stamparm
commented
7 years ago If you have false positives in MsAccess it is because the target behaves differently than expected (most probably because of load). In such cases please use --string (in combination with --flush-session) or similar option.
Also, there is a possibility that you have a false-positive. In such case please rerun with --flush-session.
As of capabilities, sqlmap is able to infer (through brute force) the table and column names, and to dump such content afterwards. As of other capabilities, MsAccess is pretty restricted DBMS (because of its functionality), so don't expect to do anything else than --dump
Hi Crew.
First of all, express my admiration for this useful tool. Now im checking an application (Black Box Test), i have found a SQL injection on the web application, and sqlmap recognize the backend database as an Microsoft Access Database.
Im trying to check the common tables but seems that have some false positives. Installed the same version of sqlmap on different machines, sqlmap detect different tables with deferents columns on the same target. What im doing wrong? wich capabilities have sqlmap on a Access Database?
Thanks for your hard work.
PD: Sorry for my crapy English.