Hello,
 
I want to test our written function. So I started testing with the following command:
sqlmap.py -u "https://SERVER/index.php?module=upload&func=checkUserForm&c_id=102" --banner --auth-type=Basic --auth-cred=name:password
 
Now I'm wondering about the status of some messages.
 
Why is the following message a warning:
[09:25:52] [WARNING] GET parameter 'module' is not injectable
 
Or why is this critical:
[09:26:54] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
 
Is there an overview of the different message states (info, warning, critical and so on) and the meaning of them?
 
 
A short listing of the whole output:
[09:24:49] [INFO] testing connection to the target URL
[09:24:51] [INFO] heuristics detected web page charset 'UTF-8'
[09:24:51] [WARNING] reflective value(s) found and filtering out
[09:24:51] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:24:52] [INFO] target URL is stable
[09:24:52] [INFO] testing if GET parameter 'module' is dynamic
[09:24:52] [INFO] confirming that GET parameter 'module' is dynamic
[09:24:53] [WARNING] GET parameter 'module' does not appear dynamic
[09:24:53] [WARNING] heuristic (basic) test shows that GET parameter 'module' might not be injectable
[09:24:53] [INFO] testing for SQL injection on GET parameter 'module'
[09:24:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:24:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[09:24:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:24:58] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:25:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[09:25:01] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[09:25:03] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[09:25:03] [INFO] testing 'MySQL inline queries'
[09:25:03] [INFO] testing 'PostgreSQL inline queries'
[09:25:04] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[09:25:04] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[09:25:05] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[09:25:07] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[09:25:08] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[09:25:10] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[09:25:11] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[09:25:13] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[09:25:14] [INFO] testing 'Oracle AND time-based blind'
[09:25:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:25:16] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[09:25:32] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[09:25:52] [WARNING] GET parameter 'module' is not injectable
[09:25:52] [INFO] testing if GET parameter 'func' is dynamic
sqlmap got a 302 redirect to 'https://SERVER:443/index.php'. Do you want to follow? [Y/n] n
[09:26:54] [ERROR] detected invalid data for declared content encoding 'gzip' ('unpack requires a string argument of length 4')
[09:26:54] [WARNING] turning off page compression
[09:26:54] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[09:26:55] [INFO] confirming that GET parameter 'func' is dynamic
[09:26:55] [WARNING] GET parameter 'func' does not appear dynamic
[09:26:55] [WARNING] heuristic (basic) test shows that GET parameter 'func' might not be injectable
...
 
 
Thank you,
 
regards Peter
 
 
------------------------------------------------------------------------------
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
