I was going through the how-to's forum, and g0tmi1k's posts about VulnImage led me to experiment with sqlmap. I'm using Backtrack 5R2. I'm not sure what I'm doing wrong.
I created a page with a parameter that is injectable (i.e. no sanitation). The php based page connects to a MySQL DB, with 5 columns. The actual php select statement is:

    $name_bad = stripslashes($_POST['rs_string']);
    $query_bad = "SELECT TestName, Price FROM pricelist WHERE testname = '$name_bad'";

(FYI: The stripslashes is in there because the version of php I'm testing on has magic quotes turned on. No login required for this page either.)

If I input, manually, then the query spits out every result in the database as it should, since the query is now

    SELECT TestName, Price FROM pricelist WHERE testname = '' or 1; -- '

Classic injection - This parameter is vulnerable! (FYI, there is a space after the second dash and it is required or the query errors out.)

I've gone further, and used the order by to see how many columns the select returns (yes, I know it's two, but I'm pretending I don't). So

    ' or 1 order by 1; -- '

orders by testname, and by changing "by 1" to "by 2" I can order by price. If I do "by 3", I get an error as expected since there are only two columns returned. Again, classic injection. This page IS vulnerable.

Now I fire up burp and browse the page, enter a testname or two so it's in the log (this is described in g0tmi1k's posts). Then I fire up sqlmap with the command:

    ./sqlmap -l /root/burp.log --banner --current-user --current-db --is-dba --dbms=MySQL

After testing the correct page, it tells me rs_string is not injectable. But it clearly is! I can do it by hand.

What am I doing wrong?
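An added example, not part of the original post: a small Python reproduction of the post's `$query_bad` string-concatenation bug next to the parameterised form that closes it. The `pricelist` table and its rows are constructed here, and sqlite3 stands in for the MySQL database so it runs offline.

```python
import sqlite3

# Constructed sample data standing in for the post's MySQL "pricelist" table.
SAMPLE_ROWS = [("Blood Panel", 45.00), ("X-Ray", 120.00), ("MRI", 900.00)]


def make_db():
    """Create an in-memory pricelist table with the two columns the post selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pricelist (TestName TEXT, Price REAL)")
    conn.executemany("INSERT INTO pricelist VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_bad(conn, name):
    """Mirror of $query_bad: the raw input is pasted into the SQL text, so a
    value such as  ' or 1; -- '  rewrites the WHERE clause and returns every row."""
    sql = f"SELECT TestName, Price FROM pricelist WHERE testname = '{name}'"
    return conn.execute(sql).fetchall()


def query_safe(conn, name):
    """Parameterised form: the input is bound as data, never parsed as SQL,
    so the same payload is simply looked up as a (non-existent) test name."""
    sql = "SELECT TestName, Price FROM pricelist WHERE testname = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1; -- '"   # the post's payload, including the trailing space
    print("concatenated:", query_bad(db, payload))   # all three rows
    print("parameterised:", query_safe(db, payload))  # []
```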