I was reading about the 'risk' param for sqlmap, and the docs contain information that risk level 3 can update tables. What does it mean? As far as I understand, this can happen either in the app update injection or if the app's logic updates some table. Am I right? Or is it possible somehow to update tables accidentally even in a select query while using sqlmap? Thanks.

Daisetsu
Avit

1 Answer

Let's say there's an injection possibility on an action that results in the deletion of a single result.

DELETE FROM users WHERE userId=1;

A risk level of 1 or 2 is likely to result in a single user being deleted.

Risk level 3 uses OR, which can end up affecting many more rows than intended.

DELETE FROM users WHERE userId=1 OR 1=1;

It's not that risk 1 & 2 don't have the possibility of deleting or updating database records, rather their impact is likely limited in scope; while risk 3 is more likely to destroy (or make your presence known by disruption) an application before you can effectively exploit it.

Daisetsu
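The row counts behind the answer above, as an added example that is not part of the original post or of sqlmap: it runs the answer's DELETE against a constructed in-memory SQLite `users` table, once built by string concatenation and once with a bound parameter. The table contents, function names and the AND-style inputs are assumptions made for illustration.

```python
import sqlite3

def fresh_db(n_users=5):
    """Constructed sample data: an in-memory users table with n_users rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userId INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(i, f"user{i}") for i in range(1, n_users + 1)])
    db.commit()
    return db

def delete_vulnerable(db, user_id):
    """Builds the statement by string concatenation, as in the answer's DELETE."""
    cur = db.execute("DELETE FROM users WHERE userId=" + user_id)
    return cur.rowcount

def delete_parameterized(db, user_id):
    """Binds the value, so the whole input is compared as data, never parsed as SQL."""
    cur = db.execute("DELETE FROM users WHERE userId=?", (user_id,))
    return cur.rowcount

def rows_deleted(delete_fn, user_input):
    """Run one delete against a fresh table; return (rows deleted, rows left)."""
    db = fresh_db()
    deleted = delete_fn(db, user_input)
    remaining = db.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    db.close()
    return deleted, remaining

# Constructed inputs: a plain id, two AND-style boolean tests, the answer's OR-style test.
INPUTS = ["1", "1 AND 1=1", "1 AND 1=2", "1 OR 1=1"]

if __name__ == "__main__":
    for value in INPUTS:
        print(f"{value!r:12} vulnerable={rows_deleted(delete_vulnerable, value)} "
              f"parameterized={rows_deleted(delete_parameterized, value)}")
```

With the concatenated statement, an AND condition can only narrow the match to the one targeted row or to nothing, while the OR condition empties the table; with the bound parameter, none of the injected strings match any row.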