@Miroslav, what does UA mean?

@Brandon, I tried with
sqlmap -u "127.0.0.1/test/Login.php" --data="user=lol&password=lol" --dbs --suffix="#" -v 3 --tamper=space2plus
and it didn't work.

2016-12-04 16:50 GMT+01:00 Miroslav Stampar <[email protected]>:

> I am kind of confused. You said that it's your application, right? Why
> would your application care about UA? Also, you've sent source code which
> doesn't look into UA.
>
> Bye
>
> On Dec 4, 2016 16:47, "Daniele Bianchin" <[email protected]> wrote:
>
>> OK, I made a test with BurpSuite as Brandon said.
>> I tried to inject lol'UNION ALL SELECT NULL,NULL# manually and it worked.
>> The same payload with sqlmap did not.
>>
>> This is what BurpSuite shows: http://pastebin.com/6ifKNX9k
>>
>> The first is made manually with Firefox, the second with sqlmap...
>> Should I change the user-agent in sqlmap?
>>
>>> 2016-12-04 15:39 GMT+01:00 Brandon Perry <[email protected]>:
>>>
>>>> You can add --proxy and make sqlmap pass all requests through BurpSuite
>>>> or another proxy so you can see what the difference is between the requests
>>>> sqlmap creates and the ones you make by hand.
>>>>
>>>>
>>>> On Dec 4, 2016, at 8:27 AM, Miroslav Stampar <
>>>> [email protected]> wrote:
>>>>
>>>> This is a straightforward case. You are messing something up.
>>>>
>>>> Use username=foobar&password=foobar in POST data. Don't already put an
>>>> SQLi payload anywhere. Use --level=3 --risk=3
>>>>
>>>> As said, you are doing something really, really wrong here.
>>>>
>>>> Bye
>>>>
>>>> On Sun, Dec 4, 2016 at 3:06 PM, Daniele Bianchin <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi!
>>>>> I have an issue with sqlmap.
>>>>> I created my own fake login in order to test blind SQL injection, but
>>>>> every time I make a test sqlmap says it isn't exploitable.
>>>>> I tried to add a suffix, set level to 5, set risk to 3, set the not-string
>>>>> option, but sqlmap still does not work with it.
>>>>> The login source is: http://pastebin.com/xzKZJNB1
>>>>>
>>>>> I tried to inject some payloads manually such as ' OR 1=1#, ' UNION
>>>>> ALL SELECT NULL;NULL #, etc... and they work.
>>>>> What should I do?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>>
>>>>> Daniele.
>>>>>
>>>>> _______________________________________________
>>>>> sqlmap-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
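
Added example (not part of the original thread and not sqlmap code): once both requests have been saved from the proxy, as Brandon suggests, the comparison can be done mechanically, including differences that exist only in the URL encoding of a form field. The two captures are constructed for illustration and are not the contents of the pastebin links; parse_request and diff_requests are hypothetical helper names.

```python
from urllib.parse import parse_qsl

# Constructed captures for illustration (not the thread's pastebin content).
MANUAL = """POST /test/Login.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (constructed)
Content-Type: application/x-www-form-urlencoded

user=lol%27UNION+ALL+SELECT+NULL%2CNULL%23&password=lol"""
TOOL = """POST /test/Login.php HTTP/1.1
Host: 127.0.0.1
User-Agent: sqlmap (constructed)
Content-Type: application/x-www-form-urlencoded

user=lol%27UNION%20ALL%20SELECT%20NULL%2CNULL%23&password=lol"""

def parse_request(raw):
    """Return (request line, headers, raw form fields, decoded form fields)."""
    head, _, body = raw.strip().replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Keep raw values beside decoded ones so encoding-only changes stay visible.
    raw_fields = dict(p.partition("=")[::2] for p in body.split("&") if p)
    decoded = dict(parse_qsl(body, keep_blank_values=True))
    return lines[0], headers, raw_fields, decoded

def diff_requests(a, b):
    """List (kind, name, value_a, value_b) for every difference found."""
    line_a, hdr_a, raw_a, dec_a = parse_request(a)
    line_b, hdr_b, raw_b, dec_b = parse_request(b)
    out = []
    if line_a != line_b:
        out.append(("request-line", "", line_a, line_b))
    for name in sorted(set(hdr_a) | set(hdr_b)):
        if hdr_a.get(name) != hdr_b.get(name):
            out.append(("header", name, hdr_a.get(name), hdr_b.get(name)))
    for name in sorted(set(raw_a) | set(raw_b)):
        if dec_a.get(name) != dec_b.get(name):
            out.append(("field-decoded", name, dec_a.get(name), dec_b.get(name)))
        elif raw_a.get(name) != raw_b.get(name):
            out.append(("field-encoding", name, raw_a.get(name), raw_b.get(name)))
    return out

if __name__ == "__main__":
    for kind, name, va, vb in diff_requests(MANUAL, TOOL):
        print(f"{kind:15} {name:12} manual={va!r} tool={vb!r}")
```

A "field-encoding" row means the server decodes both bodies to the same value, so the cause of a behavioural difference lies elsewhere; a "field-decoded" or "header" row is where to look first.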