Is it a false positive because of filters that sanitize, or some decode() 
function making sure the ID is explicitly safe? Or some other reason?

Date: Wed, 12 Jun 2013 06:02:23 +0200
Subject: Re: [sqlmap-users] error or bug
From: miroslav.stam...@gmail.com
To: jonatah-rom...@hotmail.com
CC: sqlmap-users@lists.sourceforge.net

Hi.
It's a false positive.
Kind regards,

Miroslav Stampar
On Jun 12, 2013 2:42 AM, "Jonatah Romero" <jonatah-rom...@hotmail.com> wrote:




Hello guys, I made 3 injection attempts, and all 3 gave different information: 
one said there was no injection, another said through heuristics that the DBMS 
was Firebird, and another that the DBMS was SAP MaxDB. I also tested it with 
--tamper and --string, as sqlmap stated, and it stated that it was a false 
positive. Would it be a bug or an error?

Love information, more and more, I'm hungry :-).

sqlmap.py -u "https://website/action/link?id=value" --fingerprint --threads=10 --technique=B

    sqlmap/1.0-dev-42a8234 - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:42:06

[20:42:06] [INFO] testing connection to the target URL
[20:42:06] [INFO] heuristics detected web page charset 'ascii'
[20:42:06] [INFO] testing if the target URL is stable. This can take a coulpe of seconds
[20:42:08] [INFO] testing if GET parameter 'id' is dynamic
[20:42:08] [WARNING] GET parameter 'id' does not appear dynamic
[20:42:09] [WARNING] heuristic <basic> test shows that GET parameter 'id' might not be injectable
[20:42:09] [INFO] testing for SQL injection on GET parameter 'id'
[20:42:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:42:14] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable <with --string="0.0001">
[20:42:18] [INFO] heuristic <extended> test shows that the back-end DBMS could be 'Firebird'
do you want to include all tests for 'Firebird' extending provided level <1> and risk <1>? [Y/n] y
[20:42:26] [INFO] checking if the injection point on GET parameter 'id' is a false positive
[20:42:27] [WARNING] false positive or unexploitable injection point detected
[20:42:27] [WARNING] there is a possibility that the character '>' is filtered by the back-end server. You can try to rerun with '--tamper=between'
[20:42:27] [WARNING] GET parameter 'id' is not injectable
[20:42:27] [CRITICAL] all teste parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Rerun without providing the option '--technique'. Also, you can try to rerun by providing a valid value for option '--string' as perhaps the string you have choosen does not match exclusively True responses

[*] shutting down at 20:42:27

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users


                                          