IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [sqlmap]

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

152 questions
1
vote
1 answer

How to test post login pages for sql injection using sqlmap

I have an application in which post login a page is vulnerable to SQL injection. Post login from the browser I captured the request via burp of that vulnerable page and fed the data to sqlmap. But I'm getting the following error. [15:45:24] [INFO]…
user1289569
  • 53
  • 1
  • 4
1
vote
2 answers

MariaDB SQL Injection vulnerability?

I'm testing for SQL Injection on a website. Basically, I'm trying it in the following url: http://example.org/webpage/* where in place of the * the payload should be injected. When I try to put in there this: ' OR 1=1/*, the url will be so:…
XRichardX
  • 11
  • 1
  • 1
  • 2
1
vote
1 answer

How to get Sqlmap to detect insertion point with sleep payload?

I have a server which seems to be vulnerable to SQL injection with the following payload detected by BurpSuite: param=value,(select*from(select(sleep(10)))a) The application takes twice the time defined in sleep to respond (sleep 10 returns a…
Omacron
  • 11
  • 2
1
vote
1 answer

techniques of sql injection (boolean based, UNION query-based, stacked queries and time-based blind)

I would like to know about these 2 SQL Injection techniques. I completed my studies in SQL databases and my teacher told me about SQL injection, then I became interested in this topic. I discovered a tool that does this automatically, but I only…
d. fritoti
  • 63
  • 6
1
vote
1 answer

someone trying to SQLi server using sqlmap

Someone is trying to SQLi my domain using sqlmap. I'm getting a lot of errors from mysql. My server access log shows: - - HTTP/1.1" 200 10559 "-" "sqlmap/1.0.4.0#dev (http://sqlmap.org)" I have tried blocking the IP but the IP keeps…
adminz
  • 135
  • 1
  • 4
1
vote
4 answers

sqlmap injection point in POST data

I am currently doing a blackbox test on a web application for training purposes. It's a personal project. In addition to my manual testing process, I used an automated scanner for detecting obvious vulnerabilities. While this tool only found some…
DucatiNerd
  • 125
  • 1
  • 1
  • 4
1
vote
2 answers

using the CO2-Extension within Burp for sql injection

I am using the free version of Burp Suite and the CO2-Extension for sql injection attacks. Using the extension offers you two possible attacking ways: Either you copy the command which is generated by clicking on the options available and paste…
Nazar Medeiros
  • 161
  • 8
1
vote
0 answers

SQLMAP - POST JSON data as body

Hi I'm trying to do a SQL injection in a login form. With BurpSuite I intercept the request: POST /xxxx/web/Login HTTP/1.1 Host: 10.0.0.70:42020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0 Accept:…
ronIDX
  • 111
  • 1
  • 3
1
vote
0 answers

How to use SQLMap/Burp to perform SQL injection on a form that is behind another form

I have a form that takes in an IP address and loads that page (Acts as a Web Application Proxy). The page that gets loaded has an SQL injection vulnerability. How can I use SQLMap or BURP to exploit this? Note: I cant use the --proxy option since…
user1004985
  • 173
  • 5
1
vote
1 answer

Using sqlmap to find password hashes

I'm learning SQL-injection (and SQL in the first place) by playing a CTF. I'm using sqlmap and have for my target IP so far found: Uses: MySQL, PHP 2 databases: information_schema users 1 table in users database: user if I dump the user table in…
Austin
  • 139
  • 1
  • 6
1
vote
1 answer

Sqlmap tested parameters might not be injectable

When I try to inject something, after testing all parameters with --level=3 --risk=3, this shows up. Please tell me what to do, and where I'm wrong. This is the full command: sqlmap -u "www.mysite.com/index.php?id=1*" --level=3 --risk=3…
Alexander
  • 11
  • 1
  • 1
  • 2
1
vote
0 answers

sqlmap automatically trims response

When i try to dump a database with --dump-all I first get [WARNING] large response detected. This could take a while then [WARNING] too large response detected. Automatically trimming it How can I make sqlmap dump the entire table without…
Shah
  • 11
  • 2
1
vote
0 answers

what is this injection query looks like?

what might be the mysql query if mysql injected it with '# only for username and password blank logged in as admin how to get mysql info using this injection ?
user126194
  • 11
  • 1
1
vote
1 answer

Scrambled database name / unable to retrieve the number of databases with SQLMap

I have the results for sqlmap: ./sqlmap.py -u "http://REDACTED/browse?destination_id=12" --identify-waf --random-agent -v 3 --dbs GET parameter 'destination_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n sqlmap…
Keith
  • 11
  • 1
  • 2
1
vote
0 answers

The database sqlmap is trying to read is too big. I time out every time

So I found the database and then the table and the columns and I'm trying to dump the column data but it is too big. It keep taking ~2 mins then timing out.
Michael
  • 11
  • 2
1 2 3
10 11