Thread: [sqlmap-users] testing testfire
From: Gordon M. <gm...@gm...> - 2014-06-11 20:29:31
I've never been very successful using sqlmap, perhaps someone can help point out what I'm missing. For example, when using IBM's intentionally vulnerable test web app http://demo.testfire.com/ I manually verified that the uid parameter in login.aspx is vulnerable to SQLi (using the payload admin' or 1=1;--). I saved the login request to a file via burp and ran ./sqlmap.py -r CapturedRequestFile. Yet sqlmap still reports "POST parameter 'uid' is not injectable". What am I doing wrong?

thanks,
-G
From: Brandon P. <bpe...@gm...> - 2014-06-11 21:08:15
Increase your --risk to 3. OR payloads aren't run on the default risk level IIRC.

Sent from a computer

> On Jun 11, 2014, at 3:29 PM, Gordon Madarm <gm...@gm...> wrote:
>
> I've never been very successful using sqlmap, perhaps someone can help point out what I'm missing. For example, when using IBM's intentionally vulnerable test web app http://demo.testfire.com/ I manually verified that the uid parameter in login.aspx is vulnerable to SQLi (using the payload admin' or 1=1;--). I saved the login request to a file via burp and ran ./sqlmap.py -r CapturedRequestFile. Yet sqlmap still reports "POST parameter 'uid' is not injectable". What am I doing wrong?
>
> thanks,
> -G
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> http://p.sf.net/sfu/hpccsystems
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
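The payload in the first post (admin' or 1=1;--) is a tautology that rewrites the login query's WHERE clause, and Brandon's point is that sqlmap only tries OR-based payloads of that shape at a higher --risk. The following is an added example, not code from the thread or from the testfire application: a constructed in-memory SQLite login table with the concatenating query beside its parameterised fix, plus a small input check of the kind a defender might log on, so the underlying bug can be reproduced and fixed without the tool.

```python
import re
import sqlite3

# Constructed stand-in for a login table; this is not the testfire schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid TEXT, passw TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('jsmith', 'demo1234')")
    return db

def login_vulnerable(db, uid, passw):
    # String concatenation: the submitted uid becomes part of the SQL text,
    # so a quote in it closes the literal and the rest is parsed as SQL.
    sql = f"SELECT uid FROM users WHERE uid = '{uid}' AND passw = '{passw}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, uid, passw):
    # Bound parameters: the driver passes the values separately from the
    # statement, so nothing in uid or passw can alter the query structure.
    sql = "SELECT uid FROM users WHERE uid = ? AND passw = ?"
    row = db.execute(sql, (uid, passw)).fetchone()
    return row[0] if row else None

# Crude signal for request logs / input validation alerts: a quote followed by
# an OR-tautology such as ' or 1=1. Not a substitute for parameterisation.
TAUTOLOGY = re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE)

def looks_like_tautology(value):
    return TAUTOLOGY.search(value) is not None

if __name__ == "__main__":
    db = make_db()
    probe = "admin' or 1=1;--"   # payload quoted in the first post
    print("vulnerable:", login_vulnerable(db, probe, "wrong"))  # admin
    print("safe:", login_safe(db, probe, "wrong"))              # None
    print("flagged:", looks_like_tautology(probe))              # True
```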
From: Gordon M. <gm...@gm...> - 2014-06-12 05:57:05
On Thu, Jun 12, 2014 at 12:08 AM, Brandon Perry <bpe...@gm...> wrote:
> Increase your --risk to 3. OR payloads aren't run on the default risk
> level IIRC.
>

Hi Brandon,

Thanks but still no joy. Any other ideas?

-G

> Sent from a computer
>
> On Jun 11, 2014, at 3:29 PM, Gordon Madarm <gm...@gm...> wrote:
From: Miroslav S. <mir...@gm...> - 2014-06-12 07:12:14
http://unconciousmind.blogspot.com/2011/05/sqlmap-vs-testfire-testing-web-server.html

On Thu, Jun 12, 2014 at 7:56 AM, Gordon Madarm <gm...@gm...> wrote:
> On Thu, Jun 12, 2014 at 12:08 AM, Brandon Perry <bpe...@gm...> wrote:
>
>> Increase your --risk to 3. OR payloads aren't run on the default risk
>> level IIRC.
>>
> Hi Brandon,
>
> Thanks but still no joy. Any other ideas?
>
> -G
>
>> Sent from a computer
>>
>> On Jun 11, 2014, at 3:29 PM, Gordon Madarm <gm...@gm...> wrote:

--
Miroslav Stampar
http://about.me/stamparm