[Owasp-testing] Database Fingerprinting

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Wed Dec 16 09:55:57 EST 2009

Have you considered that authentication might be LDAP? You might need a LDAP injection instead of SQL, although similar they are not the same. 

Also, try 
- commenting using # instead of -- for old MySql
- using or 1=1 -- (no quotes) in case of numeric user id
- using or ''||'1' = '1' -- for identifying oracle
- closing parenthesis ' or 1=1) for applications filtering --
- using other operators ' or 'a' like 'a' -- for operator filtering
- and many more on http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
- if nothing works try more sophisticated filter evasion techniques http://www.steve-shead.com/2009/08/11/cross-site-scripting-cheat-sheet/
- And you might want to read the OWASP Sql Injection prevention Cheat Sheet as you might be facing some of the countermeasures there http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

If you are able to make one successful request the others are pretty much simpler

Juan C Calderon

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Zaki Akhmad
Sent: Miércoles, 16 de Diciembre de 2009 01:57 a.m.
To: owasp-testing
Subject: Re: [Owasp-testing] Database Fingerprinting

Thanks for all the responses

I haven't got any error messages. This site doesn't have many form except:
- authentication: userid and password
- quantity of the goods

I have tried both, inserting SQL injection command and it failed.
Sigh, this web applicationis good at handling input.

How do I do sqlmap to authenticated page?

This site has dynamic GET parameters. This web application automatically redirects to its home address if I hit this URL[1] without being succesfully authenticated.

Owasp-testing mailing list
Owasp-testing at lists.owasp.org

More information about the Owasp-testing mailing list