[sqlmap-users] oracle order by not detected
From: Harry A. <har...@gm...> - 2014-12-03 12:40:05
I'm testing an app which I've confirmed is running Oracle and has injection into the order by field:

http://xxx/test?order=id

id is a direct mapping to the database column name. I confirmed injection with the following:

http://xxx/test?order=%28select%20%27id%27%20from%20dual%29

The site returns either a table of data or the Oracle exception if the field name given is invalid.

I've run sqlmap against it with level 5 and risk 3 (it's a test site, client happy to reset if damaged) but it doesn't detect the injection. I've also tried with --string, passing it a value from the table so it knows when it hits valid data. I know this should work and, from what I've seen when searching, a level 3 scan should detect it. What am I doing wrong?

And just for my curiosity, as I've got the working injection, would I be able to pass that to sqlmap and point it at that to say "inject into here"? I gave it a quick try and it complained that the URL provided was already tainted and I should clean it up first.

Harry.
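The reason this endpoint is injectable is the pattern Harry describes: the `order` parameter is spliced straight into the ORDER BY clause as a column name. Unlike a WHERE value, an ORDER BY column cannot be passed as a bind parameter, so the fix is to resolve the parameter through an allowlist the application owns. The following is an added example in Python, not code from the post or from sqlmap; it shows the concatenating pattern beside the allowlist version and a small log-triage helper that flags requests whose `order` key is not a known column. The table name, column names and the access-log lines are constructed for illustration (the third log line carries the payload quoted in the post).

```python
"""Allowlist handling for a user-controlled ORDER BY column (added example).

Assumptions (not from the post): the /test endpoint serves a table called
TEST_ROWS with three sortable columns, and the server writes a common-format
access log. Both are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: URL key -> column the application is willing to sort on.
ALLOWED_ORDER_COLUMNS = {
    "id": "ID",
    "name": "NAME",
    "created": "CREATED_AT",
}

BASE_QUERY = "SELECT ID, NAME, CREATED_AT FROM TEST_ROWS"


def vulnerable_order_query(order_param: str) -> str:
    """The pattern the post describes: the parameter is spliced into SQL as-is.

    Anything Oracle accepts as an ORDER BY expression, including a subquery,
    is executed, which is why the post's payload runs."""
    return f"{BASE_QUERY} ORDER BY {order_param}"


def safe_order_query(order_param: str) -> str:
    """Resolve the parameter through the allowlist; anything else is rejected.

    The user never supplies SQL text, only a key that selects a column name
    the application controls."""
    column = ALLOWED_ORDER_COLUMNS.get(order_param.lower())
    if column is None:
        raise ValueError(f"unknown sort column: {order_param!r}")
    return f"{BASE_QUERY} ORDER BY {column}"


# Constructed access-log lines in common log format.
ACCESS_LOG = [
    '10.0.0.5 - - [03/Dec/2014:12:40:05 +0000] "GET /test?order=id HTTP/1.1" 200 5120',
    '10.0.0.5 - - [03/Dec/2014:12:40:09 +0000] "GET /test?order=name HTTP/1.1" 200 5120',
    '10.0.0.5 - - [03/Dec/2014:12:40:13 +0000] '
    '"GET /test?order=%28select%20%27id%27%20from%20dual%29 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [03/Dec/2014:12:40:17 +0000] "GET /test?order=nosuchcol HTTP/1.1" 500 310',
]

_LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_order_probes(log_lines):
    """Return (decoded order value, HTTP status) for requests whose order key
    is not an allowed column.

    A 500 paired with an unknown key is the Oracle-exception case from the
    post; a 200 paired with SQL-looking text is the one worth looking at,
    because the expression was accepted and executed."""
    flagged = []
    for line in log_lines:
        match = _LOG_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group("path")).query)  # percent-decodes values
        for value in query.get("order", []):
            if value.lower() not in ALLOWED_ORDER_COLUMNS:
                flagged.append((value, int(match.group("status"))))
    return flagged


if __name__ == "__main__":
    print(safe_order_query("id"))
    for value, status in flag_order_probes(ACCESS_LOG):
        print(f"{status} order={value!r}")
```

Running the block prints the allowlisted query and then the two flagged requests: the decoded `(select 'id' from dual)` that returned 200, and `nosuchcol` that returned 500. The same allowlist that blocks the injection also gives the log check its ground truth, so the two stay in sync as columns are added.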