Re: [sqlmap-users] not finding injections where I'm quite sure there are
From: Miroslav S. <mir...@gm...> - 2012-01-07 15:36:35
Hi Ryan.

You are advised to use auxiliary switches in this kind of case:
--string or --text-only could help you here.

Kind regards,
Miroslav Stampar

On Fri, Jan 6, 2012 at 5:52 PM, ryan cartner <rya...@gm...> wrote:
> I'm testing this cornerstone cms vuln
>
> http://www.exploit-db.com/exploits/18319/
>
> when I load this url (http://192.168.1.101/default.asp?id=2%27) manually
> in my browser I get
>
> Microsoft JET Database Engine error '80040e14'
>
> Syntax error in string in query expression 'Id=2''.
> sqlmap doesn't find anything:
>
> [11:48:01] [INFO] testing connection to the target url
> [11:48:02] [INFO] testing if the url is stable, wait a few seconds
> [11:48:04] [INFO] url is stable
> [11:48:04] [INFO] testing if GET parameter 'id' is dynamic
> [11:48:04] [INFO] heuristics detected web page charset 'ascii'
> [11:48:05] [INFO] confirming that GET parameter 'id' is dynamic
> [11:48:05] [INFO] GET parameter 'id' is dynamic
> [11:48:06] [INFO] heuristic test shows that GET parameter 'id' might be
> injectable (possible DBMS: Microsoft Access)
> [11:48:06] [INFO] testing sql injection on GET parameter 'id'
> [11:48:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> parsed error message(s) showed that the back-end DBMS could be Microsoft
> Access. Do you want to skip test payloads specific for other DBMSes? [Y/n]
> [11:48:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> [11:48:28] [WARNING] GET parameter 'id' is not injectable
> [11:48:28] [CRITICAL] all parameters appear to be not injectable. Try to
> increase --level/--risk values to perform more tests. Rerun by providing
> either a valid --string or a valid --regexp, refer to the user's manual for
> details
> [11:48:28] [WARNING] HTTP error codes detected during testing:
> 500 (Internal Server Error) - 47 times
>
> [*] shutting down at: 11:48:28

--
Miroslav Stampar
http://about.me/stamparm