Thread: [sqlmap-users] error or bug
From: Jonatah R. <jon...@ho...> - 2013-06-12 00:40:29
Hello guys, I made 3 injection attempts and all 3 gave different information: one said there was no injection, another said through heuristics that the DBMS was Firebird, and another that the DBMS was SAP MaxDB. I also tested it with --tamper and --string, as sqlmap stated, and it stated that it was a false positive. Would it be a bug or an error?

Love information, more and more, I'm hungry :-).

sqlmap.py -u "https://website/action/link?id=value" --fingerprint --threads=10 --technique=B

sqlmap/1.0-dev-42a8234 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:42:06

[20:42:06] [INFO] testing connection to the target URL
[20:42:06] [INFO] heuristics detected web page charset 'ascii'
[20:42:06] [INFO] testing if the target URL is stable. This can take a coulpe of seconds
[20:42:08] [INFO] testing if GET parameter 'id' is dynamic
[20:42:08] [WARNING] GET parameter 'id' does not appear dynamic
[20:42:09] [WARNING] heuristic <basic> test shows that GET parameter 'id' might not be injectable
[20:42:09] [INFO] testing for SQL injection on GET parameter 'id'
[20:42:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:42:14] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable <with --string="0.0001">
[20:42:18] [INFO] heuristic <extended> test shows that the back-end DBMS could be 'Firebird'
do you want to include all tests for 'Firebird' extending provided level <1> and risk <1>? [Y/n] y
[20:42:26] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[20:42:27] [WARNING] false positive or unexploitable injection point detected
[20:42:27] [WARNING] there is a possibility that the character '>' is filtered by the back-end server. You can try to rerun with '--tamper=between'
[20:42:27] [WARNING] GET parameter 'id' is not injectable
[20:42:27] [CRITICAL] all teste parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Rerun without providing the option '--technique'. Also, you can try to rerun by providing a valid value for option '--string' as perhaps the string you have choosen does not match exclusively True responses

[*] shutting down at 20:42:27
From: Miroslav S. <mir...@gm...> - 2013-06-12 04:02:32
Hi.

It's a false positive.

Kind regards,
Miroslav Stampar
From: Jonatah R. <jon...@ho...> - 2013-06-12 19:12:55
Is it a false positive because of sanitizing filters, or some function decode() making sure the ID is explicitly safe? Or some other reason?
From: Miroslav S. <mir...@gm...> - 2013-06-12 20:19:18
Most probably it has dynamic content inside (changing between each response). I can't tell you more because I don't know the details about the target.

Kind regards,
Miroslav Stampar
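A simplified model of how content that changes between responses can make a parameter look boolean-blind injectable on a first comparison and then fail a repeated check, added here as an illustration (it is not sqlmap's code and not part of the thread). The page classes, render times and function names are constructed for the example; only the marker string "0.0001" is taken from the log above.

```python
import itertools

MARKER = "0.0001"  # the --string value reported in the log above


class DynamicPage:
    """Constructed target that ignores the tested condition entirely.

    The footer prints a render time that differs between requests, so
    MARKER appears and disappears on its own.
    """

    def __init__(self, render_times):
        self._times = itertools.cycle(render_times)

    def fetch(self, condition):
        # `condition` is deliberately unused: the parameter has no effect.
        return "<p>item 42</p><footer>generated in %s s</footer>" % next(self._times)


class InjectablePage:
    """Constructed target whose body really depends on the condition."""

    def fetch(self, condition):
        row = "<p>price: 0.0001</p>" if condition else "<p>no rows</p>"
        return row + "<footer>static footer</footer>"


def looks_true(body):
    """A response counts as TRUE when the marker string is present."""
    return MARKER in body


def single_probe(page):
    """First impression: one TRUE request compared with one FALSE request."""
    return looks_true(page.fetch(True)) and not looks_true(page.fetch(False))


def confirm(page, rounds=5):
    """Repeat the comparison; a real oracle must answer correctly every time."""
    for i in range(rounds):
        order = (True, False) if i % 2 == 0 else (False, True)
        for condition in order:
            if looks_true(page.fetch(condition)) != condition:
                return False
    return True


def assess(page):
    """Return 'not injectable', 'false positive' or 'injectable'."""
    if not single_probe(page):
        return "not injectable"
    return "injectable" if confirm(page) else "false positive"


if __name__ == "__main__":
    # Constructed render-time sequences; each models one separate run.
    print(assess(DynamicPage(["0.0001", "0.0003", "0.0002", "0.0001", "0.0004"])))
    print(assess(DynamicPage(["0.0003", "0.0001"])))
    print(assess(InjectablePage()))
```

Two runs against the same dynamic page give different verdicts depending only on which render time each request happens to receive, while the page whose body follows the condition passes every round.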
From: Jonatah R. <jon...@ho...> - 2013-06-12 22:36:33
Okay. When the target is accessed in the browser without setting a value for the ID, or with it removed, for example:

www.target.com/action/link.php

it shows two errors, "Undefined index: id in on line 5," and "Call to undefined function decode () in on line 5". Note that a function decode() is invoked to handle the GET parameter, and it is precisely this function that is making the injection a false positive, I think. I thought enough of something to get around it, including, I believe, some to use this form of defense against SQL injection.
From: Miroslav S. <mir...@gm...> - 2013-06-13 15:23:37
Could you please send me the content of the traffic file for a normal sqlmap run? Just use -u .... --flush-session -t traffic.txt

Kind regards,
Miroslav Stampar