It is probably not a good idea to attack http://www.siig.fr
-Patrick
On Fri, Sep 18, 2009 at 2:04 AM, Tristan Foureur <tri...@gm...> wrote:
> Hello,
>
> I don't know why but a really really basic injection is not detected. The
> URL is like www.host.com?news_id=270&zone_id=4 and when I'm doing
> www.host.com?news_id=270&zone_id=4 OR 1 it displays every news, when I'm
> doing news_id=270 AND 0 it displays no news. When I'm doing news_id=270
> THISISATEST it displays a MySQL error.
>
> So it's definitely injectable and that's not a "rare" type of injection.
>
> Now I would like to learn to use sqlmap to find these injections and how to
> use it but when I'm doing this:
>
> sqlmap.exe -u "http://www.siig.fr/fr/consnews2.php?news_id=270&zone_id=4"
> -v 1
>
> It says that both news_id and zone_id aren't injectable! I tried using
> the -p parameter like that: -p zone_id but it doesn't change anything.
>
> I don't think that sqlmap can't detect such basic injections, so could you
> tell me what are the proper parameters to detect something simple like that,
> and then how to exploit it ?
>
> Thanks :)