Re: [sqlmap-users] error or bug
From: Miroslav S. <mir...@gm...> - 2013-06-12 20:19:18
Most probably it has dynamic content inside (changing between each response). I can't tell you more because I don't know the details about the target.

Kind regards,
Miroslav Stampar

On Jun 12, 2013 9:13 PM, "Jonatah Romero" <jon...@ho...> wrote:

> Is it a false positive because of sanitizing filters, or some decode() function making sure the ID is explicitly safe? Or is there some other reason?
>
> ------------------------------
> Date: Wed, 12 Jun 2013 06:02:23 +0200
> Subject: Re: [sqlmap-users] error or bug
> From: mir...@gm...
> To: jon...@ho...
> CC: sql...@li...
>
> Hi.
>
> It's a false positive.
>
> Kind regards,
> Miroslav Stampar
>
> On Jun 12, 2013 2:42 AM, "Jonatah Romero" <jon...@ho...> wrote:
>
> > Hello guys, I made 3 injection attempts, and all 3 gave different information: one said there was no injection, another said through heuristics that the DBMS was Firebird, and another that the DBMS was SAP MaxDB. I also tested it with --tamper and --string, as sqlmap suggested, and it stated that it was a false positive. Would it be a bug or an error?
> >
> > Love information, more and more, I'm hungry :-).
> >
> > sqlmap.py -u "https://website/action/link?id=value" --fingerprint --threads=10 --technique=B
> >
> > sqlmap/1.0-dev-42a8234 - automatic SQL injection and database takeover tool
> > http://sqlmap.org
> >
> > [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
> >
> > [*] starting at 20:42:06
> >
> > [20:42:06] [INFO] testing connection to the target URL
> > [20:42:06] [INFO] heuristics detected web page charset 'ascii'
> > [20:42:06] [INFO] testing if the target URL is stable. This can take a coulpe of seconds
> > [20:42:08] [INFO] testing if GET parameter 'id' is dynamic
> > [20:42:08] [WARNING] GET parameter 'id' does not appear dynamic
> > [20:42:09] [WARNING] heuristic <basic> test shows that GET parameter 'id' might not be injectable
> > [20:42:09] [INFO] testing for SQL injection on GET parameter 'id'
> > [20:42:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> > [20:42:14] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable <with --string="0.0001">
> > [20:42:18] [INFO] heuristic <extended> test shows that the back-end DBMS could be 'Firebird'
> > do you want to include all tests for 'Firebird' extending provided level <1> and risk <1>? [Y/n] y
> > [20:42:26] [INFO] checking if the injection point on GET parameter 'id' is a false positive
> > [20:42:27] [WARNING] false positive or unexploitable injection point detected
> > [20:42:27] [WARNING] there is a possibility that the character '>' is filtered by the back-end server. You can try to rerun with '--tamper=between'
> > [20:42:27] [WARNING] GET parameter 'id' is not injectable
> > [20:42:27] [CRITICAL] all teste parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Rerun without providing the option '--technique'. Also, you can try to rerun by providing a valid value for option '--string' as perhaps the string you have choosen does not match exclusively True responses
> >
> > [*] shutting down at 20:42:27
> >
> > _______________________________________________
> > sqlmap-users mailing list
> > sql...@li...
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
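An added example, not from this thread and not sqlmap's own code, showing why the dynamic content Miroslav points to turns a boolean-based comparison into a false positive, and the prefix/suffix "dynamic marker" idea (loosely modelled on sqlmap's stability and dynamic-content handling) that makes two fetches of the same content compare equal again. The response bodies, the token width and all names are constructed for this example.

```python
import difflib
import re

# Constructed baseline responses: the same URL fetched twice with the same,
# unmodified parameter value. They differ only in a render timestamp and a
# per-request token, i.e. the "dynamic content" the reply above points to.
# The strings are made up for this example, not captured from any site.
BASELINE_1 = ('<p>Item 42: Blue widget</p>\n<p>Rendered at 20:42:06</p>\n'
              '<input name="token" value="a1b2c3d4">\n')
BASELINE_2 = ('<p>Item 42: Blue widget</p>\n<p>Rendered at 20:42:08</p>\n'
              '<input name="token" value="9f8e7d6c1122">\n')
# Constructed response for a request whose condition is genuinely false.
NO_ROWS = ('<p>No such item</p>\n<p>Rendered at 20:42:10</p>\n'
           '<input name="token" value="00ff">\n')

def is_stable(first, second):
    """The 'testing if the target URL is stable' step amounts to this check."""
    return first == second

def _tokens(page):
    # Split into word / non-word runs so a changed token is replaced whole.
    return re.split(r"(\W+)", page)

def find_dynamic_markers(first, second, width=3):
    """Diff two baseline fetches and return a (prefix, suffix) context pair
    around every region that changed, so the region can be cut out of any
    later page even if it moves or changes length."""
    a, b = _tokens(first), _tokens(second)
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [("".join(a[max(0, i1 - width):i1]), "".join(a[i2:i2 + width]))
            for tag, i1, i2, _, _ in matcher.get_opcodes() if tag != "equal"]

def remove_dynamic(page, markers):
    """Drop whatever sits between each prefix/suffix pair (first occurrence)."""
    for prefix, suffix in markers:
        pattern = re.escape(prefix) + r".*?" + re.escape(suffix)
        page = re.sub(pattern, lambda _: prefix + suffix, page, count=1, flags=re.S)
    return page

def same_content(page_a, page_b, markers):
    """Compare two responses only after dynamic content has been removed."""
    return remove_dynamic(page_a, markers) == remove_dynamic(page_b, markers)
```

With the markers applied, the two baselines compare equal, while a response that really lacks the row still differs; without them, every pair of fetches looks "different", which is exactly the signal a boolean-blind test mistakes for an injection.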