[sqlmap-users] String based blind sql injection help
From: Rashmi S. <ras...@gm...> - 2013-09-16 02:53:18
I have spent ages testing a website with the help of sqlmap but with no success, so I decided to post here for help from the experts. The website is vulnerable to blind SQL injection, and I want sqlmap to help me, but I don't know how to make it work by choosing the correct sqlmap command-line options. I will tell you the whole picture of the injection. There are many POST parameters but only one parameter is vulnerable, so below is the whole picture:

1) The blind SQL injection is on HTTPS.
2) The vulnerable parameter is the page_id POST param.
3) The blind injection works with the following payload only:

    page_id=validstring' and 'a'='a

With the above payload the page loads normally, but if I use it like below:

    page_id=validstring' and 'a'='a'--
Or
    page_id=validstring' and 'a'='a'#
Or
    page_id=validstring' and 'a'='a'--+-
Or
    page_id=validstring' and 'a'='a'%00
Or
    page_id=validstring' and 'a'='a'/*

the blind injection just does not work and the page does not load normally. So I'm not sure how to terminate the query by myself with comments, because no comment is working and I don't know what database is being used by the application. That's why I want sqlmap to help me.

Please help me with the correct sqlmap commands with all the correct options so I can make it work.

Thank you very much