Hi.

This looks like a false positive. Please rerun with --flush-session.

Kind regards


On Mon, Aug 1, 2016 at 12:57 PM, Niall <jammaster...@gmail.com> wrote:

> Hi,
>
> I am using SQLMAP to pen test a web app and it says that a field is
> boolean based blind vulnerable.
>
> The DB is an OpenEdge Progress DB, so I understand SQLMAP does not support
> this DBMS. However, can I still use it to test whether there is a SQL
> injection vulnerability (and not exploit it) or will it not detect the
> vulnerability at all?
>
> I am not sure whether SQLMAP cannot get any info out of the DB because
> Progress is unsupported or it is a false-positive.
>
> Below is SQLMAP output (If I run the exact same query on the DB itself it
> returns data):
>
> sqlmap -u 'http://xxx/login?host=1' --sql-query="select ('role') from
> pub.role_type" --no-cast --threads=2
>          _
>  ___ ___| |_____ ___ ___  {1.0.7.1#dev}
> |_ -| . | |     | .'| . |
> |___|_  |_|_|_|_|__,|  _|
>       |_|           |_|   http://sqlmap.org
>
> [!] legal disclaimer: Usage of sqlmap for attacking targets without prior
> mutual consent is illegal. It is the end user's responsibility to obey all
> applicable local, state and federal laws. Developers assume no liability
> and are not responsible for any misuse or damage caused by this program
>
> [*] starting at 11:53:57
>
> [11:53:57] [INFO] resuming back-end DBMS 'mysql'
> [11:53:57] [INFO] testing connection to the target URL
> [11:53:57] [CRITICAL] previous heuristics detected that the target is
> protected by some kind of WAF/IPS/IDS
> sqlmap resumed the following injection point(s) from stored session:
> ---
> Parameter: host (GET)
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: host=1") AND 1239=1239 AND ("UqXp"="UqXp
> ---
> [11:53:57] [INFO] the back-end DBMS is MySQL
> back-end DBMS: MySQL 5 (MariaDB fork)
> [11:53:57] [INFO] fetching SQL SELECT statement query output: 'select
> ('role') from pub.role_type'
> [11:53:57] [INFO] retrieving the length of query output
> [11:53:57] [INFO] retrieved:
> [11:53:57] [INFO] retrieved:
> select ('role') from pub.role_type: None
> [11:53:58] [INFO] fetched data logged to text files under
> '/root/.sqlmap/output/'
>
> [*] shutting down at 11:53:58
>
>
> Thank you for your help.
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm