Discussion:
[sqlmap-users] Problem with a Login
Daniele Bianchin
2016-12-04 14:06:02 UTC
Hi!
I have an issue with sqlmap.
I created my own fake login in order to test blind SQL injection, but
every time I make a test sqlmap says it isn't exploitable.
I tried to add a suffix, set level to 5, set risk to 3, set not-string
option but sqlmap still does not work with it.
The login source is: http://pastebin.com/xzKZJNB1

I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL
SELECT NULL;NULL #, etc... and they work.
What should I do?

Thanks in advance!


Daniele.
Brandon Perry
2016-12-04 14:24:24 UTC
What command and arguments are you using exactly?

Sent from a phone
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
sqlmap-users mailing list
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
Miroslav Stampar
2016-12-04 14:27:59 UTC
This is a straightforward case. You are messing something up.

Use username=foobar&password=foobar in POST data. Don't put already SQLi
payload anywhere. Use --level=3 --risk=3

As said, you are doing something really really wrong here.

Bye
--
Miroslav Stampar
http://about.me/stamparm
Brandon Perry
2016-12-04 14:39:07 UTC
You can add --proxy and make sqlmap pass all requests through burpsuite or another proxy so you can see what the difference is between the requests sqlmap creates and the ones you make by hand.
Daniele Bianchin
2016-12-04 15:46:21 UTC
Ok, I made a test with BurpSuite as Brandon said.
I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
The same payload with sqlmap did not.

This is what BurpSuite shows: http://pastebin.com/6ifKNX9k

The first is made manually with Firefox, the second with sqlmap...
Should I change user-agent in sqlmap?
Miroslav Stampar
2016-12-04 15:50:52 UTC
I am kind of confused. You said that it's your application, right? Why
would your application care about UA? Also, you've sent source code which
hasn't looked into UA.

Bye
Daniele Bianchin
2016-12-04 15:57:23 UTC
@Miroslav. What does UA mean?

@Brandon tried with sqlmap -u "127.0.0.1/test/Login.php"
--data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus
and it didn't work.
Miroslav Stampar
2016-12-04 15:57:56 UTC
UA == User-Agent
Daniele Bianchin
2016-12-04 16:00:27 UTC
@Miroslav Ah ok... I don't know, I tried everything...
Daniele Bianchin
2016-12-04 16:10:17 UTC
Anyway... could anyone take the source and try it himself?

If it can help, I'm using PHP v7.0 with php-mysql libraries.
Daniele Bianchin
2016-12-04 17:00:11 UTC
I found something: the problem is that sqlmap doesn't know when the query is
true or false, because when it is true it's redirected to index.php, and when
it is false Login.php shows an error message.

Is there a way to say "IF (you get redirected to index.php) THEN query is
true ELSE query is false" or "IF (Login.php shows an error) THEN query is
false ELSE query is true"?

I tried with the no-string option but it doesn't seem to work.


​
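The last message in the thread describes a login whose only visible difference between a true and a false query is the response itself: a redirect to index.php versus Login.php with an error. The sketch below is an example added here, not the poster's Login.php (the pastebin source is not reproduced on this page): it models that behaviour beside a parameterized version and checks whether a condition typed into the username field changes the response. The table, the query text, the SQLite engine (standing in for PHP/MySQL, so `--` replaces MySQL's `#` comment) and all function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed one-user table; a real application would store password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-pw')")
    return db


def respond(row):
    # Behaviour described in the thread: a matching row redirects to index.php,
    # no match re-renders Login.php with an error message.
    if row is not None:
        return {"status": 302, "location": "index.php", "body": ""}
    return {"status": 200, "location": None, "body": "Wrong username or password"}


def login_vulnerable(db, username, password):
    # Assumed shape of the flawed login: input is pasted into the SQL text.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        row = None  # a broken statement looks like a failed login
    return respond(row)


def login_parameterized(db, username, password):
    # Hardened form: the driver binds the values, so quotes stay data.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return respond(row)


def signature(resp):
    """The part of the response that separates 'true' from 'false' here."""
    return (resp["status"], resp["location"])


def leaks_condition(login, db):
    """Regression check: does a condition inside the username change the response?

    The two inputs differ only in an always-true versus always-false condition.
    If the login treats input as data, both are unknown usernames and the
    responses are identical.
    """
    true_case = login(db, "x' OR 1=1 -- ", "x")
    false_case = login(db, "x' OR 1=2 -- ", "x")
    return signature(true_case) != signature(false_case)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable),
                     ("parameterized", login_parameterized)):
        ok = signature(fn(db, "alice", "constructed-pw"))
        print(name, "valid login ->", ok, "| leaks condition:", leaks_condition(fn, db))
```

The check compares status code and Location rather than page text, because in the behaviour described above the redirect carries the signal and the body of a 302 is empty.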