FWIW --parse-errors also doesn't seem to affect the output during a scan on
the URL.


On Sun, Mar 30, 2014 at 8:33 AM, Brandon Perry <bperry.volat...@gmail.com>wrote:

> Hi,
>
> I am playing around with an interesting SQL injection. A GET to a php
> script with two params (date1 and date2) will generate a PNG when
> successful, but will output a textual error message when, say , an
> apostrophe is thrown in one of the dates.
>
>
> For instance, GET fdsa.php?date1=2014-02-28&date2=2014-03-30 will result
> in a PNG.
>
>
> GET fdsa.php?date1=2014-02-28&date2=2014-03-30' (note apostrophe in last
> param) will yield:
>
> You have an error in your SQL syntax; check the manual that corresponds to
> your MySQL server version for the right syntax to use near 'admin' AND
> a.sid=i.sid and i.ref IN (SELECT ref from
> Itablet)' at line 4
>
>
> GET fdsa.php?date1=2014-02-28&date1=2014-03-30'+and+'1'='1 will result in
> a PNG
>
>
> Since the result of a successful query is a PNG, I only expect to be able
> to use an error-based, or boolean/time-based attacks. However, sqlmap
> doesn't detect that either of the params are injectable (both are).
>
> [06:04:13] [WARNING] GET parameter 'date1' does not appear dynamic
> [06:04:13] [WARNING] heuristic (basic) test shows that GET parameter
> 'date1' might not be injectable
>
>
> I have tried using --text-only and am not using -o, but to no avail. Any
> thoughts on some tricks I can try to see if sqlmap will be able to exploit
> the injection points?
>
> I can send a traffic file if that helps. Currently on latest.
>
> bperry@ubuntu:~/tools/sqlmap$ git pull
> Already up-to-date.
> bperry@ubuntu:~/tools/sqlmap$
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users

Reply via email to