OK, I made a test with BurpSuite as Brandon said.
I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
The same payload with sqlmap did not.

This is what BurpSuite shows: http://pastebin.com/6ifKNX9k

The first is made manually with Firefox, the second with sqlmap...
Should I change the user-agent in sqlmap?

> 2016-12-04 15:39 GMT+01:00 Brandon Perry <[email protected]>:
>
>> You can add --proxy and make sqlmap pass all requests through burpsuite or
>> another proxy so you can see what the difference is between the requests
>> sqlmap creates and the ones you make by hand.
>>
>>
>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <[email protected]>
>> wrote:
>>
>> This is a straightforward case. You are messing something up.
>>
>> Use username=foobar&password=foobar in POST data. Don't put already SQLi
>> payload anywhere. Use --level=3 --risk=3
>>
>> As said, you are doing something really really wrong here.
>>
>> Bye
>>
>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <[email protected]>
>> wrote:
>>
>>> Hi!
>>> I have an issue with sqlmap.
>>> I created my own fake login in order to test blind SQL injection but
>>> every time I make a test sqlmap says it isn't exploitable.
>>> I tried to add a suffix, set level to 5, set risk to 3, set not-string
>>> option but sqlmap still does not work with it.
>>> The login source is: http://pastebin.com/xzKZJNB1
>>>
>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL
>>> SELECT NULL;NULL #, etc... and they work.
>>> What should I do?
>>>
>>> Thanks in advance!
>>>
>>>
>>> Daniele.
>>>
>>> ------------------------------------------------------------
>>> ------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, SlashDot.org <http://slashdot.org>!
>>> http://sdm.link/slashdot
>>> _______________________________________________
>>> sqlmap-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>
>>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm