I have an ASP login form (username & password) that is SQL-injectable when the username is found in the database.
For example, if I insert:
- username: foo (foo is found in the database)
- password: '.;/;
Then the result is:
Incorrect syntax near ';'. Unclosed quotation mark after the character string ' order by dat desc '.
Question: In sqlmap I wrote:
sqlmap --url="foo.com/login.aspx" --data="username=foo&password=.';.;." --level=5
But the sqlmap result is: all tested parameters appear to be not injectable.
What is wrong with my sqlmap statement?