Why SQLMap Doesn’t Attack Specified Parameter?

I am new to SQLMap. I have set up Kali and OWASPBWA VMs. Both VMs are on the same NAT Network set in VirtualBox.

When I try to run the following command:

sqlmap -u "http://<IP_ADDRESS>/mutillidae/index.php?page=user-info.php?username=111&password=bbb&user-info-php-submit-button=View+Account+Details" -p username

I get the following messages:

  • Previous heuristics detected that the target is protected by some kind of WAF/IPS.
  • Multiple messages – Unable to connect to the target URL. sqlmap is trying to reconnect.
  • heuristics test shows that GET parameter ‘username’ might not be injectable.

There are several YouTube videos which show the same setup with the above 2 VMs, and they are able to run the command and find the injection in the username parameter. What am I doing wrong? Please help.

Author: Amit

SQLMap Only Returns information_schema

I run this command:

python sqlmap.py -u https://acme.com/post.php --data "id=1" --tamper="between,randomcase,space2comment" -v 3 --random-agent --dbs

but SQLMap only returns the information_schema database.

Is there something wrong (if so, is there anything I can do to circumvent it?), or does the database really only have 1 database?

Author: maximillian1

How to determine possible SQL injection vulnerability?

I ran the OWASP SQL injection scanner tool on a website’s sign-in page I formerly operated and two vulnerable parameters displayed. The first parameter was “returnURL” and the second one was “isLogin” showing POST DATA: IsLogin=true AND 1=1 --

What does this mean and how do I exploit this for testing purposes and ultimately fix the potential error? Should I use a Kali tool such as MySQL or do you have other suggestions?

Author: thenewcoder
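
What a scanner finding like "IsLogin=true AND 1=1 --" in the last question indicates, and the usual fix, as an added example that is not part of any of the posts above. The table, column and function names are hypothetical and the rows are constructed sample data; SQLite stands in for whatever database the site used.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT, is_login INTEGER)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("a1", 1), ("b2", 0), ("c3", 1)])
    return db

def count_concatenated(db, is_login):
    # Vulnerable pattern: the POST value becomes part of the SQL text, so
    # "AND 1=1 --" is parsed as SQL and the comment cuts off the rest.
    sql = ("SELECT COUNT(*) FROM sessions WHERE is_login = "
           + is_login + " AND token <> ''")
    return db.execute(sql).fetchone()[0]

def parse_flag(raw):
    # Allow-list validation: the parameter is a boolean, accept nothing else.
    value = raw.strip().lower()
    if value in ("true", "1"):
        return 1
    if value in ("false", "0"):
        return 0
    raise ValueError("IsLogin must be a boolean")

def count_parameterized(db, is_login):
    # Fixed pattern: validate, then bind the value so it is never SQL text.
    sql = "SELECT COUNT(*) FROM sessions WHERE is_login = ? AND token <> ''"
    return db.execute(sql, (parse_flag(is_login),)).fetchone()[0]

def response(query_fn, db, value):
    # Treat a validation error as its own kind of response.
    try:
        return query_fn(db, value)
    except ValueError:
        return "rejected"

def boolean_differential(query_fn, db, base="true"):
    # The check behind the finding: an always-true and an always-false
    # condition are appended; a differing response means the input reached
    # the SQL parser. Use it to confirm the fix on your own code.
    always_true = response(query_fn, db, base + " AND 1=1 --")
    always_false = response(query_fn, db, base + " AND 1=2 --")
    return always_true != always_false

if __name__ == "__main__":
    db = make_db()
    print("concatenated query flagged:", boolean_differential(count_concatenated, db))
    print("parameterized query flagged:", boolean_differential(count_parameterized, db))
```
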