Hi to everyone,
I am working on securing my Java server with an Oracle database, using sqlmap 
revision r4850. The command I made is:

python ./sqlmap.py --forms --risk=3 --level=2 --threads=2 --banner --union-char=1 --dbms=oracle -u http://mywebsite.com:8104/adminlogin.jsp

I got:
[23:26:57] [INFO] testing if POST parameter 'flag' is dynamic
[23:27:01] [WARNING] POST parameter 'flag' appears to be not dynamic
[23:27:04] [WARNING] heuristic test shows that POST parameter 'flag' might not be injectable
[23:27:04] [INFO] testing sql injection on POST parameter 'flag'
[23:27:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:29:03] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[23:31:48] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[23:32:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[23:32:53] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (utl_inaddr.get_host_address)'
[23:33:33] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[23:35:00] [INFO] testing 'Oracle AND time-based blind'
[23:35:46] [INFO] testing 'Oracle AND time-based blind (heavy query)'
[23:36:25] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
[23:42:02] [INFO] target url appears to be UNION injectable with 7 columns
[23:46:48] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[23:46:48] [WARNING] if the problem persists please try to lower the number of used threads (--threads)
[23:47:49] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
[23:56:05] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10 columns'


I think it is a bug in sqlmap, do you? I have googled, and so many people got 
the same notification, which means there is a SQL injection with a UNION query 
of xy columns, but sqlmap couldn't exploit the injection. I want someone to 
assure me whether it is only a bug in this framework or there is a switch that 
is missing. I don't know if tamper switches have something to do with it, 
especially as I am not sure if those tamper scripts work with the Oracle DBMS.
Regards, and I hope to hear from someone.

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
