Thread: [sqlmap-users] Dynamic parameter
From: Ľuboš K. <lub...@gm...> - 2009-08-13 11:08:39
Hello,

I have an issue with sqlmap 0.7. I know that the parameter vid from URL I want to test is injectable with union but sqlmap comes to the statement that it isn't:

[12:53:04] [WARNING] GET parameter 'vid' is not injectable

I provided also the string which is in the page content of the url I provided. DB is MySQL 5.0. If you want I can give you the url so you can debug why it evaluates badly.

Regards,
Lubos

From: Wu, M. <Mic...@FM...> - 2010-03-08 23:16:53
Hi,

I'm just starting with SQLMap. I have an app that has known SQL inject vulnerabilities. http://www.badstore.net/

Here is the url after the application is installed and configured.
http://192.168.56.104/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=0&y=0

The searchquery parameter is known to have SQL injection vulnerabilities (confirmed manually as follows),
http://192.168.56.104/cgi-bin/badstore.cgi?searchquery=Money%27&action=search&x=0&y=0

DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Money'' IN (itemnum,sdesc,ldesc)' at line 1 at /usr/local/apache/cgi-bin/badstore.cgi line 207.

but SQL map 0.7 and 0.8-dev consistently report that this parameter is not "dynamic". Could someone help please?

SQL map output

GET http://192.168.56.104:80/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=19&y=12
do you want to test this url? [Y/n/q]
> Y
[17:33:16] [INFO] testing url http://192.168.56.104:80/cgi-bin/badstore.cgi?searchquery=Money&action=search&x=19&y=12
[17:33:16] [INFO] testing connection to the target url
[17:33:16] [INFO] testing if the url is stable, wait a few seconds
[17:33:18] [INFO] url is stable
...
[17:33:21] [INFO] testing if GET parameter 'x' is dynamic
[17:33:21] [WARNING] GET parameter 'x' is not dynamic
[17:33:21] [INFO] testing if GET parameter 'searchquery' is dynamic
[17:33:21] [WARNING] GET parameter 'searchquery' is not dynamic
[17:33:21] [INFO] testing if GET parameter 'y' is dynamic
[17:33:21] [WARNING] GET parameter 'y' is not dynamic

Regards
Michael

From: Ignacio H. <nac...@gm...> - 2010-03-09 14:35:19
You can use the "-p param" option to avoid the dynamicity tests. And also I think the detection engine is going to be rewritten to fix some flaws.

Just try "-p searchquery"

Cheers