Scriptkiddy problems

Algebraba
a week ago | edited a week ago

0

So I was kind of lazy and was trying to do the minimalistic script kiddy version using SQLMap. The only problem: I am too dumb to use scripts correctly and it didn’t work.

My shell code was: `$ python sqlmap.py -u "https://defendtheweb.net/playground/sqli2?q=A*" --batch -a --level=3 --risk=3`

Could anyone help me understand why this did not find an exploit? Looking through Help a little it seems that it is a ‘simple’ injection exploiting the get method in the URL.

EDIT: SQLMap returns:
[WARNING] URI parameter '#1*' does not seem to be injectable
[CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

kamozey
a week ago

0

Have you tried reading the SQLMap article first? SQLMAP - Tutorial to your first SQL Injection tool

Algebraba
a week ago

0

Nice, thank you!
Didn’t think to look for that here on the site.

Algebraba
6 days ago

0

Okay, the article helped me a lot in understanding how SQLMap works. I already used it on some random sites to try and get to know it.
Most of these tryouts worked just fine, but I still can’t get it to crack the level.
I solved it by hand, so it’s no big deal, but I’d really like to understand why it did not work here.
Basically, my input stayed the same, because it worked really well on other sites and did not seem to be deeply flawed. I just played around with verbosity, risk, and level settings but nothing worked. It also seems that defendtheweb is not blocking any of the requests made, so maybe somebody can point me in the right direction to what I am overlooking, please.

kamozey
6 days ago

0

I’ve never used SQLMap, but maybe the HTTP headers? DtW requires the PHP Session ID (sent with the request automatically if using a browser) each time you want to view the level(s). Check if there’s a flag to specify the required headers.
