Closed ghost closed 3 years ago
Clearly exploitable
<- give me a break. This issue does not have anything to do with "Unable to detect SQLi when code uses double quotes". Your payload is "clearly" not standard/common " union SELECT sleep(1000000), "a
Closed this down because clearly there is no issue with the sqlmap here
Describe the bug Does sqlmap have the ability to exploit sqli vulnerabilities using " instead of '?
For example, I know there is a mysql sqli vulnerability at http://natas15.natas.labs.overthewire.org/index.php (this is a pen testing lab/training site specifically for trying to find and exploit vulnerabilities) using:
" union SELECT sleep(1000000), "a
but when I try to use sqlmap to speed up exploitation/exfiltration, sqlmap doesn't see the sqli vuln.
If sqlmap already does this, then any idea why the tool doesn't spot the sqli at that location when I know it's there. Anyway, if sqlmap isn't trying " in it's injection attempts, possibly make that an option? like --quote-type where default is '
To Reproduce
username=put+sqli+here