Hi James,

On 8 May 2011 21:33, <ja...@ev6.net> wrote:
> Hi,
>
> I was recently messing around with another scanner and I found an
> injection I'd like to play around with in Sqlmap.
>
> The injection found is a POST to something.asp and it's "
> action=login&login=whatever'=sleep(15)='&password= ". I verified it
> manually and it's good to go, however I've not yet been able to get
> SQLmap to detect and exploit it.

I don't get the payload. Is it literally: whatever'=sleep(15=' ?
If so, those two equal signs do not look to me like valid SQL.

Can you check with the other scanner what exact payload got injected?
What is the back-end DBMS?

Thank you.

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users