Re: [sqlmap-users] Problem with a Login
From: Daniele B. <bbi...@gm...> - 2016-12-04 16:10:25
anyway... could anyone take the source and try himself? If it can help I'm using php v7.0 with php-mysql libraries

2016-12-04 17:00 GMT+01:00 Daniele Bianchin <bbi...@gm...>:

> @Miroslav Ah ok... I don't know I tried everything...
>
> 2016-12-04 16:57 GMT+01:00 Miroslav Stampar <mir...@gm...>:
>
>> UA == User-Agent
>>
>> On Dec 4, 2016 16:57, "Daniele Bianchin" <bbi...@gm...> wrote:
>>
>>> @Miroslav. What UA does it mean?
>>>
>>> @Brandon tried with sqlmap -u "127.0.0.1/test/Login.php"
>>> --data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus
>>> and didn't work.
>>>
>>> 2016-12-04 16:50 GMT+01:00 Miroslav Stampar <mir...@gm...>:
>>>
>>>> I am kind of confused. You said that it's your application, right? Why
>>>> would your application care about UA. Also, you've sent source code which
>>>> hasn't looked into UA
>>>>
>>>> Bye
>>>>
>>>> On Dec 4, 2016 16:47, "Daniele Bianchin" <bbi...@gm...> wrote:
>>>>
>>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it
>>>>> worked.
>>>>> The same payload with sqlmap not.
>>>>>
>>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>>
>>>>> the first is made manually with firefox the second with sqlmap...
>>>>> should I change user-agent in sqlmap?
>>>>>
>>>>> 2016-12-04 16:29 GMT+01:00 Daniele Bianchin <bbi...@gm...>:
>>>>>
>>>>>> Ok, I made a test with BurpSuite as Brandon said.
>>>>>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it
>>>>>> worked.
>>>>>> The same payload with sqlmap not.
>>>>>>
>>>>>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>>>>>
>>>>>> the first is made manually with firefox the second with sqlmap...
>>>>>> should I change user-agent in sqlmap?
>>>>>>
>>>>>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <bpe...@gm...>:
>>>>>>
>>>>>>> You can add --proxy and make sqlmap pass all requests through
>>>>>>> burpsuite or another proxy so you can see what the difference is between
>>>>>>> the requests sqlmap creates and the ones you make by hand.
>>>>>>>
>>>>>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <mir...@gm...> wrote:
>>>>>>>
>>>>>>> This is a straightforward case. You are messing something up.
>>>>>>>
>>>>>>> Use username=foobar&password=foobar in POST data. Don't put already
>>>>>>> SQLi payload anywhere. Use --level=3 --risk=3
>>>>>>>
>>>>>>> As said, you are doing something really really wrong here.
>>>>>>>
>>>>>>> Bye
>>>>>>>
>>>>>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <bbi...@gm...> wrote:
>>>>>>>
>>>>>>>> Hi!
>>>>>>>> I have an issue with sqlmap.
>>>>>>>> I created my own fake login in order to test blind sql injection
>>>>>>>> but every time I make a test sqlmap says it isn't exploitable.
>>>>>>>> I tried to add a suffix, set level to 5, set risk to 3, set
>>>>>>>> not-string option but sqlmap still not work with it.
>>>>>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>>>>>
>>>>>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION
>>>>>>>> ALL SELECT NULL;NULL #, etc... and they work.
>>>>>>>> What should I do?
>>>>>>>>
>>>>>>>> Thanks in advance!
>>>>>>>>
>>>>>>>> Daniele.
>>>>>>>
>>>>>>> --
>>>>>>> Miroslav Stampar
>>>>>>> http://about.me/stamparm