Sqlmap doesn't find basic sql injection in login form #4411

ostrolucky · 2020-10-30T12:24:54Z

Describe the bug
Website login form has a basic sql injection in form of just using ' or '1'='1 as a password, but sqlmap doesn't find it.

To Reproduce

Either make https://github.com/crashtest-security/fixme running locally, or use https://hack-me-if-you-can.herokuapp.com/?site=login.php
Run either sqlmap -u http://localhost:8080/\?site\=login.php --method=post --data="loggedin=on&username=admin&password=" --dbms=mysql -p password --not-string='Login unsuccessful!' ,
or
sqlmap -u "https://hack-me-if-you-can.herokuapp.com/?site=login.php" --method=post --data="loggedin=on&username=admin&password=" --dbms=mysql -p password --not-string='Login unsuccessful!' respectively

Expected behavior
NOT the current output:

[13:19:48] [WARNING] POST parameter 'password' does not seem to be injectable

I expect sqlmap would be able to log in and that way confirm that there actually is an sql injection present.

Running environment:

sqlmap version 1.4.7#stable
Installation method brew
Operating system: MacOS Catalina
Python version whatever is used in macos catalina, there are multiple python versions installed

Target details:

The text was updated successfully, but these errors were encountered:

stamparm · 2020-10-30T12:38:47Z

p.s. --drop-set-cookie --risk=3

ostrolucky added the bug report label Oct 30, 2020

stamparm closed this as completed Oct 30, 2020

stamparm removed the bug report label Oct 30, 2020

stamparm self-assigned this Oct 30, 2020

stamparm added the support label Oct 30, 2020

sqlmapproject locked and limited conversation to collaborators Oct 30, 2020

Provide feedback