
Thread: sqlmap not detecting injectable parameter

  1. #1
    Just burned his ISO
    Join Date
    Mar 2012
    Posts
    8

    sqlmap not detecting injectable parameter

    I was going through the how-to's forum, and g0tmi1k's posts about VulnImage led me to experiment with sqlmap. I'm using Backtrack 5R2. I'm not sure what I'm doing wrong.

    I created a page with a parameter that is injectable (i.e. no sanitization). The PHP-based page connects to a MySQL DB, with 5 columns. The actual PHP select statement is:
    Code:
    $name_bad = stripslashes($_POST['rs_string']); 
    $query_bad = "SELECT TestName, Price FROM pricelist WHERE testname = '$name_bad'";
    (FYI: The stripslashes is in there because the version of php I'm testing on has magic quotes turned on. No login required for this page either.)

    If I input, manually,
    Code:
    ' or 1; --
    then the query spits out every result in the database as it should, since the query is now
    Code:
    SELECT TestName, Price FROM pricelist WHERE testname = '' or 1; -- '
    Classic injection - This parameter is vulnerable! (FYI, there is a space after the second dash and it is required or the query errors out.)

    I've gone further, and used the order by to see how many columns the select returns (yes, I know it's two, but I'm pretending I don't). So
    Code:
    ' or 1 order by 1; -- '
    orders by testname, and by changing "by 1" to "by 2" I can order by price. If I do "by 3", I get an error as expected since there are only two columns returned. Again, classic injection. This page IS vulnerable.

    Now I fire up burp and browse the page, enter a testname or two so it's in the log (this is described in g0tmi1k's posts). Then I fire up sqlmap with the command:
    Code:
    ./sqlmap -l /root/burp.log --banner --current-user --current-db --is-dba --dbms=MySQL
    After testing the correct page, it tells me rs_string is not injectable. But it clearly is! I can do it by hand.

    What am I doing wrong?

  2. #2
    Just burned his ISO
    Join Date
    Mar 2012
    Posts
    8

    Re: sqlmap not detecting injectable parameter

    Solved. Backtrack has an older version of sqlmap. Updated to the latest version (r5018) via svn and it works perfectly.
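
The query from the first post beside a parameterized version of it, as an added example that is not part of the thread or the poster's code. Assumptions: PDO with an in-memory SQLite database stands in for the poster's MySQL database so it runs offline, the table rows are constructed, and the function names `lookup_concatenated` and `lookup_prepared` are hypothetical.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for the
// poster's MySQL database so this runs offline; the rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE pricelist (TestName TEXT, Price REAL)");
$pdo->exec("INSERT INTO pricelist VALUES ('glucose', 12.50), ('lipid panel', 40.00), ('cbc', 18.75)");

// 'Before': the thread's query, built by string concatenation, so the
// input is parsed as part of the SQL statement.
function lookup_concatenated(PDO $pdo, string $name): array
{
    $query = "SELECT TestName, Price FROM pricelist WHERE testname = '$name'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 'After': the same query with a bound parameter; the input is passed to
// the database as data and never becomes part of the SQL text.
function lookup_prepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT TestName, Price FROM pricelist WHERE testname = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal value, then the string quoted in the first post.
$inputs = ["glucose", "' or 1; -- "];
foreach ($inputs as $input) {
    printf(
        "input %-14s concatenated: %d row(s), prepared: %d row(s)\n",
        json_encode($input),
        count(lookup_concatenated($pdo, $input)),
        count(lookup_prepared($pdo, $input))
    );
}
```

With a bound parameter the `stripslashes()` call from the first post can stay in place to undo magic quotes, since the resulting string is still only compared against `testname` rather than parsed as SQL.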
