[sqlmap-users] not finding injections where I'm quite sure there are
From: ryan c. <rya...@gm...> - 2012-01-06 16:52:22
I'm testing this Cornerstone CMS vuln: http://www.exploit-db.com/exploits/18319/

When I load this URL (http://192.168.1.101/default.asp?id=2%27) manually in my browser, I get:

Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'Id=2''.

sqlmap doesn't find anything:

[11:48:01] [INFO] testing connection to the target url
[11:48:02] [INFO] testing if the url is stable, wait a few seconds
[11:48:04] [INFO] url is stable
[11:48:04] [INFO] testing if GET parameter 'id' is dynamic
[11:48:04] [INFO] heuristics detected web page charset 'ascii'
[11:48:05] [INFO] confirming that GET parameter 'id' is dynamic
[11:48:05] [INFO] GET parameter 'id' is dynamic
[11:48:06] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: Microsoft Access)
[11:48:06] [INFO] testing sql injection on GET parameter 'id'
[11:48:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
parsed error message(s) showed that the back-end DBMS could be Microsoft Access. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[11:48:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[11:48:28] [WARNING] GET parameter 'id' is not injectable
[11:48:28] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
[11:48:28] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 47 times

[*] shutting down at: 11:48:28