Matt,

About your point a), sqlmap did not identify the OR-based boolean-based
injection because these are not tested at the detection phase by
default. You need to increase --risk to 3 and the --level value to an
appropriate one. Please refer to the user's manual for further
details. These two switches are mandatory to understand in order to
get the best out of sqlmap.

Bernardo Damele A. G.

This message was sent from a smartphone

On 6 Jun 2011, at 11:21, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:

> appendix:
>
> "When I get in, I can't extract data.  I can get verification that I'm
> a DBA, but little to nothing else"
> and
> "why I would get no data returned?"
>
> for all of you who experience these symptoms here and there, there are
> two possibilities:
> a) there is something actually wrong with sqlmap and please refer to
> the last mail for what to do to help us out
> b) queries are filtered by some kind of WAF (e.g. @@version works but
> everything else fails)
>
> kr
>
>
> On Mon, Jun 6, 2011 at 12:11 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
>> hi Matt
>>
>> On Sat, Jun 4, 2011 at 10:47 PM, Matt Gardenghi <mtgar...@gmail.com> wrote:
>>> Hello,
>>>
>>> I've been testing a non-production app from a black-box perspective.  The
>>> only SQLi I've found is from the login page.  I can bypass the login by
>>> dropping something like: 1' or 1=1-- into the password field.
>>> Unfortunately, sqlmap doesn't find this vulnerability.  Well, that's not
>>> quite true.  I eventually dumped my Burp proxy log into a file and had
>>> sqlmap target it.  The POST file is icky (IIS7.5 ASP and tons of weird data
>>> running around).   Still after repeated tests, sqlmap eventually found this
>>> vulnerability as a time based SQLi.
>>>
>>> I don't understand why sqlmap cannot locate the vulnerability via the
>>> stacked query or simply that it bypasses the login page.  When I get in, I
>>> can't extract data.  I can get verification that I'm a DBA, but little to
>>> nothing else.  With --sql-shell, I can run 'SELECT @@version' and sqlmap
>>> returns a blank data set; if the query is bogus, it returns an error.  So,
>>> for some reason, no data is returned.
>>> Would anyone be able to give me some pointers on a) why sqlmap doesn't see
>>> this injection properly, and b) why I would get no data returned?
>>
>> no problem.
>>
>> in this kind of situation the rule of thumb goes like this:
>> 1) try to exploit it manually
>> 2) if you succeed in 1) then please report back and we'll be more than
>> happy to make a fix
>> 3) if you don't succeed with 1) then please collect as much data as
>> you can with -v 3 and -t traffic.txt, inspect it yourself and try to
>> find something that could explain sqlmap's faulty behavior
>> 4) if you are not very skillful with 2) or 3) you can always send some
>> more data (traffic.txt, debug output of -v 3, target url) privately
>> via email
>>
>> kr
>>
>> p.s. personally, i admire people that do 1) and 2) by themselves and report
>> back.
>>
>>> Thanks,
>>>
>>> --
>>> Matt Gardenghi
>>>
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> sqlmap-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>>
>> E-mail: miroslav.stampar (at) gmail.com
>> PGP Key ID: 0xB5397B1B
>>
>
>
>
> --
> Miroslav Stampar
>
> E-mail: miroslav.stampar (at) gmail.com
> PGP Key ID: 0xB5397B1B
>
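Added example, not from this thread and not sqlmap's own code: a small Python/sqlite3 model of the login query Matt describes. It shows why `1' or 1=1--` in the password field logs you in against a string-built query, why the AND-based payloads sqlmap sends at its default --risk produce no visible difference on such a page (the base condition is already false, so `and 1=1` and `and 1=2` both fail the same way, which is why Bernardo points at --risk 3 for the OR-based tests), and how the parameterized form treats the same text as plain data. The users table, its rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data for the example; not taken from the thread.
SAMPLE_USERS = [
    ("alice", "s3cret", 1),   # a DBA account
    ("bob", "hunter2", 0),
]


def make_db():
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, is_dba INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """The string-concatenated query shape behind a classic login bypass."""
    return (
        "SELECT username FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )


def login_vulnerable(conn, username, password):
    """Attacker-controlled text is parsed as SQL. Returns the matched
    username or None. With password  1' or 1=1--  the WHERE clause becomes
    (username='x' AND password='1') OR 1=1 -- ...  which is true for every
    row, so the first row is returned and the login is bypassed."""
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Bound parameters: the same text is compared as data, never parsed
    as SQL, so the tautology payload is just a wrong password."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def boolean_probe_distinguishable(conn, username, base_value, use_or):
    """Model of a boolean-based detection pair (true vs. false condition).
    Returns True when the two responses differ, i.e. the injection is
    observable. AND-based pairs (sqlmap's default) only differ when the base
    value already matches a row; OR-based pairs differ regardless, which is
    why they need a higher --risk to be sent."""
    op = "or" if use_or else "and"
    true_case = login_vulnerable(conn, username, "%s' %s 1=1--" % (base_value, op))
    false_case = login_vulnerable(conn, username, "%s' %s 1=2--" % (base_value, op))
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, or-payload   :", login_vulnerable(db, "x", "1' or 1=1--"))
    print("vulnerable, and-payload  :", login_vulnerable(db, "x", "1' and 1=1--"))
    print("parameterized, or-payload:", login_parameterized(db, "x", "1' or 1=1--"))
    print("AND pair observable?      :", boolean_probe_distinguishable(db, "x", "1", False))
    print("OR pair observable?       :", boolean_probe_distinguishable(db, "x", "1", True))
```

The point for a defender is the last two lines of output: on a login form whose base value never matches, only the OR-based pair reveals the flaw, so a scan run at the default risk level can report nothing while a hand-typed tautology still bypasses the login. The parameterized function is the fix; the string-built one exists only to show the behaviour.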
