Re: [sqlmap-users] Problem with sqlmap
From: Bernardo D. <ber...@gm...> - 2013-02-01 15:07:18
Remove "Cookie=" from the cookie value. Make sure you have sqlmap updated from GitHub and the session cookie is valid.

Bernardo Damele A. G.
This message was sent from a smartphone

On 1 Feb 2013, at 15:02, stefano lorenzi <lor...@gm...> wrote:

Hi all, and sorry for my English.

I tried to use sqlmap and I installed dvwa application in my virtual machine. I use backbox distro and backtrack but I have the same problem. I used this command below. The problem is that parameter id is injectable but I receive

[15:52:30] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable

I tried also --level 3 --risk 5 but nothing.....

sqlmap -u ' http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='Cookie=security=low; PHPSESSID=g123shj27qt27pf5prctrk0t32' --dbs --dbms=mysql

sqlmap/1.0-dev-d6606a8 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:52:27

[15:52:27] [INFO] testing connection to the target url
[15:52:27] [INFO] heuristics detected web page charset 'None'
sqlmap got a 302 redirect to 'http://192.168.56.101:80/dvwa/login.php'. Do you want to follow? [Y/n]
[15:52:28] [INFO] testing if the url is stable, wait a few seconds
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n]
[15:52:30] [WARNING] GET parameter 'id' does not appear dynamic
[15:52:30] [WARNING] reflective value(s) found and filtering out
[15:52:30] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[15:52:30] [INFO] testing for SQL injection on GET parameter 'id'
[15:52:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:52:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:52:31] [INFO] testing 'MySQL inline queries'
[15:52:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:52:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:52:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:52:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:52:34] [WARNING] GET parameter 'id' is not injectable
[15:52:34] [WARNING] GET parameter 'Submit' does not appear dynamic
[15:52:34] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[15:52:34] [INFO] testing for SQL injection on GET parameter 'Submit'
[15:52:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:52:34] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:52:34] [INFO] testing 'MySQL inline queries'
[15:52:34] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:52:34] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:52:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:52:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:52:37] [WARNING] GET parameter 'Submit' is not injectable
[15:52:37] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

thanks

--
Ciao
Stefano Lorenzi
www.lorenzistefano.com
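An added example, not part of the original thread and not sqlmap's own code: a pre-flight check for the two points in the reply above. It shows which cookies the server actually receives when the header name is pasted into the `--cookie` value, and flags a redirect to a login page in sqlmap output as a sign that the session is not valid. The function names are hypothetical; the cookie value and log lines are copied from the thread.

```python
import re

# Sample values copied from the thread above.
BAD_COOKIE = "Cookie=security=low; PHPSESSID=g123shj27qt27pf5prctrk0t32"
SAMPLE_LOG = """\
[15:52:27] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://192.168.56.101:80/dvwa/login.php'. Do you want to follow? [Y/n]
[15:52:30] [WARNING] GET parameter 'id' does not appear dynamic
"""


def parse_cookie_value(value):
    """Split a Cookie header value as a server does: on ';', then on the first '='."""
    pairs = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            pairs[name] = val
    return pairs


def normalize_cookie_option(value):
    """Strip a pasted header name ('Cookie=' or 'Cookie:') from the front of the value."""
    return re.sub(r"^\s*cookie\s*[=:]\s*", "", value, flags=re.IGNORECASE)


def missing_cookies(value, required=("security", "PHPSESSID")):
    """Return the required cookie names the server would not receive."""
    sent = parse_cookie_value(value)
    return [name for name in required if name not in sent]


def login_redirects(log_text):
    """Return redirect targets in sqlmap output that point at a login page."""
    targets = re.findall(r"got a 30\d redirect to '([^']+)'", log_text)
    return [t for t in targets if "login" in t.lower()]


if __name__ == "__main__":
    print("as typed :", parse_cookie_value(BAD_COOKIE), "missing:", missing_cookies(BAD_COOKIE))
    fixed = normalize_cookie_option(BAD_COOKIE)
    print("corrected:", fixed, "missing:", missing_cookies(fixed))
    print("login redirects in log:", login_redirects(SAMPLE_LOG))
```

With the prefix left in, the first cookie is sent under the name `Cookie` with the value `security=low`, so the application never sees a `security` cookie; a login redirect in the output means the scan results describe the login page rather than the target page.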