Describe the bug
Website login form has a basic SQL injection in the form of just using ' or '1'='1 as a password, but sqlmap doesn't find it.

To Reproduce
sqlmap -u http://localhost:8080/\?site\=login.php --method=post --data="loggedin=on&username=admin&password=" --dbms=mysql -p password --not-string='Login unsuccessful!'
or
sqlmap -u "https://hack-me-if-you-can.herokuapp.com/?site=login.php" --method=post --data="loggedin=on&username=admin&password=" --dbms=mysql -p password --not-string='Login unsuccessful!'
respectively.

Expected behavior
NOT the current output:
[13:19:48] [WARNING] POST parameter 'password' does not seem to be injectable
I expect sqlmap would be able to log in and that way confirm that there actually is an SQL injection present.

Running environment:
Target details:
p.s. --drop-set-cookie --risk=3
stamparm