Re: [sqlmap-users] stunned
From: Miroslav S. <mir...@gm...> - 2011-02-08 21:54:43
Have you tried different levels (--level)? Have you tried different risks (--risk)?

In plainspeak:
higher level = more techniques
higher risk = more prefix/postfix combinations

kr

On Tue, Feb 8, 2011 at 10:50 PM, ciccio panzino <cic...@gm...> wrote:
> Hi, I've manually tested several sites which give me a typical ODBC
> MS-SQL syntax error with a simple tick inserted in the POST login
> parameters. Again, when I perform different payloads like "union select
> blabla" the error message changes and shows me I'm interacting effectively
> with the db.
> BUT if I perform a simple test with sqlmap -u www.foo.bar/login.asp
> --method=post --data=par1=val1&par2=val2 -p par1 it tells me par1 is not
> injectable (while manually it is). Why doesn't sqlmap see the vuln?
> Where am I wrong?
> Again, if in the data option I put a normal value for par1 (like asdf),
> sqlmap tells me "the parameter par 1 is not dynamic" and shuts down, while
> if I put a tick directly after the asdf value in the data option, sqlmap
> sees it as "dynamic" and starts the tests (with a "not injectable"
> response at the end)
> help plz
> thks
> mariuolo

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia