Re: [sqlmap-users] Bug found...

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi.

It works, but in later stage. You can see clearly in the following example
that only parameter goButton is being checked for SQLi.

$ python sqlmap.py -u "http://testphp.vulnweb.com/artists.php?artist=1"
--forms -p goButton
         _
 ___ ___| |_____ ___ ___  {1.0-dev-7d418af}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program

[*] starting at 16:34:53

[16:34:56] [INFO] testing connection to the target URL
[16:35:03] [INFO] searching for forms
[#1] form:
POST http://testphp.vulnweb.com:80/search.php?test=query
POST data: searchFor=&goButton=go
do you want to test this form? [Y/n/q]
>
Edit POST data [default: searchFor=&goButton=go] (Warning: blank fields
detected):
do you want to fill blank fields with random values? [Y/n]
[16:35:14] [INFO] using
'/home/stamparm/.sqlmap/output/results-06222015_0435pm.csv' as the CSV
results file in multiple targets mode
[16:35:18] [INFO] testing if the target URL is stable. This can take a
couple of seconds
[16:35:19] [INFO] target URL is stable
[16:35:19] [WARNING] heuristic (basic) test shows that POST parameter
'goButton' might not be injectable
[16:35:20] [INFO] testing for SQL injection on POST parameter 'goButton'
[16:35:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:35:22] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection
phase/(n)ext parameter/(c)hange verbosity/(q)uit] n
[16:35:24] [WARNING] POST parameter 'goButton' is not injectable
[16:35:24] [ERROR] all tested parameters appear to be not injectable. Try
to increase '--level'/'--risk' values to perform more tests. Also, you can
try to rerun by providing either a valid value for option '--string' (or
'--regexp') If you suspect that there is some kind of protection mechanism
involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g.
'--tamper=space2comment'), skipping to the next form
[16:35:24] [INFO] you can find results of scanning in multiple targets mode
inside the CSV file
'/home/stamparm/.sqlmap/output/results-06222015_0435pm.csv'

[*] shutting down at 16:35:24

Bye

2015-06-17 14:17 GMT+02:00 Marco Mirandola <mm...@gm...>:

> If use "--forms" the parameter "-p" don't work
>
> Best regards
> M.M.
> --
>
> *[image: Descrizione: Descrizione: image002]  Rispetta l'ambiente. Non
> stampare questa mail se non è necessario*
>
> *Questa e-mail è riservata compresi gli eventuali allegati. In caso di
> ricezione per errore della presente e-mail siete pregati di darne
> comunicazione al mittente mediante e-mail di risposta e di cancellare
> immediatamente questo messaggio, essendo escluso il consenso in ordine a
> qualsiasi tipo di trattamento del suo contenuto e dei relativi allegati. *
>
> *Vi ringraziamo per la collaborazione. This e-mail and any attachments are
> confidential. If you have received this e-mail by mistake, please inform
> the sender immediately by reply e-mail and then delete it from your system.
> Any processing of this e-mail and its attachments is not authorized. **Thank
> you for your cooperation*.
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

-- 
Miroslav Stampar
http://about.me/stamparm