Why SQLMap Doesn’t Attack Specified Parameter?

I am new to SQLMap. I have setup Kali and OWASPBWA VM. Both VMs are on same NAT Network set in VirtualBox.

When I try to run following command:

sqlmap -u "http://<IP_ADDRESS>/mutillidae/index.php?page=user-info.php?username=111&password=bbb&user-info-php-submit-button=View+Account+Details" -p username

I get following messages:

  • Previous heuristics detected that the target is protected by some kind of WAF/IPS.
  • Multiple messages – Unable to connect to the targeturl. sqlmap is trying to reconnect.
  • heuristics test shows that GET parameter ‘username’ might not be injectable.

There are several YouTube videos which display same setup with above 2 VMs, and are able to run the command and find injection in username parameter. What am I doing wrong? Please help.

Go to Source
Author: Amit

Can someone Inject malicious SQL to my SQL query?

I build a simple chat with MySQL. It has a table called users and two colums: id and username. I use the following query to extract username and ID by ID.

Is there a way someone can Inject malicios SQL ? and How ?

Limit is used to only allow 1 result to come out

$query = 'SELECT id, username FROM users WHERE id=' . $id . ' LIMIT 1';

Go to Source
Author: harabatahat