DVWA cannot be injected with SQLMAP [id is not injectable]


I am trying to detect DVWA's SQL injection attacks with sqlmap. I am using the simplest option it offers, but oddly it sometimes works and other times it does not, showing a message similar to:

...parameter 'X' does not seem to be injectable...

I have also tried the level and risk options without success. The output is shown below.

The command I am using is:

$ sqlmap -u "http://localhost:82/dvwa/vulnerabilities/sqli/?id=1"
[13:01:30] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://localhost:82/dvwa/login.php'. Do you want to follow? [Y/n] y
[13:01:32] [INFO] testing if the target URL content is stable
[13:01:32] [WARNING] GET parameter 'id' does not appear to be dynamic
[13:01:32] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[13:01:32] [INFO] testing for SQL injection on GET parameter 'id'
[13:01:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:01:33] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[13:01:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[13:01:34] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[13:01:34] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[13:01:34] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[13:01:35] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[13:01:35] [INFO] testing 'MySQL inline queries'
[13:01:35] [INFO] testing 'PostgreSQL inline queries'
[13:01:35] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[13:01:35] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[13:01:35] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[13:01:36] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[13:01:36] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[13:01:36] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[13:01:37] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[13:01:37] [INFO] testing 'Oracle AND time-based blind'
[13:01:38] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[13:01:42] [WARNING] GET parameter 'id' does not seem to be injectable
[13:01:42] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment')

[*] shutting down at 13:01:42
asked by aneela 21.05.2018 - 10:12
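The output pasted in the question carries its own diagnosis: the scanner is told it "got a 302 redirect to 'http://localhost:82/dvwa/login.php'", and immediately afterwards the "does not appear to be dynamic" warning fires for `id`. Together those two lines mean the scan was not running with an authenticated DVWA session, so the stability and dynamism tests were evaluated against the login page, where the `id` parameter has no effect on the response. The script below is an added example (not part of the question or of sqlmap) that triages a sqlmap log for exactly this pattern; the sample log is a constructed copy of the lines shown above, and the verdict labels are my own.

```python
import re

# Constructed sample: the relevant lines from the sqlmap run in the question.
SAMPLE_LOG = """\
[13:01:30] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://localhost:82/dvwa/login.php'. Do you want to follow? [Y/n] y
[13:01:32] [INFO] testing if the target URL content is stable
[13:01:32] [WARNING] GET parameter 'id' does not appear to be dynamic
[13:01:32] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[13:01:42] [WARNING] GET parameter 'id' does not seem to be injectable
[13:01:42] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options
"""

# Patterns for the three signals that matter for this triage.
REDIRECT_RE = re.compile(r"got a (\d{3}) redirect to '([^']+)'")
NOT_DYNAMIC_RE = re.compile(r"parameter '([^']+)' does not appear to be dynamic")
NOT_INJECTABLE_RE = re.compile(r"parameter '([^']+)' does not seem to be injectable")


def is_login_redirect(status: int, location: str) -> bool:
    """True when a 3xx redirect points at a page that looks like a login form."""
    return 300 <= status < 400 and re.search(r"/login", location, re.IGNORECASE) is not None


def triage_sqlmap_log(log_text: str) -> dict:
    """Extract redirects and parameter warnings from sqlmap output and explain them.

    Verdicts (labels chosen for this example):
      'unauthenticated-session' - redirected to a login page and the parameter
                                  was reported as not dynamic: the scan never
                                  reached the page under test.
      'inconclusive'            - 'not injectable' reported without that evidence.
      'no-issue-detected'       - none of the tracked warnings appeared.
    """
    findings = {"redirects": [], "not_dynamic": [], "not_injectable": [], "verdict": ""}
    for line in log_text.splitlines():
        m = REDIRECT_RE.search(line)
        if m:
            findings["redirects"].append((int(m.group(1)), m.group(2)))
            continue
        m = NOT_DYNAMIC_RE.search(line)
        if m:
            findings["not_dynamic"].append(m.group(1))
            continue
        m = NOT_INJECTABLE_RE.search(line)
        if m:
            findings["not_injectable"].append(m.group(1))

    sent_to_login = any(is_login_redirect(s, loc) for s, loc in findings["redirects"])
    if sent_to_login and findings["not_dynamic"]:
        findings["verdict"] = "unauthenticated-session"
    elif findings["not_injectable"]:
        findings["verdict"] = "inconclusive"
    else:
        findings["verdict"] = "no-issue-detected"
    return findings


if __name__ == "__main__":
    result = triage_sqlmap_log(SAMPLE_LOG)
    for status, location in result["redirects"]:
        print(f"redirect {status} -> {location}")
    print("not dynamic:", result["not_dynamic"])
    print("not injectable:", result["not_injectable"])
    print("verdict:", result["verdict"])
```

Run against the pasted log the verdict is `unauthenticated-session`, which is also why the behaviour looks intermittent: whether the test reaches the real page depends on whether a valid session was present at the time, not on `--level` or `--risk`.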

0 answers
