I'm trying to catch SQL injection attacks from DVWA with sqlmap. I'm using the simplest option it provides, but strangely it sometimes works and other times it doesn't, showing a message similar to:

...parameter 'X' does not seem to be injectable...

I have also tried with level and risk options with no success. Below is the output.

The command I'm using is:

$ sqlmap -u "http://localhost:82/dvwa/vulnerabilities/sqli/?id=1"
[13:01:30] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://localhost:82/dvwa/login.php'. Do you want to follow? [Y/n] y
[13:01:32] [INFO] testing if the target URL content is stable
[13:01:32] [WARNING] GET parameter 'id' does not appear to be dynamic
[13:01:32] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[13:01:32] [INFO] testing for SQL injection on GET parameter 'id'
[13:01:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:01:33] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[13:01:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[13:01:34] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:01:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[13:01:34] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:01:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[13:01:35] [INFO] testing 'MySQL inline queries'
[13:01:35] [INFO] testing 'PostgreSQL inline queries'
[13:01:35] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:01:35] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[13:01:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[13:01:36] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[13:01:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[13:01:36] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[13:01:37] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[13:01:37] [INFO] testing 'Oracle AND time-based blind'
[13:01:38] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:01:42] [WARNING] GET parameter 'id' does not seem to be injectable
[13:01:42] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment')

[*] shutting down at 13:01:42
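The output above already contains the clue to read before increasing --level or --risk: every request was answered with a 302 to the login page, and the very next warning says the parameter does not change the response. The following script, an added example that is not part of the original question, parses sqlmap console output in the format shown (the `[HH:MM:SS] [LEVEL] message` lines plus the unprefixed redirect prompt) and turns those two symptoms into a plain-language diagnosis. The regular expressions, the `Diagnosis` class and the sample log (trimmed from the question's output) are assumptions of this example, not part of sqlmap.

```python
"""Explain a failed sqlmap run from its console output (added example).

Assumes the log format shown in the question: lines of the form
"[HH:MM:SS] [LEVEL] message" plus one unprefixed redirect prompt line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns are assumptions based on the question's output, not a sqlmap API.
LOG_LINE = re.compile(r"^\[\d\d:\d\d:\d\d\] \[(INFO|WARNING|CRITICAL|ERROR)\] (.*)$")
REDIRECT = re.compile(r"got a 302 redirect to '([^']+)'")
NOT_DYNAMIC = re.compile(r"parameter '([^']+)' does not appear to be dynamic")
NOT_INJECTABLE = re.compile(r"parameter '([^']+)' does not seem to be injectable")


@dataclass
class Diagnosis:
    redirect_target: Optional[str] = None
    static_params: List[str] = field(default_factory=list)
    uninjectable_params: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def diagnose(output: str) -> Diagnosis:
    """Walk the log once, collect the symptoms, then explain them."""
    d = Diagnosis()
    for raw in output.splitlines():
        line = raw.strip()
        m = REDIRECT.search(line)
        if m:
            d.redirect_target = m.group(1)
            continue
        m = LOG_LINE.match(line)
        if not m:
            continue
        level, msg = m.groups()
        if level != "WARNING":
            continue
        m = NOT_DYNAMIC.search(msg)
        if m:
            d.static_params.append(m.group(1))
        m = NOT_INJECTABLE.search(msg)
        if m:
            d.uninjectable_params.append(m.group(1))

    target = (d.redirect_target or "").lower()
    if target.endswith("login.php"):
        d.findings.append(
            "Requests were redirected to a login page before any test ran: "
            "without a valid session the scanner exercises the login page, "
            "not the page that reads the parameter."
        )
    for p in d.static_params:
        if target:
            d.findings.append(
                f"Parameter '{p}' did not change the response, which is what "
                "an unauthenticated redirect to the same page looks like."
            )
        else:
            d.findings.append(
                f"Parameter '{p}' did not change the response; confirm the "
                "page actually uses it before reading anything into the scan."
            )
    if d.uninjectable_params and not d.findings:
        d.findings.append("No session problem visible; the scan itself was inconclusive.")
    return d


# Constructed sample, trimmed from the output in the question.
SAMPLE = """\
[13:01:30] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://localhost:82/dvwa/login.php'. Do you want to follow? [Y/n] y
[13:01:32] [INFO] testing if the target URL content is stable
[13:01:32] [WARNING] GET parameter 'id' does not appear to be dynamic
[13:01:42] [WARNING] GET parameter 'id' does not seem to be injectable
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE).findings:
        print("-", finding)
```

Run it on the full output pasted in the question and the first finding explains the intermittent behaviour: the scan only reaches the vulnerable page when the session DVWA expects is present, otherwise every probe lands on the same static login page and the "not dynamic" heuristic fires before any payload matters.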