Could anyone help me understand why this did not find an exploit? Looking through Help a little, it seems that it is a 'simple' injection exploiting the GET method in the URL.
EDIT: SQLMap returns:
[WARNING] URI parameter '#1*' does not seem to be injectable
[CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
Okay, the article helped me a lot in understanding how SQLMap works. I already used it on some random sites to try and get to know it.
Most of these tryouts worked just fine, but I still can't get it to crack the level.
I solved it by hand, so it's no big deal, but I'd really like to understand why it did not work here.
Basically, my input stayed the same, because it worked really well on other sites and did not seem to be deeply flawed. I just played around with verbosity, risk, and level settings, but nothing worked. It also seems that defendtheweb is not blocking any of the requests made, so maybe somebody can point me in the right direction to what I am overlooking, please.
I've never used SQLMap, but maybe the HTTP headers? DtW requires the PHP Session ID (sent with the request automatically if using a browser) each time you want to view the level(s). Check if there's a flag to specify the required headers.