I was going through the how-to's forum, and g0tmi1k's posts about VulnImage led me to experiment with sqlmap. I'm using Backtrack 5R2. I'm not sure what I'm doing wrong.
I created a page with a parameter that is injectable (i.e. no sanitization). The PHP-based page connects to a MySQL DB, with 5 columns. The actual PHP select statement is:
Code:
// Deliberately unsanitized test page: the POST value is interpolated straight into the SQL text
$name_bad = stripslashes($_POST['rs_string']);
$query_bad = "SELECT TestName, Price FROM pricelist WHERE testname = '$name_bad'";
(FYI: The stripslashes is in there because the version of PHP I'm testing on has magic quotes turned on. No login required for this page either.)
If I input, manually, then the query spits out every result in the database as it should, since the query is now
Code:
SELECT TestName, Price FROM pricelist WHERE testname = '' or 1; -- '
Classic injection: this parameter is vulnerable! (FYI, there is a space after the second dash and it is required or the query errors out.)
I've gone further, and used the order by to see how many columns the select returns (yes, I know it's two, but I'm pretending I don't). So
Code:
' or 1 order by 1; -- '
orders by testname, and by changing "by 1" to "by 2" I can order by price. If I do "by 3", I get an error as expected since there are only two columns returned. Again, classic injection. This page IS vulnerable.
Now I fire up Burp and browse the page, enter a testname or two so it's in the log (this is described in g0tmi1k's posts). Then I fire up sqlmap with the command:
Code:
./sqlmap -l /root/burp.log --banner --current-user --current-db --is-dba --dbms=MySQL
After testing the correct page, it tells me rs_string is not injectable. But it clearly is! I can do it by hand.
What am I doing wrong?
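Added example (editor's code, not part of the post): a Python/SQLite stand-in for the post's PHP/MySQL page, showing why the `$query_bad` construction returns every row for the `' or 1 -- '` style input while a parameterized query treats the same string as a literal name. The `pricelist` table and its `TestName`/`Price` columns come from the post; the rows are constructed sample data. The payload is written without the semicolon the post uses, since the stand-in executes a single statement.

```python
import sqlite3

# Constructed sample rows standing in for the post's pricelist table.
SAMPLE_ROWS = [("CBC", 12.50), ("Lipid Panel", 30.00), ("TSH", 22.00)]

# The post's injection input, minus the semicolon (single-statement stand-in).
PAYLOAD = "' or 1 -- '"


def make_db():
    """Create an in-memory table shaped like the post's pricelist."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pricelist (TestName TEXT, Price REAL)")
    conn.executemany("INSERT INTO pricelist VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Mirror of the post's $query_bad: the user value is pasted into the SQL text.

    With PAYLOAD the statement becomes
    SELECT TestName, Price FROM pricelist WHERE TestName = '' or 1 -- ''
    so the WHERE clause is always true and every row comes back.
    """
    query = f"SELECT TestName, Price FROM pricelist WHERE TestName = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Parameterized form: the value is bound by the driver and never parsed as SQL.

    The same PAYLOAD is compared as a literal string against TestName, so it
    matches nothing; a real test name still matches exactly as before.
    """
    query = "SELECT TestName, Price FROM pricelist WHERE TestName = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal lookup (vulnerable):", lookup_vulnerable(db, "CBC"))
    print("payload lookup (vulnerable):", lookup_vulnerable(db, PAYLOAD))
    print("normal lookup (safe):      ", lookup_safe(db, "CBC"))
    print("payload lookup (safe):     ", lookup_safe(db, PAYLOAD))
```

In PHP the equivalent of `lookup_safe` is a mysqli or PDO prepared statement with the name bound as a parameter; the `stripslashes` call becomes unnecessary once magic quotes are off and the value is bound rather than interpolated.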