Thread: [sqlmap-users] stunned

Brought to you by: inquisb

sqlmap-users

[sqlmap-users] stunned

From: ciccio p. <cic...@gm...> - 2011-02-08 21:50:16

Hi, I've tested manually several sites which give me typical ODBC
MS-SQL syntax error with simple tick inserted in the POST login
parameters. Again when I perform different payloads like "union select
blabla" the error message change and show me I'm interact effectively
with the db.
BUT if I perform a simple test with sqlmap -u www.foo.bar/login.asp
--method=post --data=par1=val1&par2=val2 -p par1 it say me par1 is not
injectable (while manually it is). Why sqlmap doesn't see the vuln?
Where I wrong?
Again if in the data option i put a normal value for par1 (like asdf),
sqlmap say me "the parameter par 1 is not dynamic" and shutdown, while
if I put directly a tick after asdf value in the data option, sqlmap
see it like "dynamic" and start the tests (with "not injectable"
response at the end)
help plz
thks
mariuolo

Re: [sqlmap-users] stunned

From: Miroslav S. <mir...@gm...> - 2011-02-08 21:54:43

have you tried different levels (--level)?

have you tried different risks (--risk)?

in plainspeak:
higher level = more techniques
higher risk = more prefix/postfix combinations

kr

On Tue, Feb 8, 2011 at 10:50 PM, ciccio panzino
<cic...@gm...> wrote:
> Hi, I've tested manually several sites which give me typical ODBC
> MS-SQL syntax error with simple tick inserted in the POST login
> parameters. Again when I perform different payloads like "union select
> blabla" the error message change and show me I'm interact effectively
> with the db.
> BUT if I perform a simple test with sqlmap -u www.foo.bar/login.asp
> --method=post --data=par1=val1&par2=val2 -p par1 it say me par1 is not
> injectable (while manually it is). Why sqlmap doesn't see the vuln?
> Where I wrong?
> Again if in the data option i put a normal value for par1 (like asdf),
> sqlmap say me "the parameter par 1 is not dynamic" and shutdown, while
> if I put directly a tick after asdf value in the data option, sqlmap
> see it like "dynamic" and start the tests (with "not injectable"
> response at the end)
> help plz
> thks
> mariuolo
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>



-- 
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

Re: [sqlmap-users] stunned

From: Miroslav S. <mir...@gm...> - 2011-02-08 21:55:11

..and why are you stunned ciccio?

On Tue, Feb 8, 2011 at 10:54 PM, Miroslav Stampar
<mir...@gm...> wrote:
> have you tried different levels (--level)?
>
> have you tried different risks (--risk)?
>
> in plainspeak:
> higher level = more techniques
> higher risk = more prefix/postfix combinations
>
> kr
>
> On Tue, Feb 8, 2011 at 10:50 PM, ciccio panzino
> <cic...@gm...> wrote:
>> Hi, I've tested manually several sites which give me typical ODBC
>> MS-SQL syntax error with simple tick inserted in the POST login
>> parameters. Again when I perform different payloads like "union select
>> blabla" the error message change and show me I'm interact effectively
>> with the db.
>> BUT if I perform a simple test with sqlmap -u www.foo.bar/login.asp
>> --method=post --data=par1=val1&par2=val2 -p par1 it say me par1 is not
>> injectable (while manually it is). Why sqlmap doesn't see the vuln?
>> Where I wrong?
>> Again if in the data option i put a normal value for par1 (like asdf),
>> sqlmap say me "the parameter par 1 is not dynamic" and shutdown, while
>> if I put directly a tick after asdf value in the data option, sqlmap
>> see it like "dynamic" and start the tests (with "not injectable"
>> response at the end)
>> help plz
>> thks
>> mariuolo
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the development cycle.
>> Locate bottlenecks in serial and parallel code that limit performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> Alternate: miroslav.stampar (at) mail.ru
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>



-- 
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

Re: [sqlmap-users] stunned

From: Miroslav S. <mir...@gm...> - 2011-02-08 22:10:40

aha, now i see:
"sqlmap say me "the parameter par 1 is not dynamic" and shutdown"

you are using 0.8 right?

please update to the latest version (0.9/dev) from our repository:
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

we've fixed some minor stuff till then :)

kr

On Tue, Feb 8, 2011 at 10:55 PM, Miroslav Stampar
<mir...@gm...> wrote:
> ..and why are you stunned ciccio?
>
> On Tue, Feb 8, 2011 at 10:54 PM, Miroslav Stampar
> <mir...@gm...> wrote:
>> have you tried different levels (--level)?
>>
>> have you tried different risks (--risk)?
>>
>> in plainspeak:
>> higher level = more techniques
>> higher risk = more prefix/postfix combinations
>>
>> kr
>>
>> On Tue, Feb 8, 2011 at 10:50 PM, ciccio panzino
>> <cic...@gm...> wrote:
>>> Hi, I've tested manually several sites which give me typical ODBC
>>> MS-SQL syntax error with simple tick inserted in the POST login
>>> parameters. Again when I perform different payloads like "union select
>>> blabla" the error message change and show me I'm interact effectively
>>> with the db.
>>> BUT if I perform a simple test with sqlmap -u www.foo.bar/login.asp
>>> --method=post --data=par1=val1&par2=val2 -p par1 it say me par1 is not
>>> injectable (while manually it is). Why sqlmap doesn't see the vuln?
>>> Where I wrong?
>>> Again if in the data option i put a normal value for par1 (like asdf),
>>> sqlmap say me "the parameter par 1 is not dynamic" and shutdown, while
>>> if I put directly a tick after asdf value in the data option, sqlmap
>>> see it like "dynamic" and start the tests (with "not injectable"
>>> response at the end)
>>> help plz
>>> thks
>>> mariuolo
>>>
>>> ------------------------------------------------------------------------------
>>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>>> Pinpoint memory and threading errors before they happen.
>>> Find and fix more than 250 security defects in the development cycle.
>>> Locate bottlenecks in serial and parallel code that limit performance.
>>> http://p.sf.net/sfu/intel-dev2devfeb
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sql...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>>
>> E-mail: miroslav.stampar (at) gmail.com
>> Alternate: miroslav.stampar (at) mail.ru
>> PGP Key ID: 0xB5397B1B
>> Location: Zagreb, Croatia
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> Alternate: miroslav.stampar (at) mail.ru
> PGP Key ID: 0xB5397B1B
> Location: Zagreb, Croatia
>



-- 
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia