Author Topic: sqlmap [SOLVED]  (Read 29941 times)

berghem

on: July 04, 2012, 07:40:02 PM
Hi all,
I tried to use sqlmap in different tests, but got no results ???

I tried with
sqlmap --url http://127.0.0.1/dvwa/login.php -f

and obtained
Code:
berghem@berghem-PcFisso:/var/www/dvwa/config$ sqlmap --url http://127.0.0.1/dvwa/login.php -f

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 20:37:05

[20:37:05] [INFO] using '/home/berghem/.sqlmap/output/127.0.0.1/session' as session file
[20:37:05] [INFO] testing connection to the target url
[20:37:05] [INFO] testing if the url is stable, wait a few seconds
[20:37:06] [INFO] url is stable
[20:37:06] [CRITICAL] all parameters are not injectable, try to increase --level/--risk values to perform more tests. Rerun without providing the --technique switch. Give it a go with the --text-only switch if the target page has a low percentage of textual content (~10.87% of page content is text)

[*] shutting down at: 20:37:06

I tried with
sqlmap --url http://127.0.0.1/dvwa -f

and obtained
Code:
[20:38:45] [INFO] testing if the url is stable, wait a few seconds
[20:38:46] [INFO] url is stable
[20:38:46] [INFO] testing if URI parameter '#1*' is dynamic
[20:38:46] [INFO] confirming that URI parameter '#1*' is dynamic
[20:38:46] [INFO] URI parameter '#1*' is dynamic
[20:38:46] [WARNING] heuristic test shows that URI parameter '#1*' might not be injectable
[20:38:46] [INFO] testing sql injection on URI parameter '#1*'
[20:38:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:38:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[20:38:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:38:46] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[20:38:46] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:38:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:38:46] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[20:38:46] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[20:38:47] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[20:38:47] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:38:47] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[20:38:47] [INFO] testing 'Oracle AND time-based blind'
[20:38:47] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:38:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:38:47] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS
[20:38:47] [WARNING] URI parameter '#1*' is not injectable
[20:38:47] [CRITICAL] all parameters are not injectable, try to increase --level/--risk values to perform more tests. Rerun without providing the --technique switch. Give it a go with the --text-only switch if the target page has a low percentage of textual content (~10.87% of page content is text)
[20:38:47] [WARNING] HTTP error codes detected during testing:
404 (Not Found) - 135 times

« Last Edit: February 05, 2013, 04:42:53 PM by raffaele »



ZEROF

Reply #1 on: July 04, 2012, 11:46:59 PM
Hi,

First you need to check all the options and how to use the sqlmap tool; start with sqlmap -h, then ....

Learn ... http://forum.backbox.org/videos/sqlmap-sql-injection-with-backbox-part-12/
« Last Edit: July 05, 2012, 11:34:22 AM by ZEROF »




drego85

Reply #2 on: July 06, 2012, 12:28:10 PM



berghem

Reply #3 on: January 31, 2013, 03:45:00 PM
Hi
I still have problems with sqlmap. I have a VM with the dvwa application with security parameter=low

From BB I wrote this command

 sqlmap -u 'http://192.168.56.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit'  --cookie='Cookie=security=low; PHPSESSID=g123shj27qt27pf5prctrk0t32' --dbs
and received this output

Code:
[*] starting at 15:28:31

[15:28:31] [INFO] testing connection to the target url
[15:28:31] [INFO] heuristics detected web page charset 'None'
sqlmap got a 302 redirect to 'http://192.168.56.102:80/dvwa/login.php'. Do you want to follow? [Y/n] y
[15:42:25] [INFO] testing if the url is stable, wait a few seconds
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] y
[15:42:28] [WARNING] GET parameter 'id' does not appear dynamic
[15:42:28] [WARNING] reflective value(s) found and filtering out
[15:42:28] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[15:42:28] [INFO] testing for SQL injection on GET parameter 'id'
[15:42:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:42:28] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:42:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:42:28] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:42:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:42:28] [INFO] testing 'MySQL inline queries'
[15:42:28] [INFO] testing 'PostgreSQL inline queries'
[15:42:28] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:42:28] [INFO] testing 'Oracle inline queries'
[15:42:28] [INFO] testing 'SQLite inline queries'
[15:42:28] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:42:28] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:42:28] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:42:28] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:42:28] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:42:29] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:42:29] [INFO] testing 'Oracle AND time-based blind'
[15:42:29] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:42:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:42:29] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[15:42:30] [WARNING] GET parameter 'id' is not injectable
[15:42:30] [WARNING] GET parameter 'Submit' does not appear dynamic
[15:42:30] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[15:42:30] [INFO] testing for SQL injection on GET parameter 'Submit'
[15:42:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:42:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:42:30] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:42:30] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:42:30] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:42:30] [INFO] testing 'MySQL inline queries'
[15:42:30] [INFO] testing 'PostgreSQL inline queries'
[15:42:30] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:42:30] [INFO] testing 'Oracle inline queries'
[15:42:30] [INFO] testing 'SQLite inline queries'
[15:42:30] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:42:31] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:42:31] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:42:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:42:31] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:42:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:42:31] [INFO] testing 'Oracle AND time-based blind'
[15:42:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:42:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:42:32] [WARNING] GET parameter 'Submit' is not injectable
[15:42:32] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

But the id parameter is injectable, so why did I receive "not injectable"?
I tried with --level 5 but nothing....
Where's my mistake?


TKS
« Last Edit: January 31, 2013, 03:50:43 PM by berghem »



berghem

Reply #4 on: February 05, 2013, 02:24:26 PM
Hi all

I solved my problem, but I don't know the origin of the problem

If I use sqlmap from the backbox menu I get the error from my previous post

If I open the shell,
cd /opt/backbox/nmap
python sqlmap.py and write the identical command, it works