Re: [sqlmap-users] Problem with a Login
From: Daniele B. <bbi...@gm...> - 2016-12-04 15:57:31
@Miroslav. What does UA mean?
@Brandon tried with
sqlmap -u "127.0.0.1/test/Login.php" --data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus
and it didn't work.

2016-12-04 16:50 GMT+01:00 Miroslav Stampar <mir...@gm...>:

> I am kind of confused. You said that it's your application, right? Why
> would your application care about UA. Also, you've sent source code which
> hasn't looked into UA
>
> Bye
>
> On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:
>
>> Ok, I made a test with BurpSuite as Brandon said.
>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>> The same payload with sqlmap not.
>>
>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>
>> the first is made manually with firefox the second with sqlmap...
>> should I change user-agent in sqlmap?
>>
>> 2016-12-04 16:29 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
>>
>>> Ok, I made a test with BurpSuite as Brandon said.
>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>> The same payload with sqlmap not.
>>>
>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>
>>> the first is made manually with firefox the second with sqlmap...
>>> should I change user-agent in sqlmap?
>>>
>>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>>
>>>> You can add --proxy and make sqlmap pass all requests through burpsuite
>>>> or another proxy so you can see what the difference is between the requests
>>>> sqlmap creates and the ones you make by hand.
>>>>
>>>>
>>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>
>>>> This is a straightforward case. You are messing something up.
>>>>
>>>> Use username=foobar&password=foobar in POST data. Don't put already
>>>> SQLi payload anywhere. Use --level=3 --risk=3
>>>>
>>>> As said, you are doing something really really wrong here.
>>>>
>>>> Bye
>>>>
>>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...>
>>>> wrote:
>>>>
>>>>> Hi!
>>>>> I have an issue with sqlmap.
>>>>> I created my own fake login in order to test blind sql injection but
>>>>> every time I make a test sqlmap says it isn't exploitable.
>>>>> I tried to add a suffix, set level to 5, set risk to 3, set not-string
>>>>> option but sqlmap still does not work with it.
>>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>>
>>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION
>>>>> ALL SELECT NULL;NULL #, etc... and they work.
>>>>> What should I do?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>>
>>>>> Daniele.
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Check out the vibrant tech community on one of the world's most
>>>>> engaging tech sites, SlashDot.org <http://slashdot.org>!
>>>>> http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> sqlmap-users mailing list
>>>>> sql...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
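
The comparison Brandon suggests, between the request captured from the browser and the one captured from sqlmap through the proxy, can be done mechanically. This is an added example, not part of the thread: both requests are constructed samples (not the pastebin captures), and `parse_request` and `diff_requests` are hypothetical helper names.

```python
from urllib.parse import parse_qsl

# Constructed sample requests (NOT the captures from the thread's pastebin).
MANUAL = (
    "POST /test/Login.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=constructed\r\n"
    "\r\n"
    "user=lol+a&password=lol&submit=Login"
)
TOOL = (
    "POST /test/Login.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: sqlmap (constructed)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=lol%20a&password=lol"
)

def parse_request(raw):
    """Split a raw HTTP request into (request line, headers, decoded form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Decoding the body first means "+" vs "%20" is not reported as a difference.
    fields = dict(parse_qsl(body, keep_blank_values=True))
    return lines[0], headers, fields

def diff_requests(a, b):
    """Return differences as (kind, name, value_in_a, value_in_b) tuples."""
    line_a, head_a, form_a = parse_request(a)
    line_b, head_b, form_b = parse_request(b)
    out = []
    if line_a != line_b:
        out.append(("request-line", "", line_a, line_b))
    for kind, da, db in (("header", head_a, head_b), ("field", form_a, form_b)):
        for name in sorted(set(da) | set(db)):
            if da.get(name) != db.get(name):
                out.append((kind, name, da.get(name), db.get(name)))
    return out

if __name__ == "__main__":
    for row in diff_requests(MANUAL, TOOL):
        print(row)
```

A value of `None` in a row means that header or form field is absent from that request, which is the kind of difference a server-side check on a form field or session would react to.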