Oh, it looks like I am an idiot, this was supposed to be over SSL, but I was not passing --force-ssl.
Sorry for the spam. On Sun, Mar 30, 2014 at 8:49 AM, Brandon Perry <bperry.volat...@gmail.com>wrote: > FWIW --parse-errors also doesn't seem to affect the output during a scan > on the URL. > > > On Sun, Mar 30, 2014 at 8:33 AM, Brandon Perry > <bperry.volat...@gmail.com>wrote: > >> Hi, >> >> I am playing around with an interesting SQL injection. A GET to a php >> script with two params (date1 and date2) will generate a PNG when >> successful, but will output a textual error message when, say , an >> apostrophe is thrown in one of the dates. >> >> >> For instance, GET fdsa.php?date1=2014-02-28&date2=2014-03-30 will result >> in a PNG. >> >> >> GET fdsa.php?date1=2014-02-28&date2=2014-03-30' (note apostrophe in last >> param) will yield: >> >> You have an error in your SQL syntax; check the manual that corresponds >> to your MySQL server version for the right syntax to use near 'admin' AND >> a.sid=i.sid and i.ref IN (SELECT ref from >> Itablet)' at line 4 >> >> >> GET fdsa.php?date1=2014-02-28&date1=2014-03-30'+and+'1'='1 will result in >> a PNG >> >> >> Since the result of a successful query is a PNG, I only expect to be able >> to use an error-based, or boolean/time-based attacks. However, sqlmap >> doesn't detect that either of the params are injectable (both are). >> >> [06:04:13] [WARNING] GET parameter 'date1' does not appear dynamic >> [06:04:13] [WARNING] heuristic (basic) test shows that GET parameter >> 'date1' might not be injectable >> >> >> I have tried using --text-only and am not using -o, but to no avail. Any >> thoughts on some tricks I can try to see if sqlmap will be able to exploit >> the injection points? >> >> I can send a traffic file if that helps. Currently on latest. >> >> bperry@ubuntu:~/tools/sqlmap$ git pull >> Already up-to-date. >> bperry@ubuntu:~/tools/sqlmap$ >> >> >> -- >> http://volatile-minds.blogspot.com -- blog >> http://www.volatileminds.net -- website >> > > > > -- > http://volatile-minds.blogspot.com -- blog > http://www.volatileminds.net -- website > -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website
------------------------------------------------------------------------------
_______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
