Author Topic: sqlmap [SOLVED] (Read 33299 times)

berghem · **on:** July 04, 2012, 07:40:02 PM

hi all
I tried to use sqlmap in different test, but nothing result

i tried with
sqlmap --url http://127.0.0.1/dvwa/login.php -f

and obtain

berghem@berghem-PcFisso:/var/www/dvwa/config$ sqlmap --url http://127.0.0.1/dvwa/login.php -f

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 20:37:05

[20:37:05] [INFO] using '/home/berghem/.sqlmap/output/127.0.0.1/session' as session file
[20:37:05] [INFO] testing connection to the target url
[20:37:05] [INFO] testing if the url is stable, wait a few seconds
[20:37:06] [INFO] url is stable
[20:37:06] [CRITICAL] all parameters are not injectable, try to increase --level/--risk values to perform more tests. Rerun without providing the --technique switch. Give it a go with the --text-only switch if the target page has a low percentage of textual content (~10.87% of page content is text)

[*] shutting down at: 20:37:06

i tried with
sqlmap --url http://127.0.0.1/dvwa -f

and obtain

Code: [Select]

[20:38:45] [INFO] testing if the url is stable, wait a few seconds
[20:38:46] [INFO] url is stable
[20:38:46] [INFO] testing if URI parameter '#1*' is dynamic
[20:38:46] [INFO] confirming that URI parameter '#1*' is dynamic
[20:38:46] [INFO] URI parameter '#1*' is dynamic
[20:38:46] [WARNING] heuristic test shows that URI parameter '#1*' might not be injectable
[20:38:46] [INFO] testing sql injection on URI parameter '#1*'
[20:38:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:38:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[20:38:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:38:46] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[20:38:46] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:38:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:38:46] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[20:38:46] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[20:38:47] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[20:38:47] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:38:47] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[20:38:47] [INFO] testing 'Oracle AND time-based blind'
[20:38:47] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:38:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:38:47] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[20:38:47] [WARNING] URI parameter '#1*' is not injectable
[20:38:47] [CRITICAL] all parameters are not injectable, try to increase --level/--risk values to perform more tests. Rerun without providing the --technique switch. Give it a go with the --text-only switch if the target page has a low percentage of textual content (~10.87% of page content is text)
[20:38:47] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 135 times

ZEROF · **Reply #1 on:** July 04, 2012, 11:46:59 PM

Hi,

1st you need to check all options and how to use sqlmap tool, start with sqlmap -h then ....

Learn ...http://forum.backbox.org/videos/sqlmap-sql-injection-with-backbox-part-12/

drego85 · **Reply #2 on:** July 06, 2012, 12:28:10 PM

Hello,
find a perfect guide here: http://translate.google.it/translate?hl=it&sl=it&tl=en&u=http%3A%2F%2Fsicurezza.html.it%2Fguide%2Fleggi%2F220%2Fguida-sql-injection-con-sqlmap%2F

In the guide there is also a address of a test server!

berghem · **Reply #3 on:** January 31, 2013, 03:45:00 PM

Hi
I still have problems with sqlmap, I have a VM with dvwa application with security parameter=low

From BB I writed this command

sqlmap -u 'http://192.168.56.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='Cookie=security=low; PHPSESSID=g123shj27qt27pf5prctrk0t32' --dbs
and receved this output

Code: [Select]

[*] starting at 15:28:31

[15:28:31] [INFO] testing connection to the target url
[15:28:31] [INFO] heuristics detected web page charset 'None'
sqlmap got a 302 redirect to 'http://192.168.56.102:80/dvwa/login.php'. Do you want to follow? [Y/n] y
[15:42:25] [INFO] testing if the url is stable, wait a few seconds
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] y
[15:42:28] [WARNING] GET parameter 'id' does not appear dynamic
[15:42:28] [WARNING] reflective value(s) found and filtering out
[15:42:28] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[15:42:28] [INFO] testing for SQL injection on GET parameter 'id'
[15:42:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:42:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:42:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:42:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:42:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:42:28] [INFO] testing 'MySQL inline queries'
[15:42:28] [INFO] testing 'PostgreSQL inline queries'
[15:42:28] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:42:28] [INFO] testing 'Oracle inline queries'
[15:42:28] [INFO] testing 'SQLite inline queries'
[15:42:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:42:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:42:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:42:28] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:42:28] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:42:29] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:42:29] [INFO] testing 'Oracle AND time-based blind'
[15:42:29] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:42:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:42:29] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[15:42:30] [WARNING] GET parameter 'id' is not injectable
[15:42:30] [WARNING] GET parameter 'Submit' does not appear dynamic
[15:42:30] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[15:42:30] [INFO] testing for SQL injection on GET parameter 'Submit'
[15:42:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:42:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:42:30] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:42:30] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:42:30] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:42:30] [INFO] testing 'MySQL inline queries'
[15:42:30] [INFO] testing 'PostgreSQL inline queries'
[15:42:30] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:42:30] [INFO] testing 'Oracle inline queries'
[15:42:30] [INFO] testing 'SQLite inline queries'
[15:42:30] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:42:31] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:42:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:42:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:42:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:42:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:42:31] [INFO] testing 'Oracle AND time-based blind'
[15:42:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:42:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:42:32] [WARNING] GET parameter 'Submit' is not injectable
[15:42:32] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

But the id parameter id injectable, why I receved that not injectable?
I tried with --lever 5 but nothing....
Where's my mistake?

TKS

berghem · **Reply #4 on:** February 05, 2013, 02:24:26 PM

Hi all

I solved my problem, but I don't know the origin of the problem

if use sqlmap from backbox menu I have the error of my previous post

if open the shell,
cd /opt/backbox/nmap
python sqlmap.py and write the idenntical comand it works

Author Topic: sqlmap [SOLVED] (Read 33299 times)

berghem

sqlmap [SOLVED]

ZEROF

Re: sqlmap

drego85

Re: sqlmap

berghem

Re: sqlmap

berghem

[SOLVED] Re: sqlmap