[sqlmap-users] testing testfire
From: Gordon M. <gm...@gm...> - 2014-06-11 20:29:31
I've never been very successful using sqlmap; perhaps someone can help point out what I'm missing. For example, when using IBM's intentionally vulnerable test web app http://demo.testfire.com/ I manually verified that the uid parameter in login.aspx is vulnerable to SQLi (using the payload admin' or 1=1;--). I saved the login request to a file via Burp and ran ./sqlmap.py -r CapturedRequestFile. Yet sqlmap still reports "POST parameter 'uid' is not injectable". What am I doing wrong?

Thanks,
-G