Re: [sqlmap-users] URL injection - mysql-fetch-array
From: Miroslav S. <mir...@gm...> - 2012-01-05 23:56:18
Hi Borja.

The error itself doesn't prove anything. You'll have to either:

1) find a valid injection manually and report back so we could fix the sqlmap (if needed) or
2) send us a traffic file which you can get with -t traffic.txt

Kind regards,
Miroslav Stampar

On Thu, Jan 5, 2012 at 4:52 PM, Borja Berastegui <bor...@gm...> wrote:

> Hi!
>
> This is my first mail to this list; as I'm an active user of the software I had
> to start mailing here someday so... here is my question:
>
> I've found a MySQL error on a website (by a modification in the URL) that
> throws me this:
>
> Warning: mysql_fetch_array(): supplied argument is not a valid MySQL
> result resource in /home/virtual/thewebsite.com/web/news/index.php on
> line 11
>
> The syntax of the URL is "http://www.thewebsite.com/news/today/*/" and
> in the normal state of the URL there is a number (of the news page shown)
> where I have written the *.
>
> If I write anything that is not a number it returns me the error.
>
> I'm having two problems here:
>
> First one is that I'm not sure if I'm doing the URI injection right with
> sqlmap because I've found 3 URI injections in different places but without
> success. (I'm using the * to show the tool where to test)
>
> And the other one is that I'm not really sure if that error shows a really
> exploitable flaw.
>
> Sqlmap, by using the * wildcard, throws some possible UNION exploitable
> points, but they are discarded when the tests are finished. I have also tried
> with the --union-char switch with different characters.
>
> Sorry for all this text, hope you could help me a bit :S
>
> Thanks!

--
Miroslav Stampar
http://about.me/stamparm