Hello guys, I made 3 injection attempts, and all 3 gave different information: 
one said there was no injection, another said through heuristics that the DBMS 
is Firebird, and another that the DBMS is SAP MaxDB. I also tested it with 
--tamper and --string, as sqlmap suggested, and it stated that it was a false 
positive. Would this be a bug or an error?
I love information, more and more, I'm hungry :-).

sqlmap.py -u "https://website/action/link?id=value" --fingerprint --threads=10 --technique=B
    sqlmap/1.0-dev-42a8234 - automatic SQL injection and database takeover tool 
   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior 
mutual consent is illegal. It is the end user's responsibility to obey all 
applicable local, state and federal laws. Developers assume no liability and 
are not responsible for any misuse or damage caused by this program
[*] starting at 20:42:06
[20:42:06] [INFO] testing connection to the target URL
[20:42:06] [INFO] heuristics detected web page charset 'ascii'
[20:42:06] [INFO] testing if the target URL is stable. This can take a coulpe of seconds
[20:42:08] [INFO] testing if GET parameter 'id' is dynamic
[20:42:08] [WARNING] GET parameter 'id' does not appear dynamic
[20:42:09] [WARNING] heuristic <basic> test shows that GET parameter 'id' might not be injectable
[20:42:09] [INFO] testing for SQL injection on GET parameter 'id'
[20:42:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:42:14] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable <with --string="0.0001">
[20:42:18] [INFO] heuristic <extended> test shows that the back-end DBMS could be 'Firebird'
do you want to include all tests for 'Firebird' extending provided level <1> and risk <1>? [Y/n] y
[20:42:26] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[20:42:27] [WARNING] false positive or unexploitable injection point detected
[20:42:27] [WARNING] there is a possibility that the character '>' is filtered by the back-end server. You can try to rerun with '--tamper=between'
[20:42:27] [WARNING] GET parameter 'id' is not injectable
[20:42:27] [CRITICAL] all teste parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Rerun without providing the option '--technique'. Also, you can try to rerun by providing a valid value for option '--string' as perhaps the string you have choosen does not match exclusively True responses
[*] shutting down at 20:42:27
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users