Hi Ryan.
You are advised to use auxiliary switches in this kind of case:
--string
or
--text-only
could help you here.
Kind regards,
Miroslav Stampar
On Fri, Jan 6, 2012 at 5:52 PM, ryan cartner <ryan.cart...@gmail.com> wrote:
> I'm testing this Cornerstone CMS vuln
>
> http://www.exploit-db.com/exploits/18319/
>
> When I load this URL (http://192.168.1.101/default.asp?id=2%27) manually
> in my browser I get
>
> Microsoft JET Database Engine error '80040e14'
>
> Syntax error in string in query expression 'Id=2''.
> sqlmap doesn't find anything:
>
> [11:48:01] [INFO] testing connection to the target url
> [11:48:02] [INFO] testing if the url is stable, wait a few seconds
> [11:48:04] [INFO] url is stable
> [11:48:04] [INFO] testing if GET parameter 'id' is dynamic
> [11:48:04] [INFO] heuristics detected web page charset 'ascii'
> [11:48:05] [INFO] confirming that GET parameter 'id' is dynamic
> [11:48:05] [INFO] GET parameter 'id' is dynamic
> [11:48:06] [INFO] heuristic test shows that GET parameter 'id' might be
> injectable (possible DBMS: Microsoft Access)
> [11:48:06] [INFO] testing sql injection on GET parameter 'id'
> [11:48:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> parsed error message(s) showed that the back-end DBMS could be Microsoft
> Access. Do you want to skip test payloads specific for other DBMSes? [Y/n]
> [11:48:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> [11:48:28] [WARNING] GET parameter 'id' is not injectable
> [11:48:28] [CRITICAL] all parameters appear to be not injectable. Try to
> increase --level/--risk values to perform more tests. Rerun by providing
> either a valid --string or a valid --regexp, refer to the user's manual for
> details
> [11:48:28] [WARNING] HTTP error codes detected during testing:
> 500 (Internal Server Error) - 47 times
>
> [*] shutting down at: 11:48:28
>
>
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
Miroslav Stampar
http://about.me/stamparm