Re: [sqlmap-users] Problem with a Login
From: Daniele B. <bbi...@gm...> - 2016-12-04 16:00:36
@Miroslav Ah ok... I don't know, I tried everything...

2016-12-04 16:57 GMT+01:00 Miroslav Stampar <mir...@gm...>:

> UA == User-Agent
>
> On Dec 4, 2016 16:57, "Daniele Bianchin" <bbi...@gm...> wrote:
>
>> @Miroslav. What does UA mean?
>>
>> @Brandon tried with sqlmap -u "127.0.0.1/test/Login.php"
>> --data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus
>> and didn't work.
>>
>> 2016-12-04 16:50 GMT+01:00 Miroslav Stampar <mir...@gm...>:
>>
>>> I am kind of confused. You said that it's your application, right? Why
>>> would your application care about UA. Also, you've sent source code which
>>> hasn't looked into UA
>>>
>>> Bye
>>>
>>> On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:
>>>
>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it
>>>> worked.
>>>> The same payload with sqlmap did not.
>>>>
>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>
>>>> The first is made manually with Firefox, the second with sqlmap...
>>>> Should I change the user-agent in sqlmap?
>>>>
>>>>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>>>>
>>>>>> You can add --proxy and make sqlmap pass all requests through
>>>>>> burpsuite or another proxy so you can see what the difference is between
>>>>>> the requests sqlmap creates and the ones you make by hand.
>>>>>>
>>>>>>
>>>>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <
>>>>>> mir...@gm...> wrote:
>>>>>>
>>>>>> This is a straightforward case. You are messing something up.
>>>>>>
>>>>>> Use username=foobar&password=foobar in POST data. Don't put already
>>>>>> SQLi payload anywhere. Use --level=3 --risk=3
>>>>>>
>>>>>> As said, you are doing something really really wrong here.
>>>>>>
>>>>>> Bye
>>>>>>
>>>>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <
>>>>>> bbi...@gm...> wrote:
>>>>>>
>>>>>>> Hi!
>>>>>>> I have an issue with sqlmap.
>>>>>>> I created my own fake login in order to test blind SQL injection but
>>>>>>> every time I make a test sqlmap says it isn't exploitable.
>>>>>>> I tried to add a suffix, set level to 5, set risk to 3, set
>>>>>>> not-string option but sqlmap still does not work with it.
>>>>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>>>>
>>>>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION
>>>>>>> ALL SELECT NULL;NULL #, etc... and they work.
>>>>>>> What should I do?
>>>>>>>
>>>>>>> Thanks in advance!
>>>>>>>
>>>>>>>
>>>>>>> Daniele.
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>> engaging tech sites, SlashDot.org <http://slashdot.org>!
>>>>>>> http://sdm.link/slashdot
>>>>>>> _______________________________________________
>>>>>>> sqlmap-users mailing list
>>>>>>> sql...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm