Most probably it has dynamic content inside (changing between each
response). I can't tell you more because I don't know the details about the
target.

Kind regards,
Miroslav Stampar
On Jun 12, 2013 9:13 PM, "Jonatah Romero" <jonatah-rom...@hotmail.com>
wrote:

> Is it a false positive because of sanitizing filters, or some decode()
> function making sure the ID is explicitly safe? Or some other reason?
>
> ------------------------------
> Date: Wed, 12 Jun 2013 06:02:23 +0200
> Subject: Re: [sqlmap-users] error or bug
> From: miroslav.stam...@gmail.com
> To: jonatah-rom...@hotmail.com
> CC: sqlmap-users@lists.sourceforge.net
>
> Hi.
>
> It's a false positive.
>
> Kind regards,
> Miroslav Stampar
> On Jun 12, 2013 2:42 AM, "Jonatah Romero" <jonatah-rom...@hotmail.com>
> wrote:
>
> Hello guys, I made 3 injection attempts and all 3 gave different
> information: one said there was no injection, another said through
> heuristics that the DBMS was Firebird, and another that the DBMS was SAP
> MaxDB. I also tested it with --tamper and --string, as sqlmap stated, and
> it stated that it was a false positive. Would it be a bug or an error?
>
> Love information, more and more, I'm hungry :-).
>
>
> sqlmap.py -u "https://website/action/link?id=value" --fingerprint
> --threads=10 --technique=B
>
>     sqlmap/1.0-dev-42a8234 - automatic SQL injection and database takeover
> tool
>     http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user'
> s responsibility to obey all applicable local, state and federal laws.
> Developers assume no liability and are not respon
> sible for any misuse or damage caused by this program
>
> [*] starting at 20:42:06
>
> [20:42:06] [INFO] testing connection to the target URL
> [20:42:06] [INFO] heuristics detected web page charset 'ascii'
> [20:42:06] [INFO] testing if the target URL is stable. This can take a
> coulpe of seconds
> [20:42:08] [INFO] testing if GET parameter 'id' is dynamic
> [20:42:08] [WARNING] GET parameter 'id' does not appear dynamic
> [20:42:09] [WARNING] heuristic <basic> test shows that GET parameter 'id'
> might not be injectable
> [20:42:09] [INFO] testing for SQL injection on GET parameter 'id'
> [20:42:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING
> clause'
> [20:42:14] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind
> - WHERE or HAVING clause' injectable <with --string="0.0001">
> [20:42:18] [INFO] heuristic <extended> test shows that the back-end DBMS
> could be 'Firebird'
> do you want to include all tests for 'Firebird' extending provided level
> <1> and risk <1>? [Y/n] y
> [20:42:26] [INFO] checking if the injection point on GET parameter 'id' is
> a false positive
> [20:42:27] [WARNING] false positive or unexploitable injection point
> detected
> [20:42:27] [WARNING] there is a possibility that the character '>' is
> filtered by the back-end server. You can try to rerun with
> '--tamper=between'
> [20:42:27] [WARNING] GET parameter 'id' is not injectable
> [20:42:27] [CRITICAL] all teste parameters appear to be not injectable.
> Try to increase '--level'/'--risk' values to perform more tests. Rerun
> without providing the option '--technique'. Also, you can try to rerun by
> providing a valid value for option '--string' as perhaps the string you
> have choosen does not match exclusively True responses
>
> [*] shutting down at 20:42:27
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
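
Added example (not part of the original thread and not sqlmap's own code): a simplified model of why per-response dynamic content can make a boolean-based check first pick a match string such as "0.0001" and then reject the finding as a false positive. Both pages and every function name are constructed for illustration and run entirely in memory.

```python
import itertools
import re

def dynamic_page():
    """Constructed page: ignores the tested condition, but one value changes per response."""
    counter = itertools.count(1)
    def fetch(condition: bool) -> str:
        return f"<html><p>Item 42</p><span>rate: 0.{next(counter):04d}</span></html>"
    return fetch

def conditional_page():
    """Constructed page whose body really depends on the tested condition."""
    def fetch(condition: bool) -> str:
        body = "<p>Item 42</p>" if condition else "<p>No results</p>"
        return f"<html>{body}</html>"
    return fetch

def pick_marker(true_body: str, false_body: str):
    """Naive first pass: first token seen only in the 'true' response."""
    false_tokens = set(re.split(r"[<>\s]+", false_body))
    for token in re.split(r"[<>\s]+", true_body):
        if token and token not in false_tokens:
            return token
    return None

def confirm(fetch, marker: str, rounds: int = 5) -> bool:
    """Second pass: the marker must track the condition on every repeat."""
    for _ in range(rounds):
        if marker not in fetch(True) or marker in fetch(False):
            return False
    return True

def assess(fetch):
    """Return (verdict, marker) for one page model."""
    marker = pick_marker(fetch(True), fetch(False))
    if marker is None:
        return ("not detected", None)
    verdict = "confirmed" if confirm(fetch, marker) else "false positive"
    return (verdict, marker)

if __name__ == "__main__":
    print("dynamic page:    ", assess(dynamic_page()))
    print("conditional page:", assess(conditional_page()))
```

On the dynamic page the single true/false comparison differs only because the page changed between two requests, so the chosen marker never reappears and the confirmation pass rejects it.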