search

projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.
https://docs.projectdiscovery.io/tools/nuclei
MIT License
19.97k stars 2.45k forks source link

Nuclei is not seeing the SQLI #3455

Closed rootpentesting closed 1 year ago

rootpentesting commented 1 year ago

Greetings, Why is nuclei not being able to detect this simple error based SQLI ? on this acunetix vulnerable webpage, only once it was able for me to detect it. i also tryed both with all templates and only the generic ones.

image

ehsandeep commented 1 year ago

@rootpentesting nuclei's detection works based on the template you are running, public templates are not written to work against acunetix test page, instead, you can use fuzzing-templates for the type of scan you are looking to run.

nuclei -t ~/GitHub/fuzzing-templates/ -u http://testphp.vulnweb.com/listproducts.php?cat=1

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.0

        projectdiscovery.io

[INF] Using Nuclei Engine 2.9.0 (latest)
[INF] Using Nuclei Templates 9.4.0 (latest)
[INF] Templates added in last update: 65
[INF] Templates loaded for scan: 17
[INF] Targets loaded for scan: 1
[reflected-xss] [http] [medium] http://testphp.vulnweb.com/listproducts.php?cat=1'"><35041
[sqli-error-based:mysql] [http] [critical] http://testphp.vulnweb.com/listproducts.php?cat=1' [SQL syntax; check the manual that corresponds to your MySQL,Warning: mysql_,check the manual that corresponds to your MySQL server version]