Thread: [sqlmap-users] Problem with sqlmap
From: Tim J. <ma...@ti...> - 2009-11-17 11:34:29
|
Hello,
my name is Tim Jordans.
First of all I have tested sqlmap and thanks for the tool.
I stumbled upon a problem. In the following php-script sqlmap did not
find any injection:
mysql_query('SELECT * FROM tb_apotheke WHERE AID="'.
mysql_real_escape_string($_REQUEST['zahl1']).'" OR AID='.
$_REQUEST['zahl2'].' OR AID="'.
mysql_real_escape_string($_REQUEST['zahl3']).'"'
);
Although the middle parameter is not escaped, sqlmap can't inject. I was
wondering if the statement is not insecure or is this not part of the
sqlmap testing routine.
I hope that someone could help me with this problem.
greetings
tim jordans
|
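The query shape from the message above, beside a bound-parameter version, as an added example that is not part of the original post. It assumes SQLite in place of MySQL, a constructed three-row table, and hypothetical helper names; `escape()` is a simplified stand-in for `mysql_real_escape_string()`. `page_differs()` is the manual check of whether the result changes between a true and a false condition in zahl2.

```python
import sqlite3

def escape(value):
    # Stand-in for mysql_real_escape_string(), adapted to SQLite quoting:
    # it only stops a value from breaking out of a quoted string literal.
    return value.replace("'", "''")

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tb_apotheke (AID INTEGER, name TEXT)")
    db.executemany("INSERT INTO tb_apotheke VALUES (?, ?)",
                   [(1, "a"), (2, "b"), (3, "c")])  # constructed rows
    return db

def lookup_vulnerable(db, zahl1, zahl2, zahl3):
    # Same shape as the posted query: zahl1 and zahl3 are escaped and quoted,
    # zahl2 is concatenated raw into a numeric context, so no quote character
    # is needed to change the WHERE clause.
    sql = ("SELECT * FROM tb_apotheke WHERE AID='" + escape(zahl1) +
           "' OR AID=" + zahl2 +
           " OR AID='" + escape(zahl3) + "'")
    return db.execute(sql).fetchall()

def lookup_fixed(db, zahl1, zahl2, zahl3):
    # Bound parameters: every value is treated as data, whatever it contains.
    sql = "SELECT * FROM tb_apotheke WHERE AID=? OR AID=? OR AID=?"
    return db.execute(sql, (zahl1, zahl2, zahl3)).fetchall()

def page_differs(lookup, db):
    # Does the row count change between a true and a false condition in zahl2?
    true_rows = lookup(db, "0", "0 OR 1=1", "0")
    false_rows = lookup(db, "0", "0 OR 1=2", "0")
    return len(true_rows) != len(false_rows)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable query differs:", page_differs(lookup_vulnerable, db))
    print("fixed query differs:     ", page_differs(lookup_fixed, db))
```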
|
From: <nig...@em...> - 2011-11-09 06:13:18
|
Hi

I have a problem with sqlmap. When I run sqlmap -u "http://website/notices/terms.php?co=ar" -random-agent --retries=6 --level 5 --risk 3 -f -b --dbms=mysql, sqlmap can't find the injection point at co=ar. I ran this target with another 2 programs; they found the point and I can get all the data from the DB. It is a blind SQL injection. I tried with drop-cookie, prefix, suffix, text-only; nothing helps, every time the same: not injectable. Any suggestions?

http://website/notices/terms.php?co=ar' and ${condition} and '1'='1 This is the working injection.

My sqlmap version is sqlmap/1.0-dev (r4489). It's MySQL 5.
|
|
From: Bernardo D. A. G. <ber...@gm...> - 2011-11-10 10:27:57
|
Give it a go to --string or --regexp.
Pass your requests through an HTTP proxy and see what happens, -v 3
could also give you a clue.
Bernardo
On 9 November 2011 06:13, <nig...@em...> wrote:
> Hi
>
> I have a problem with sqlmap. When I run sqlmap -u
> "http://website/notices/terms.php?co=ar" -random-agent --retries=6 --level 5
> --risk 3 -f -b --dbms=mysql, sqlmap can't find the injection point at
> co=ar. I ran this target with another 2 programs; they found the point
> and I can get all the data from the DB. It is a blind SQL injection. I tried
> with drop-cookie, prefix, suffix, text-only; nothing helps, every time the same:
> not injectable. Any suggestions?
>
> http://website/notices/terms.php?co=ar' and ${condition} and '1'='1 This is
> the working injection.
>
> My sqlmap version is sqlmap/1.0-dev (r4489). It's MySQL 5.
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
|
|
From: stefano l. <lor...@gm...> - 2013-02-01 15:01:23
|
Hi all, and sorry for my English
I tried to use sqlmap and I installed the dvwa application in my virtual machine.
I use the backbox distro and backtrack but I have the same problem. I used the
command below.
The problem is that the parameter id is injectable but I receive
[15:52:30] [WARNING] heuristic test shows that GET parameter 'id' might not
be injectable
I also tried --level 3 --risk 5 but nothing.....
sqlmap -u 'http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='Cookie=security=low; PHPSESSID=g123shj27qt27pf5prctrk0t32' --dbs --dbms=mysql
sqlmap/1.0-dev-d6606a8 - automatic SQL injection and database takeover
tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program
[*] starting at 15:52:27
[15:52:27] [INFO] testing connection to the target url
[15:52:27] [INFO] heuristics detected web page charset 'None'
sqlmap got a 302 redirect to 'http://192.168.56.101:80/dvwa/login.php'. Do
you want to follow? [Y/n]
[15:52:28] [INFO] testing if the url is stable, wait a few seconds
you provided a HTTP Cookie header value. The target url provided its own
cookies within the HTTP Set-Cookie header which intersect with yours. Do
you want to merge them in futher requests? [Y/n]
[15:52:30] [WARNING] GET parameter 'id' does not appear dynamic
[15:52:30] [WARNING] reflective value(s) found and filtering out
[15:52:30] [WARNING] heuristic test shows that GET parameter 'id' might not
be injectable
[15:52:30] [INFO] testing for SQL injection on GET parameter 'id'
[15:52:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:52:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING
clause'
[15:52:31] [INFO] testing 'MySQL inline queries'
[15:52:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:52:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:52:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:52:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:52:34] [WARNING] GET parameter 'id' is not injectable
[15:52:34] [WARNING] GET parameter 'Submit' does not appear dynamic
[15:52:34] [WARNING] heuristic test shows that GET parameter 'Submit' might
not be injectable
[15:52:34] [INFO] testing for SQL injection on GET parameter 'Submit'
[15:52:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:52:34] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING
clause'
[15:52:34] [INFO] testing 'MySQL inline queries'
[15:52:34] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:52:34] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:52:34] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:52:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:52:37] [WARNING] GET parameter 'Submit' is not injectable
[15:52:37] [CRITICAL] all tested parameters appear to be not injectable.
Try to increase '--level'/'--risk' values to perform more tests. Also, you
can try to rerun by providing either a valid value for option '--string'
(or '--regexp')
thanks
--
Ciao
Stefano Lorenzi
www.lorenzistefano.com
|
|
From: Bernardo D. <ber...@gm...> - 2013-02-01 15:07:18
|
Remove "Cookie=" from the cookie value. Make sure you have sqlmap updated
from GitHub and the session cookie is valid.
Bernardo Damele A. G.
This message was sent from a smartphone
|
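Why the "Cookie=" prefix matters, as an added example that is not part of the original thread: it splits the posted --cookie value the way a Cookie header is read and scans the posted output for the login redirect. The cookie strings and the log lines are copied from the message above; the function names and the rule that a redirect target containing "login" means no valid session are assumptions.

```python
import re

# Values below are taken from the post; the helper names are hypothetical.
COOKIE_AS_POSTED = "Cookie=security=low; PHPSESSID=g123shj27qt27pf5prctrk0t32"
COOKIE_CORRECTED = "security=low; PHPSESSID=g123shj27qt27pf5prctrk0t32"
LOG_AS_POSTED = [
    "[15:52:27] [INFO] testing connection to the target url",
    "sqlmap got a 302 redirect to 'http://192.168.56.101:80/dvwa/login.php'. Do",
    "[15:52:30] [WARNING] GET parameter 'id' does not appear dynamic",
]

def parse_cookie_value(value):
    """Split a Cookie header value into (name, value) pairs at the first '='."""
    pairs = []
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            pairs.append((name, val))
    return pairs

def cookie_problems(value, expected=("security", "PHPSESSID")):
    """List reasons the server would not see the cookies the tester intended."""
    pairs = parse_cookie_value(value)
    names = [name for name, _ in pairs]
    problems = []
    if names and names[0].lower() == "cookie":
        problems.append("header name pasted into value: cookie %r=%r" % pairs[0])
    for name in expected:
        if name not in names:
            problems.append("expected cookie %r is never sent" % name)
    return problems

# Assumption: a redirect whose target contains "login" means no valid session.
LOGIN_REDIRECT = re.compile(r"got a 302 redirect to '([^']*login[^']*)'")

def login_redirects(log_lines):
    """Return redirect targets showing the scan was bounced to a login page."""
    return [m.group(1) for m in map(LOGIN_REDIRECT.search, log_lines) if m]

if __name__ == "__main__":
    for problem in cookie_problems(COOKIE_AS_POSTED):
        print("cookie:", problem)
    for target in login_redirects(LOG_AS_POSTED):
        print("redirected to login page:", target)
```

With the value as posted, the first cookie is named `Cookie` and carries `security=low` as its value, so no cookie called `security` reaches the application.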
|
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-04 00:33:57
|
Hi Tim,
What is the url you provided sqlmap with?
Did you manually confirm that the page content differs when true and
false conditions are injected for zahl2 parameter?
Cheers,
Bernardo
On Tue, Nov 17, 2009 at 11:03, Tim Jordans <ma...@ti...> wrote:
> Hello,
> my name is Tim Jordans.
>
> First of all I have tested sqlmap and thanks for the tool.
>
> I stumbled upon a problem. In the following php-script sqlmap did not
> find any injection:
>
> mysql_query('SELECT * FROM tb_apotheke WHERE AID="'.
> mysql_real_escape_string($_REQUEST['zahl1']).'" OR AID='.
> $_REQUEST['zahl2'].' OR AID="'.
> mysql_real_escape_string($_REQUEST['zahl3']).'"'
> );
>
> Although the middle parameter is not escaped, sqlmap can't inject. I was
> wondering if the statement is not insecure or is this not part of the
> sqlmap testing routine.
>
> I hope that someone could help me with this problem.
>
> greetings
> tim jordans
>
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
|