I'm testing an app which I've confirmed is running Oracle and has injection
into the order by field.

http://xxx/test?order=id

id is a direct mapping to the database column name. I confirmed injection
with the following:

http://xxx/test?order=%28select%20%27id%27%20from%20dual%29

The site returns either a table of data or the Oracle exception if the
field name given is invalid.

I've run sqlmap against it with level 5 and risk 3 (it's a test site, client
happy to reset if damaged) but it doesn't detect the injection. I've also
tried with --string passing it a value from the table so it knows when it
hits valid data.

I know this should work and from what I've seen when searching a level 3
scan should detect it. What am I doing wrong?

And just for my curiosity, as I've got the working injection, would I be
able to pass that to sqlmap and point it at that to say inject into here. I
gave it a quick try and it complained that the URL provided was already
tainted and I should clean it up first.

Harry.
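
For the side that has to fix this finding: an added example, not part of the original post and not the tested application's code, showing the ORDER BY pattern described above next to an allowlisted form. It assumes an in-memory SQLite database standing in for Oracle (so the probe is written without `from dual`), and the table, the function names and the `ORDER_COLUMNS` mapping are hypothetical.

```python
import sqlite3

# Constructed sample data; SQLite stands in for the Oracle backend here.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(2, "beta"), (1, "alpha"), (3, "gamma")])
    return db

# Hypothetical allowlist: public parameter value -> fixed SQL fragment.
ORDER_COLUMNS = {"id": "id", "name": "name"}

def list_items_vulnerable(db, order):
    # The pattern in the post: the parameter is pasted in as a column name.
    # Bind variables cannot stand in for identifiers, which is why this
    # concatenation is so common in ORDER BY clauses.
    return db.execute("SELECT id, name FROM items ORDER BY " + order).fetchall()

def list_items_hardened(db, order, descending=False):
    # Only a fragment taken from the allowlist reaches the SQL text;
    # nothing from the request is ever concatenated into the statement.
    try:
        column = ORDER_COLUMNS[order]
    except KeyError:
        # Generic error: no database exception text goes back to the caller.
        raise ValueError("unsupported sort column") from None
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT id, name FROM items ORDER BY {column} {direction}"
    return db.execute(sql).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "(select 'id')"  # same shape as the confirmation request above
    print("vulnerable accepts probe:", list_items_vulnerable(db, probe))
    try:
        list_items_hardened(db, probe)
    except ValueError as exc:
        print("hardened rejects probe:", exc)
    print("hardened, order=name desc:", list_items_hardened(db, "name", True))
```
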