
So I just started with sqlmap to learn about SQL injection vulnerabilities in my application. Here I followed the steps as per some tutorials.

So these are the steps which I followed:

  1. sqlmap.py -u "http://www.myurl.org/dis/data.php?id=3" --dbs

Console displays:

[11:19:45] [INFO] testing connection to the target URL
[11:19:46] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:19:47] [INFO] target URL is stable
[11:19:47] [INFO] testing if GET parameter 'id' is dynamic
[11:19:48] [INFO] confirming that GET parameter 'id' is dynamic
[11:19:48] [WARNING] GET parameter 'id' does not appear dynamic
[11:19:49] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[11:19:49] [INFO] testing for SQL injection on GET parameter 'id'
[11:19:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:19:56] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:19:59] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:20:01] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:20:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:20:06] [INFO] testing 'MySQL inline queries'
[11:20:07] [INFO] testing 'PostgreSQL inline queries'
[11:20:07] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:20:07] [INFO] testing 'Oracle inline queries'
[11:20:08] [INFO] testing 'SQLite inline queries'
[11:20:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:20:11] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:20:13] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:20:58] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[11:21:27] [WARNING] GET parameter 'id' is not injectable
[11:21:27] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')
[11:21:27] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 5 times

I need to know:

  1. Why is it not able to get the database?
  2. What do '--string' (or '--regexp') mean?

2 Answers


Let's try adding --level=3 --risk=3 to your sqlmap command. If you increase the risk and level, then sqlmap tries more clever stuff to find and exploit. It means sqlmap will try not only visible SQL injection potential but also blind stuff.

If you get the same result again, you can add * to your vulnerable parameter in order to identify whether sqlmap is posting to the correct parameter or not.

  • @CorpusCallosum: Well, I already tried this --level/--risk snippet. But still it's unable to get the DB. I even tried to add " * " in the URL. But no, it doesn't work. – user2376425 Oct 18 '13 at 05:05
  • Check this: 1) http://security.stackexchange.com/questions/5869/testing-clean-urls-with-sqlmap. 2) http://security.stackexchange.com/questions/15621/why-cant-sqlmap-find-an-sql-injection-in-my-code. This is what I already followed. – user2376425 Oct 18 '13 at 05:07
  • You can add --parse-errors to see anything abnormal or any error during the scan. Additionally you can add -t traffic.txt and look at the overall traffic generated by sqlmap to see what is happening. If you want to see the logs of the whole session then you also need to add --flush-session. – CorpusCallosum Nov 17 '13 at 17:38

It doesn't appear to be vulnerable, or the server is filtering input in a way that doesn't fix the SQL injection vulnerability, but does throw sqlmap off the scent. You'll probably have to do some work to make sqlmap properly identify the injection. There's an interesting article over at Minded Security about this.

The --string and --regexp options have to do with identifying valid responses from the server that contain result data, and extracting that data. This is called bisection, and it is described in the documentation:

For each HTTP response, by making a comparison between the HTTP response headers/body and those of the original request, the tool infers the output of the injected statement character by character. Alternatively, the user can provide a string or regular expression to match on True pages. The bisection algorithm implemented in sqlmap to perform this technique is able to fetch each character of the output with a maximum of seven HTTP requests. Where the output is not within the clear-text plain charset, sqlmap will adapt the algorithm with bigger ranges to detect the output.

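To make the documentation paragraph quoted in the second answer concrete, here is an added Python simulation of the bisection it describes. It is not code from the original answer and not sqlmap's own code. The "server" is a local function built around a constructed sample value, so nothing is sent anywhere; looks_true mirrors the three ways a page gets classified as True (--string, --regexp, or comparison with the original response), and bisect_char shows why a 7-bit charset costs at most seven requests per character. The error-page server and the "<html>" string case reproduce the failure mode behind the question: when True and False pages cannot be told apart (for instance because the application answers every request with a 500), every probe classifies the same way and the inference yields nothing usable. All function names, page bodies and the secret value are this example's own assumptions.

```python
import re

# Constructed sample value that the simulated application "leaks" one boolean
# answer at a time. No network is involved: the server is a Python function.
SECRET = "sqlmap"


def true_page() -> str:
    """Response body when the injected condition holds (normal record shown)."""
    return "<html><body><h1>Item 3</h1><p>Price: 9.99</p></body></html>"


def false_page() -> str:
    """Response body when the injected condition fails (empty result)."""
    return "<html><body><h1>No such item</h1></body></html>"


def error_page() -> str:
    """Body of an application that fails identically whatever it receives,
    like the 500 errors in the question. True and False are indistinguishable."""
    return "<html><body><h1>500 Internal Server Error</h1></body></html>"


def make_server(secret, page_if_true, page_if_false):
    """Local stand-in for the target: answers 'is ASCII(secret[pos]) > threshold?'
    with a page body, which is all a boolean-based blind technique gets to see."""
    def respond(pos: int, threshold: int) -> str:
        # Past the end of the string SUBSTRING yields '', whose ASCII code is 0
        # (assumption modelled on MySQL behaviour); 0 therefore marks the end.
        code = ord(secret[pos]) if pos < len(secret) else 0
        return page_if_true() if code > threshold else page_if_false()
    return respond


def looks_true(body, string=None, regexp=None, reference=None):
    """Mirrors how a response is classified as a True page: --string
    (substring present), --regexp (pattern matches), or, with neither given,
    equality with the original (reference) response."""
    if string is not None:
        return string in body
    if regexp is not None:
        return re.search(regexp, body) is not None
    return body == reference


def bisect_char(respond, pos, classify):
    """Binary search over the clear-text 7-bit charset 0..127.
    Returns (ascii_code, requests_used); 128 candidates halve to 1 in 7 steps."""
    lo, hi, requests = 0, 127, 0
    while lo < hi:
        mid = (lo + hi) // 2
        requests += 1
        if classify(respond(pos, mid)):   # condition 'code > mid' reported True
            lo = mid + 1
        else:
            hi = mid
    return lo, requests


def infer(respond, classify, max_len=32):
    """Recovers characters until a 0 (end of string) is inferred.
    Returns the recovered text and the most requests spent on one character."""
    out, worst = [], 0
    for pos in range(max_len):
        code, n = bisect_char(respond, pos, classify)
        worst = max(worst, n)
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out), worst


if __name__ == "__main__":
    good = make_server(SECRET, true_page, false_page)
    print(infer(good, lambda b: looks_true(b, string="Item 3")))     # ('sqlmap', 7)
    print(infer(good, lambda b: looks_true(b, regexp=r"Price: \d")))  # ('sqlmap', 7)
    # A string present on both True and False pages makes every probe "True":
    print(repr(infer(good, lambda b: looks_true(b, string="<html>"))[0]))
    # A server that always fails gives the same body for every probe:
    broken = make_server(SECRET, error_page, error_page)
    print(repr(infer(broken, lambda b: looks_true(b, reference=error_page()))[0]))
```

Run against the good server, every classification method recovers the sample value in exactly seven requests per character. With the always-failing server, or with a --string that appears on both kinds of page, the classifier says True for every probe, each search runs to 127 and the result is a run of DEL characters rather than data. sqlmap notices that lack of difference during detection and reports the parameter as not injectable, which is what the question's console output shows; --string or --regexp only help when the string or pattern genuinely distinguishes True pages from False ones, and cannot repair a server that fails identically for every input.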