Re: [sqlmap-users] Problem with a Login
From: Miroslav S. <mir...@gm...> - 2016-12-04 15:51:01

I am kind of confused. You said that it's your application, right? Why would your application care about UA? Also, you've sent source code which hasn't looked into UA.

Bye

On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:

> Ok, I made a test with BurpSuite as Brandon said.
> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
> The same payload with sqlmap not.
>
> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>
> The first is made manually with Firefox, the second with sqlmap...
> Should I change user-agent in sqlmap?
>
>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>
>>> You can add --proxy and make sqlmap pass all requests through burpsuite
>>> or another proxy so you can see what the difference is between the requests
>>> sqlmap creates and the ones you make by hand.
>>>
>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...>
>>> wrote:
>>>
>>> This is a straightforward case. You are messing something up.
>>>
>>> Use username=foobar&password=foobar in POST data. Don't put already
>>> SQLi payload anywhere. Use --level=3 --risk=3
>>>
>>> As said, you are doing something really really wrong here.
>>>
>>> Bye
>>>
>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...>
>>> wrote:
>>>
>>>> Hi!
>>>> I have an issue with sqlmap.
>>>> I created my own fake login in order to test blind sql injection but
>>>> every time I make a test sqlmap says it isn't exploitable.
>>>> I tried to add a suffix, set level to 5, set risk to 3, set not-string
>>>> option but sqlmap still not work with it.
>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>
>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL
>>>> SELECT NULL;NULL #, etc... and they work.
>>>> What should I do?
>>>>
>>>> Thanks in advance!
>>>>
>>>> Daniele.
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm