Re: [sqlmap-users] String based blind sql injection help
From: Miroslav S. <mir...@gm...> - 2013-09-16 06:58:24
Hi.

You haven't told what the results of running sqlmap against that target were. sqlmap is trying to use payloads like: validstring' and 'a'='a by default.

From your description this looks like it could be MS Access.

Kind regards,
Miroslav Stampar

On Mon, Sep 16, 2013 at 4:53 AM, Rashmi Singh <ras...@gm...> wrote:
> I have spent ages testing a website with the help of sqlmap but with no success, so I
> decided to post here for help from experts.
>
> The website is vulnerable to blind SQL injection, and I want sqlmap to help me,
> but I don't know how to make it work by choosing the correct sqlmap command-line
> options.
>
> I'll tell you the whole picture of the injection.
>
> There are many POST parameters but the vulnerable parameter is only one, so
> below is the whole picture:
>
> 1) The blind SQL injection is on HTTPS.
>
> 2) The vulnerable parameter is the page_id POST parameter.
>
> 3) The blind injection works with the following payload only:
>
> page_id=validstring' and 'a'='a
>
> With the above payload the page loads normally, but if I use something like below:
>
> page_id=validstring' and 'a'='a'--
>
> Or
>
> page_id=validstring' and 'a'='a'#
>
> Or
>
> page_id=validstring' and 'a'='a'--+-
>
> Or
>
> page_id=validstring' and 'a'='a'%00
>
> Or
>
> page_id=validstring' and 'a'='a'/*
>
> the blind injection just does not work and the page does not load normally.
>
> So I'm not sure how to terminate the query myself with comments, because
> no comment is working and I don't know what database is being used by the
> application.
>
> So that's why I want sqlmap to help me.
>
> Please help me with the correct sqlmap commands with all the correct options so I
> can make it work.
>
> Thank you very much.

--
Miroslav Stampar
http://about.me/stamparm
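As an added example (not sqlmap's code and not the poster's application), the following Python/sqlite3 stand-in for a page_id lookup shows why the quote-balanced payload from the thread composes into a syntactically valid query while the comment-terminated variants leave a dangling quote on any backend that does not honour that comment syntax, alongside the parameterized lookup that treats the same input as plain data. The table, column names and rows are constructed assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's database;
    # page_id is a string column, as the string-based payloads imply.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (page_id TEXT, title TEXT)")
    con.executemany("INSERT INTO pages VALUES (?, ?)",
                    [("validstring", "Home"), ("other", "About")])
    return con


def build_query_vulnerable(page_id):
    # The pattern the thread implies: the value is spliced between two single
    # quotes, so a payload only works if it leaves the trailing quote balanced.
    return "SELECT title FROM pages WHERE page_id = '" + page_id + "'"


def quotes_balanced_without_comments(sql):
    # A backend that does not treat '--', '#' or '/*' as a comment still sees
    # every quote; an odd count means a dangling literal and a failed query.
    return sql.count("'") % 2 == 0


def lookup_vulnerable(con, page_id):
    # Executes the concatenated query: the boolean tail decides the result.
    return [row[0] for row in con.execute(build_query_vulnerable(page_id))]


def lookup_parameterized(con, page_id):
    # Hardened form: the value is bound, never parsed as SQL.
    return [row[0] for row in con.execute(
        "SELECT title FROM pages WHERE page_id = ?", (page_id,))]


if __name__ == "__main__":
    db = make_db()
    for payload in ["validstring' and 'a'='a", "validstring' and 'a'='a'--"]:
        sql = build_query_vulnerable(payload)
        print(sql, "balanced:", quotes_balanced_without_comments(sql))
    print("vulnerable, true tail :", lookup_vulnerable(db, "validstring' and 'a'='a"))
    print("vulnerable, false tail:", lookup_vulnerable(db, "validstring' and 'a'='b"))
    print("parameterized         :", lookup_parameterized(db, "validstring' and 'a'='a"))
```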