sqlmap login post problem

Question

I have an asp login form (username & password) that is SQL-injectable when the username is found in the database

For example, if I inserted

-username : foo   (foo founded in database)

-password : '.;/;

Then the result is:

Incorrect syntax near ';'. Unclosed quotation mark after the character string ' order by dat desc '.`

Question: In sqlmap I wrote

sqlmap --url="foo.com/login.aspx" --data="username=foo&password=.';.;."
--level=5

But the sqlmap result is: all tested parameters appear to be not injectable.

What is the wrong with my sqlmap statement?

you are trying to inject it while injecting? just do this... sqlmap --url="foo.com/login.aspx" --data="username=foo&password=bar" --level=5 — TheHidden, Jul 25 '16 at 17:12

score 1 · Answer 1 · answered Jul 26 '16 at 11:51

1

That you can generate an error doesn't necessarily mean you can exploit it. Did you try something like

bad' or '1' = '1

Can you bypass the login?

answered Jul 26 '16 at 11:51

kaidentity

i have used ,but doesn't work – Mortada Jafar Jul 26 '16 at 12:05
1

Can you share the asp code with us? Maybe the code is not injectable the way you expect it to be. – kaidentity Jul 26 '16 at 13:08

1 Answers1