[sqlmap-users] Problem with sqlmap
From: stefano l. <lor...@gm...> - 2013-02-01 15:01:23
Hi all, and sorry for my English.

I tried to use sqlmap, and I installed the DVWA application in my virtual machine. I use the BackBox distro and BackTrack, but I have the same problem. I used the command below. The problem is that the parameter id is injectable, but I receive

[15:52:30] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable

I also tried --level 3 --risk 5, but nothing.....

sqlmap -u ' http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='Cookie=security=low; PHPSESSID=g123shj27qt27pf5prctrk0t32' --dbs --dbms=mysql

sqlmap/1.0-dev-d6606a8 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:52:27

[15:52:27] [INFO] testing connection to the target url
[15:52:27] [INFO] heuristics detected web page charset 'None'
sqlmap got a 302 redirect to 'http://192.168.56.101:80/dvwa/login.php'. Do you want to follow? [Y/n]
[15:52:28] [INFO] testing if the url is stable, wait a few seconds
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n]
[15:52:30] [WARNING] GET parameter 'id' does not appear dynamic
[15:52:30] [WARNING] reflective value(s) found and filtering out
[15:52:30] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[15:52:30] [INFO] testing for SQL injection on GET parameter 'id'
[15:52:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:52:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:52:31] [INFO] testing 'MySQL inline queries'
[15:52:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:52:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:52:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:52:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:52:34] [WARNING] GET parameter 'id' is not injectable
[15:52:34] [WARNING] GET parameter 'Submit' does not appear dynamic
[15:52:34] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[15:52:34] [INFO] testing for SQL injection on GET parameter 'Submit'
[15:52:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:52:34] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:52:34] [INFO] testing 'MySQL inline queries'
[15:52:34] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:52:34] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:52:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:52:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:52:37] [WARNING] GET parameter 'Submit' is not injectable
[15:52:37] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

Thanks

--
Ciao
Stefano Lorenzi
www.lorenzistefano.com