, the thing that comes to my mind and that can screw things up is
> "dynamicity". We've worked hard to make a good comparison/detection
> engine together with dynamicity removal, but still, pages with lots of
> garbaged styles/tags/scripts... can screw things up, especially when
> only a small part of the page is affected by the injection itself. Hence
> there are switches like --string and --text-only (removes all
> tags/scripts/styles and retrieves only pure text) that can do miracles
> in those kinds of cases.
>
> KR
>
> On Tue, Jan 18, 2011 at 10:04 PM, Antonios Atlasis
> <ant...@gm...> wrote:
> >
> > Hello to the list,
> >
> > after spidering a site that is vulnerable to SQLi with Webscarab, I fed
> > its conversations directory to sqlmap using the -l option.
> > sqlmap didn't find any SQLi vulnerability.
> >
> > Then, I fed a vulnerable URL to sqlmap with the -u option (which URL was
> > also included in the webscarab conversations and it had also been tested
> > before with sqlmap), and sqlmap did find this time the specific SQLi
> > vulnerability.
> >
> > Has anyone else observed a problem using Webscarab conversations? Is
> > there any tip or trick that I can use in order to solve this problem?
> >
> > Thanks in advance
> >
> > Antonios
>
> --
> Miroslav Stampar
>
> E-mail / Jabber: miroslav.stampar (at) gmail.com
> Mobile: +385921010204 (HR 0921010204)
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia