Penetration Testing mailing list archives
Re: SQLMAP
From: "Anthony Cicalla" <anthony.cicalla () gmail com>
Date: Wed, 19 Nov 2008 10:49:47 -0800
I've had some issues with that, that he is experiencing. I had to play with the url in the conf file a but and also when I executed the command to run sqlmap. Moving around and even removing some parameters from the query if there where more than one. Most of the time I have gotten it to work, sometimes it hasn't. Something that should be added is filter evasion for sqlmap. I have a site that could be mapped but they filter sql statement words like union. So to get passed it I just use ununionion and it strips out the first union leaving union behind. Sqlmap doesn't work for this site. But it's worked for plenty of others for me. Sincerely, Anthony Cicalla, Research Scientist McafeeSecure WebSecurity Group On Tue, Nov 18, 2008 at 1:47 PM, Taras P. Ivashchenko <naplanetu () gmail com> wrote:
May be you are simply behind the proxy? On Sun, 2008-11-09 at 16:34 -0600, Michael Condon wrote:I've tried it on both Windows and BackTrack. With sqlmap -u http://www.somepage.com/logon.php?email=1, I get the response: unable to connect to the target url or proxy ----- Original Message ----- From: "Bojan Zdrnja" <bojan.zdrnja () gmail com> To: "Michael Condon" <admin () singulartechnologysolutions com> Cc: <pen-test () securityfocus com> Sent: Friday, November 07, 2008 3:50 AM Subject: Re: SQLMAPMichael, On Thu, Nov 6, 2008 at 3:35 AM, Michael Condon <admin () singulartechnologysolutions com> wrote:When I run a simple sqlmap command (which is shown similarly in their doc): python sqlmap.py -u http://www.domain.com/page.php -v 2 I receive the following error: all testable parameters are not present within the GET, POST and Cookie parameters. What am I misunderstanding/doing wrong?You have to give it a parameter to try SQL injection on. So, if the parameter that the page.php script accepts is "id", the command would look like this: $ python sqlmap.py -u "http://www.domain.com/page.php?id=1" Sqlmap will automatically try to inject SQL statements into the "id" parameter. Cheers, Bojan ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report -------------------------------------------------------------------------- Тарас Иващенко (Taras Ivashchenko), OSCP ---- "Software is like sex: it's better when it's free." - Linus Torvalds
-- Anthony,
Current thread:
- SQLMAP Michael Condon (Nov 06)
- Re: SQLMAP Anthony Cicalla (Nov 06)
- RE: SQLMAP Marvin Simkin (Nov 09)
- Re: SQLMAP Michael Condon (Nov 09)
- RE: SQLMAP Marvin Simkin (Nov 09)
- Re: SQLMAP Bojan Zdrnja (Nov 09)
- Re: SQLMAP Michael Condon (Nov 09)
- Re: SQLMAP Taras P. Ivashchenko (Nov 18)
- Re: SQLMAP Anthony Cicalla (Nov 19)
- Re: SQLMAP Michael Condon (Nov 09)
- Re: SQLMAP Anthony Cicalla (Nov 06)