Hi.

sqlmap should be able to spot this kind of SQLi out of the box. The problem in
your case is that it appears (IMHO) that your target is not vulnerable.
Error message != SQL injection! The target warns you that the targeted value
can't be cast to the desired type, and that means that it's most probably not
prone to SQL injection.

Kind regards,
Miroslav Stampar


On Mon, Mar 17, 2014 at 4:09 PM, Nate Kettlewell <nkw...@gmail.com> wrote:

> Hey guys, just ran across this one, SQL error comes back in the HTTP
> header.
>
> Has anyone else run across something like this? If so, how did you get SQLMap
> to pick up on it?
>
> Vulnerable Param is GET -> ECTID
>
> Request - Target Info Redacted
> GET /cgi/search_page.pl?ABMASTER=2&DOWHAT=SEARCH&LASTID=94321&USER=admin&P=lwJLt5inR&ECTID=9'&ABHOME=1 HTTP/1.1
> Host: X.X.X.X
> User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101
> Firefox/22.0 Iceweasel/22.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer:
> http://stuff.stuff.com/cgi/MRABdetails.pl?USER=admin&ECTID=9&MRP=lwJLt5inR&LASTID=30323&ABMASTER=2&ANDOR=and&ANCHOR=anchoron&SESS_ID=52a3435e497351139f35330ca0a3d81d&;
> Cookie: popupBlockerDisabled=true; __unam=f2242fe-14489b9a9cd-4e848782-1;
> DocumentWidth=1400
> Connection: keep-alive
>
>
> Response -
> HTTP/1.1 200 OK
> Cache-Control: no-cache,no-store,max-age=0
> ETag: ""
> Server: Microsoft-IIS/7.5
> Can't get config data from generic config table: getFromConfigFile: Can't
> execute sql select * from SomeTable  where ECTID= ? AND URE= ? AND Deleted
> is null AND rKey in ('P', 'S') Order by mOrder asc, values: [9'
> KBStatuses][Microsoft][ODBC SQL Server Driver]Invalid character value for
> cast specification (SQL-22018) at C:\Stuff\\cgi\SUBS\FP\GenericConfig.pl
> line 179.
> Date: Thu, 13 Mar 2014 21:39:00 GMT
> Connection: close
> Content-Length: 0
>
> Cheers,
>
> N8
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm
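
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not sqlmap's own detection logic: a small triage of a leaked database error that separates "bound value rejected by type conversion" from "input reached the SQL text". The function name, the regex for this application's log format and the second sample string are assumptions made for illustration.

```python
import re

# Constructed sample: the error text from the quoted response header, joined onto one line.
BOUND_ERROR = (
    "Can't execute sql select * from SomeTable  where ECTID= ? AND URE= ? "
    "AND Deleted is null AND rKey in ('P', 'S') Order by mOrder asc, "
    "values: [9' KBStatuses][Microsoft][ODBC SQL Server Driver]"
    "Invalid character value for cast specification (SQL-22018)"
)
# Constructed contrast case (not from the thread): same log format, input concatenated.
CONCAT_ERROR = (
    "Can't execute sql select * from SomeTable where ECTID= 9' AND Deleted is null, "
    "values: [][Microsoft][ODBC SQL Server Driver][SQL Server]"
    "Unclosed quotation mark after the character string (SQL-42000)"
)

# Assumed log layout: "... sql <statement>, values: [<bound values>]<driver message>"
STMT_RE = re.compile(r"\bsql\s+(.*?),\s*values:", re.I | re.S)
STATE_RE = re.compile(r"\b(?:SQL-|SQLSTATE\W{0,3})([0-9A-Z]{5})\b")


def triage(error_text, probe):
    """Classify a leaked database error seen after `probe` was sent in a parameter."""
    m = STMT_RE.search(error_text)
    statement = m.group(1) if m else ""
    state = STATE_RE.search(error_text)
    sqlstate = state.group(1) if state else ""
    signals = {
        "probe_in_statement": bool(statement) and probe in statement,
        "bind_markers": "?" in statement,
        "sqlstate": sqlstate,
    }
    if signals["probe_in_statement"]:
        verdict = "input-concatenated"    # the probe became part of the SQL text
    elif sqlstate[:2] in ("42", "37"):
        verdict = "syntax-error"          # class 42 (ODBC 2.x: 37000): statement structure affected
    elif signals["bind_markers"] and sqlstate[:2] == "22":
        verdict = "bound-value-rejected"  # class 22 data exception: value failed conversion only
    else:
        verdict = "inconclusive"
    return verdict, signals


if __name__ == "__main__":
    for name, text in (("thread sample", BOUND_ERROR), ("contrast sample", CONCAT_ERROR)):
        print(name, "->", triage(text, "9'"))
```
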