Re: [sqlmap-users] Problem with a Login
From: Miroslav S. <mir...@gm...> - 2016-12-04 15:58:04
UA == User-Agent

On Dec 4, 2016 16:57, "Daniele Bianchin" <bbi...@gm...> wrote:

> @Miroslav. What UA does it mean?
>
> @Brandon tried with sqlmap -u "127.0.0.1/test/Login.php"
> --data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus
> and didn't work.
>
> 2016-12-04 16:50 GMT+01:00 Miroslav Stampar <mir...@gm...>:
>
>> I am kind of confused. You said that it's your application, right? Why
>> would your application care about UA. Also, you've sent source code which
>> hasn't looked into UA
>>
>> Bye
>>
>> On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:
>>
>>> Ok, I made a test with BurpSuite as Brandon said.
>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>>> The same payload with sqlmap not.
>>>
>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>
>>> the first is made manually with firefox the second with sqlmap...
>>> should I change user-agent in sqlmap?
>>>
>>> 2016-12-04 16:29 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
>>>
>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it
>>>> worked.
>>>> The same payload with sqlmap not.
>>>>
>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>
>>>> the first is made manually with firefox the second with sqlmap...
>>>> should I change user-agent in sqlmap?
>>>>
>>>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>>>
>>>>> You can add --proxy and make sqlmap pass all requests through burpsuite
>>>>> or another proxy so you can see what the difference is between the requests
>>>>> sqlmap creates and the ones you make by hand.
>>>>>
>>>>>
>>>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>
>>>>> This is a straightforward case. You are messing something up.
>>>>>
>>>>> Use username=foobar&password=foobar in POST data. Don't put already
>>>>> SQLi payload anywhere.
>>>>> Use --level=3 --risk=3
>>>>>
>>>>> As said, you are doing something really really wrong here.
>>>>>
>>>>> Bye
>>>>>
>>>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
>>>>>
>>>>>> Hi!
>>>>>> I have an issue with sqlmap.
>>>>>> I created my own fake login in order to test blind sql injection but
>>>>>> every time I make a test sqlmap says it isn't exploitable.
>>>>>> I tried to add a suffix, set level to 5, set risk to 3, set
>>>>>> not-string option but sqlmap still not work with it.
>>>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>>>
>>>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION
>>>>>> ALL SELECT NULL;NULL #, etc... and they work.
>>>>>> What should I do?
>>>>>>
>>>>>> Thanks in advance!
>>>>>>
>>>>>>
>>>>>> Daniele.
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, SlashDot.org <http://slashdot.org>!
>>>>>> http://sdm.link/slashdot
>>>>>> _______________________________________________
>>>>>> sqlmap-users mailing list
>>>>>> sql...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>> http://about.me/stamparm