Hi Alfonso,
Please provide sqlmap with the --string option. Read the user's
manual for details.
Cheers,
Bernardo
On Sun, Mar 8, 2009 at 17:02, alfonso caponi <alf...@gm...> wrote:
> Hi list,
>
> I'm using sqlmap with a website created ad-hoc (Apache/2.2.9 (Ubuntu)
> PHP/5.2.6-2ubuntu4.1 with Suhosin-Patch, mysql Ver 14.12 Distrib 5.0.67,
> for debian-linux-gnu (i486) using readline 5.2).
>
> The simple and insecure PHP code:
>
> ...
> ...
> $query = "SELECT id from $db_table where username = '$username'";
> $result = mysql_query($query);
>
> while ($row = mysql_fetch_array($result)){
> print "$row[0]<br>";
> }
> ...
> ...
>
> the MySQL table:
>
> mysql> show columns from tbl_test;
> +----------+-------------+------+-----+---------+----------------+
> | Field    | Type        | Null | Key | Default | Extra          |
> +----------+-------------+------+-----+---------+----------------+
> | id       | int(10)     | NO   | PRI | NULL    | auto_increment |
> | username | varchar(20) | NO   |     | NULL    |                |
> | password | varchar(20) | NO   |     | NULL    |                |
> +----------+-------------+------+-----+---------+----------------+
>
> get_magic_quotes_gpc = Off
>
> Now, I can do an SQL injection attack with ' or 1=1-'
>
> http://127.0.0.1/test/test_sql.php?username=username1%27%20or%201=1-%27
>
> but with sqlmap...
>
> ...
> ...
> [17:58:58] [WARNING] GET parameter 'username' is not injectable
>
> I've also tried with --prefix "'" --postfix "'OR 1=1--'" etc... but nothing.
>
> Any hints?
>
> Thank you,
> AL
--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F
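
Added example, not part of the original thread: a hardened form of the test page's query from the quoted message, using a mysqli prepared statement for the username and an allow-list for the table name. The connection settings, the database name and the allow-list contents are assumptions.

```php
<?php
// Hardened counterpart of the quoted test_sql.php query (added example).
// Assumed, not from the thread: host, credentials, database name "test",
// and the contents of ALLOWED_TABLES.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const ALLOWED_TABLES = ['tbl_test'];

function fetch_ids(mysqli $db, string $table, string $username): array
{
    // Identifiers cannot be bound as parameters, so the table name is
    // checked against a fixed list before it reaches the SQL text.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    // The username column is varchar(20); longer input cannot match.
    if (strlen($username) > 20) {
        return [];
    }

    // The value travels separately from the statement, so a quote in
    // $username stays data and never terminates the string literal.
    $stmt = $db->prepare("SELECT id FROM `$table` WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id);

    $ids = [];
    while ($stmt->fetch()) {
        $ids[] = (int) $id;
    }
    $stmt->close();
    return $ids;
}

// Placeholder connection settings.
$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'test');

// Accept only a scalar string; ?username[]=x would otherwise be an array.
$username = (isset($_GET['username']) && is_string($_GET['username']))
    ? $_GET['username']
    : '';

foreach (fetch_ids($db, 'tbl_test', $username) as $id) {
    // Encode on output as well, even though id is an integer here.
    echo htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8'), "<br>";
}
```

With this version the request from the quoted message is looked up as a literal username and returns no rows.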