I am kind of confused. You said that it's your application, right? Why
would your application care about UA? Also, you've sent source code which
hasn't looked into UA.

Bye

On Dec 4, 2016 16:47, "Daniele Bianchin" <[email protected]> wrote:

> Ok, I made a test with BurpSuite as Brandon said.
> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
> The same payload with sqlmap did not.
>
> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>
> The first is made manually with Firefox, the second with sqlmap...
> Should I change user-agent in sqlmap?
>
>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <[email protected]>:
>>
>>> You can add --proxy and make sqlmap pass all requests through burpsuite
>>> or another proxy so you can see what the difference is between the requests
>>> sqlmap creates and the ones you make by hand.
>>>
>>>
>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <[email protected]>
>>> wrote:
>>>
>>> This is a straightforward case. You are messing something up.
>>>
>>> Use username=foobar&password=foobar in POST data. Don't put already
>>> SQLi payload anywhere. Use --level=3 --risk=3
>>>
>>> As said, you are doing something really really wrong here.
>>>
>>> Bye
>>>
>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <[email protected]>
>>> wrote:
>>>
>>>> Hi!
>>>> I have an issue with sqlmap.
>>>> I created my own fake login in order to test blind SQL injection but
>>>> every time I make a test sqlmap says it isn't exploitable.
>>>> I tried to add a suffix, set level to 5, set risk to 3, set not-string
>>>> option but sqlmap still does not work with it.
>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>
>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION ALL
>>>> SELECT NULL;NULL #, etc... and they work.
>>>> What should I do?
>>>>
>>>> Thanks in advance!
>>>>
>>>>
>>>> Daniele.
>>>>
>>>> ------------------------------------------------------------
>>>> ------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, SlashDot.org <http://slashdot.org>!
>>>> http://sdm.link/slashdot
>>>> _______________________________________________
>>>> sqlmap-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>
>>>>
>>>
>>>
>>> --
>>> Miroslav Stampar
>>> http://about.me/stamparm
>>>
>>>
>>>
>>
>