I was going through the Backtrack how-to's forum, and g0tmi1k's posts 
about VulnImage led me to experiment with sqlmap. I'm using Backtrack 
5R2 and therefore sqlmap version 1.0-dev (r4766). I'm not sure what I'm 
doing wrong.

I created a page with a parameter that is injectable (i.e. no 
sanitization). The PHP-based page connects to a MySQL DB, with 5 columns. 
The actual PHP select statement is:

// Undo magic_quotes escaping, then paste the raw value straight into the SQL text
$name_bad = stripslashes($_POST['rs_string']);
$query_bad = "SELECT TestName, Price FROM pricelist WHERE testname = '$name_bad'";

(FYI: The stripslashes is in there because the version of php I'm 
testing on has magic quotes turned on. No login required for this page 
either.)

If I input, manually,

' or 1; --

then the query spits out every result in the database as it should, 
since the query is now

SELECT TestName, Price FROM pricelist WHERE testname = '' or 1; -- '

Classic injection - This parameter is vulnerable! (FYI, there is space 
after the second dash and it is required or the query errors out.)

I've gone further, and used the order by to see how many columns the 
select returns (yes, I know it's two, but I'm pretending I don't). So

' or 1 order by 1; -- '

orders by testname, and by changing "by 1" to "by 2" I can order by 
price. If I do "by 3", I get an error as expected since there are only 
two columns returned. Again, classic injection. This page IS vulnerable.

Now I fire up a burp proxy and browse the page, enter a testname or two 
so it's in the log (this is described in g0tmi1k's posts). Then I fire 
up sqlmap with the command:

./sqlmap -l /root/burp.log --banner --current-user --current-db --is-dba 
--dbms=MySQL

After testing the correct page, it tells me rs_string is not injectable, 
even if I crank up the level and risk. But it clearly is! I can do it by 
hand.

What am I doing wrong? Or have I found a bug?
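The query construction above, as an added example that is not part of the original post: the PHP page's string-built SELECT is rebuilt in Python over an in-memory SQLite table (an assumption standing in for the MySQL pricelist; only TestName and Price come from the post, the other three columns and the rows are constructed), next to the parameterized form that stops the same input from being parsed as SQL, plus the ORDER BY column probe the post describes.

```python
import sqlite3

# Constructed sample data standing in for the poster's MySQL "pricelist" table.
# Only TestName and Price are named in the post; the other columns are made up.
SAMPLE_ROWS = [
    ("Glucose", 12.50, "chem", 1, "24h"),
    ("Lipid Panel", 45.00, "chem", 2, "24h"),
    ("CBC", 20.00, "heme", 1, "4h"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pricelist "
        "(TestName TEXT, Price REAL, Dept TEXT, Tube INTEGER, Turnaround TEXT)"
    )
    conn.executemany("INSERT INTO pricelist VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_bad(conn, name):
    # Mirrors the PHP page: the user value is pasted into the SQL text, so a
    # quote, an OR clause and a trailing comment in the input become SQL.
    sql = f"SELECT TestName, Price FROM pricelist WHERE testname = '{name}'"
    return conn.execute(sql).fetchall()


def query_safe(conn, name):
    # Hardened form: the value is bound as a parameter and never parsed as SQL,
    # so "' or 1; -- " is just a literal that matches no row.
    sql = "SELECT TestName, Price FROM pricelist WHERE testname = ?"
    return conn.execute(sql, (name,)).fetchall()


def column_count_probe(conn, n):
    # The post's ORDER BY trick against the vulnerable query: True while the
    # ordinal is within the SELECT's columns, False once the DB rejects it.
    try:
        query_bad(conn, f"' or 1 order by {n}; -- ")
        return True
    except sqlite3.OperationalError:
        return False
```

Running `query_bad` with the post's `' or 1; -- ` input returns every row, while `query_safe` with the same input returns nothing; the probe succeeds for 1 and 2 and fails at 3, matching the behaviour described above.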

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users