Hi Bores.
There are two kinds of users and we have to carefully balance between those
two.
The first kind are those that like to have everything click-click ready, and
the user/password database downloadable by just pressing Enter. For those users,
messages like "heuristic test shows that parameter could be injectable" and
"appears to be union injectable" are scary, and they either don't want to
see them or they are keen for sqlmap to exploit them out of the box.
The other kind are those that also know how to manually tamper with some
parameter and see for themselves if something is really injectable or
just appears to be. That kind of user likes to see those kinds of
messages because they know that if there is smoke there could be a fire.
Now, personally I really do like the second type of user, not because
they are "advanced" or similar, but because they'll try anything by
themselves (no matter how small the thing) to prove that something is really
wrong.
Now, imagine that we don't put those "appears to be" messages there. Those
from the first group would not be confused anymore, but those from the
second group could probably overlook that something could be (no matter how
small the chance) injectable by maybe using some tamper script or some
other advanced option.
Hence, that's not a bug. That's just for advanced users. Others can freely
skip it/them.
Kind regards,
Miroslav Stampar
On Sun, Mar 18, 2012 at 1:09 AM, Bores Valum <bores...@yahoo.com> wrote:
> Hi to everyone;
> Working on securing my Java server with an Oracle database and using sqlmap
> revision r4850. The command I made is: python ./sqlmap.py --forms --risk=3
> --level=2 --threads=2 --banner --union-char=1 --dbms=oracle -u
> http://mywebsite.com:8104/adminlogin.jsp
>
> I got :
> [23:26:57] [INFO] testing if POST parameter 'flag' is dynamic
> [23:27:01] [WARNING] POST parameter 'flag' appears to be not dynamic
> [23:27:04] [WARNING] heuristic test shows that POST parameter 'flag' might
> not be injectable
> [23:27:04] [INFO] testing sql injection on POST parameter 'flag'
> [23:27:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [23:29:03] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
> [23:31:48] [INFO] testing 'Generic boolean-based blind - Parameter replace
> (original value)'
> [23:32:07] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause
> (XMLType)'
> [23:32:53] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause
> (utl_inaddr.get_host_address)'
> [23:33:33] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause
> (XMLType)'
> [23:35:00] [INFO] testing 'Oracle AND time-based blind'
> [23:35:46] [INFO] testing 'Oracle AND time-based blind (heavy query)'
> [23:36:25] [INFO] testing 'Generic UNION query (1) - 1 to 10 columns'
> [23:42:02] [INFO] target url appears to be UNION injectable with 7 columns
> [23:46:48] [CRITICAL] connection timed out to the target url or proxy,
> sqlmap is going to retry the request
> [23:46:48] [WARNING] if the problem persists please try to lower the
> number of used threads (--threads)
> [23:47:49] [INFO] testing 'Generic UNION query (1) - 11 to 20 columns'
> [23:56:05] [INFO] testing 'Generic UNION query (NUL comment) (1) - 1 to 10
> columns'
>
>
> I think it is a bug from sqlmap, do you? I have googled and so many people
> got the same notification, which means there is a SQL injection with a UNION
> query of xy columns but sqlmap couldn't exploit the injection. I want
> someone to make me sure that it is only a bug in this framework or there is
> a switch that is missing. I don't know if tamper switches have something to
> do with it, especially as I am not sure if those tamper scripts work with the
> Oracle DBMS.
> Regards and I hope to hear from someone.
>
>
> ------------------------------------------------------------------------------
> This SF email is sponsosred by:
> Try Windows Azure free for 90 days Click Here
> http://p.sf.net/sfu/sfd2d-msazure
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
--
Miroslav Stampar
http://about.me/stamparm