Hello, I've been testing a non-production app from a black-box perspective. The only SQLi I've found is from the login page. I can bypass the login by dropping something like: 1' or 1=1-- into the password field. Unfortunately, sqlmap doesn't find this vulnerability. Well, that's not quite true. I eventually dumped my Burp proxy log into a file and had sqlmap target it. The POST file is icky (IIS7.5 ASP and tons of weird data running around). Still, after repeated tests, sqlmap eventually found this vulnerability as a time-based SQLi.

I don't understand why sqlmap cannot locate the vulnerability via the stacked query or simply that it bypasses the login page. When I get in, I can't extract data. I can get verification that I'm a DBA, but little to nothing else. With --sql-shell, I can run 'SELECT @@version' and sqlmap returns a blank data set; if the query is bogus, it returns an error. So, for some reason, no data is returned.

Would anyone be able to give me some pointers on a) why sqlmap doesn't see this injection properly, and b) why I would get no data returned?

Thanks,
--
Matt Gardenghi

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
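
The login bypass described in the post, reproduced as an added example (not from the original post or the sqlmap project): a login check built by string concatenation beside a parameterized one, fed the password string quoted above. The `users` table, the function names and the in-memory SQLite database are assumptions made for the demo; the post does not show the application's query or name its database.

```python
import sqlite3

PAYLOAD = "1' or 1=1--"  # the password-field string quoted in the post


def make_db():
    """Constructed sample data: one account in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Plaintext password only to keep the demo short; real apps store a hash.
    db.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)", ("alice", "s3cret")
    )
    return db


def login_concatenated(db, username, password):
    """Vulnerable form: user input becomes part of the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return False  # malformed SQL is treated as a failed login
    return row is not None  # the caller only learns yes/no, never column data


def login_parameterized(db, username, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    row = db.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def run_demo():
    """Run valid, wrong and payload passwords through both login forms."""
    db = make_db()
    return {
        "concat_valid": login_concatenated(db, "alice", "s3cret"),
        "concat_wrong": login_concatenated(db, "alice", "nope"),
        "concat_payload": login_concatenated(db, "alice", PAYLOAD),
        "param_valid": login_parameterized(db, "alice", "s3cret"),
        "param_payload": login_parameterized(db, "alice", PAYLOAD),
    }
```

With bound parameters the quoted string is compared as a literal password, so the login is rejected; the concatenated form accepts it because the quote closes the string and the rest is parsed as SQL.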